From ada064c7329c0bc0c7a64ce2833f8ac8d876b1e7 Mon Sep 17 00:00:00 2001 From: wmetaw Date: Fri, 5 Mar 2021 16:29:33 +0900 Subject: [PATCH 001/483] Fix google_project_alert_policy Examples in the README Signed-off-by: Ryo Takashima --- .../content/inspec/resources/google_project_alert_policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md index 29830a1e8..4faebc004 100644 --- a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md +++ b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md @@ -19,8 +19,8 @@ A `google_project_alert_policy` is used to test a Google AlertPolicy resource ```ruby describe.one do - google_project_alert_policies(project: 'chef-gcp-inspec').policy_names do |policy_name| - describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name) do + google_project_alert_policies(project: 'chef-gcp-inspec').policy_names.each do |policy_name| + describe google_project_alert_policy(project: 'chef-gcp-inspec', name: policy_name.split('/').last) do it { should exist } its('display_name') { should cmp 'Display'} its('combiner') { should cmp 'OR'} From bcf20a32b3367cb2d13a09ec3a23c72095b9870b Mon Sep 17 00:00:00 2001 From: IanMadd Date: Wed, 24 Mar 2021 12:57:24 -0700 Subject: [PATCH 002/483] Update platforms doc Signed-off-by: IanMadd --- docs-chef-io/content/inspec/platforms.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs-chef-io/content/inspec/platforms.md b/docs-chef-io/content/inspec/platforms.md index 37b13daa3..1fe8e272a 100644 --- a/docs-chef-io/content/inspec/platforms.md +++ b/docs-chef-io/content/inspec/platforms.md 
@@ -163,7 +163,7 @@ version is 3.0.25. With a version of InSpec above 4.0.0, it is possible to create a profile with the following command: -``` +```bash $ inspec init profile --platform gcp my-profile Create new profile at /Users/me/my-profile * Creating directory libraries @@ -171,15 +171,15 @@ Create new profile at /Users/me/my-profile * Creating directory controls * Creating file controls/example.rb * Creating file inspec.yml - * Creating file attributes.yml + * Creating file inputs.yml * Creating file libraries/.gitkeep ``` -Assuming the attributes yml file contains your GCP project ID, this sample +Assuming the `inputs.yml` file contains your GCP project ID, this sample profile can then be executed using the following command: -``` -inspec exec my-profile --attrs my-profile/attributes.yml -t gcp:// +```bash +inspec exec my-profile --input-file=my-profile/inputs.yml -t gcp:// ``` #### Setting up the GCP Credentials File From c0b213c46af64e3fb92ea70acc3d380924cf056f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 31 Mar 2021 11:42:51 +0530 Subject: [PATCH 003/483] Bug fix for loading hashmap inputs consistently from external and metadata file Signed-off-by: Nikita Mathur --- lib/inspec/input_registry.rb | 3 +- .../inputs/hashmap/controls/hashmap_input.rb | 32 +++++++++++++++++++ .../inputs/hashmap/external_attributes.yml | 4 +++ .../profiles/inputs/hashmap/inspec.yml | 17 ++++++++++ test/functional/inputs_test.rb | 9 ++++++ 5 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb create mode 100644 test/fixtures/profiles/inputs/hashmap/external_attributes.yml create mode 100644 test/fixtures/profiles/inputs/hashmap/inspec.yml diff --git a/lib/inspec/input_registry.rb b/lib/inspec/input_registry.rb index f6fad5d85..8e327de4a 100644 --- a/lib/inspec/input_registry.rb +++ b/lib/inspec/input_registry.rb 
@@ -256,7 +256,7 @@ module Inspec data.inputs.each do |input_name, input_value| evt = Inspec::Input::Event.new( - value: input_value, + value: input_value&.class.eql?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, provider: :cli_files, priority: 40, file: path @@ -307,6 +307,7 @@ module Inspec def handle_raw_input_from_metadata(input_orig, profile_name) input_options = input_orig.dup input_name = input_options.delete(:name) + input_options[:value] = Thor::CoreExt::HashWithIndifferentAccess.new(input_options[:value]) if input_options[:value]&.class.eql?(Hash) input_options[:provider] = :profile_metadata input_options[:file] = File.join(profile_name, "inspec.yml") input_options[:priority] ||= 30 diff --git a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb new file mode 100644 index 000000000..0c6b5c14b --- /dev/null +++ b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb 
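Review bot: Both added conversions (the `value:` argument inside `data.inputs.each` and the `input_options[:value]` line in `handle_raw_input_from_metadata`) wrap only the outermost Hash, so a hash nested inside an input value keeps whatever key type its source produced. As far as I know `Thor::CoreExt::HashWithIndifferentAccess.new` copies top-level keys only, and the fixtures added in this commit go one level deep, so the nested case is not covered. Either convert recursively or state the limit next to the call, e.g. `# NOTE: only top-level keys become indifferent; nested hashes keep their original keys`. The same expression recurs in the later `input_registry.rb` hunks of this series (runner API inputs, then `find_or_register_input`), and both enclosing methods continue outside these hunks.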
@@ -0,0 +1,32 @@ +# copyright: 218, The Authors +title "Verifying loading of hashmap inputs using metadata and external file" + +# controls to test metadata file hash traversing + +control "hashmap-metadata" do + title "Verifying loading of hashmap inputs using metadata file" + + describe input('metadata_basic_key') do + it { should cmp 'metadata_basic_value' } + end + + describe input('metadata_nested_key') do + its(['metadata_nested_key_str']) { should eq 'metadata_nested_value_str' } + its([:metadata_nested_key_sym]) { should eq 'metadata_nested_value_sym' } + end +end + +# controls to test external attribute file hash traversing + +control "hashmap-external-file" do + title "Verifying loading of hashmap inputs using external file" + + describe input('external_attribute_basic_key') do + it { should cmp 'external_attribute_basic_value' } + end + + describe input('external_attribute_nested_key') do + its(['external_attribute_nested_key_str']) { should eq 'external_attribute_nested_value_str' } + its([:external_attribute_nested_key_sym]) { should eq 'external_attribute_nested_value_sym' } + end +end \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/hashmap/external_attributes.yml b/test/fixtures/profiles/inputs/hashmap/external_attributes.yml new file mode 100644 index 000000000..d019dbcb9 --- /dev/null +++ b/test/fixtures/profiles/inputs/hashmap/external_attributes.yml @@ -0,0 +1,4 @@ +external_attribute_basic_key: external_attribute_basic_value +external_attribute_nested_key: + external_attribute_nested_key_str: external_attribute_nested_value_str + external_attribute_nested_key_sym: external_attribute_nested_value_sym \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/hashmap/inspec.yml b/test/fixtures/profiles/inputs/hashmap/inspec.yml new file mode 100644 index 000000000..51bcbc171 --- /dev/null +++ b/test/fixtures/profiles/inputs/hashmap/inspec.yml 
@@ -0,0 +1,17 @@ +name: hashmap +title: InSpec Profile +maintainer: The Authors +copyright: The Authors +copyright_email: you@example.com +license: Apache-2.0 +summary: A profile that checks the hash inputs using metadata file and external file. +version: 0.1.0 +supports: + platform: os +inputs: +- name: metadata_basic_key + value: metadata_basic_value +- name: metadata_nested_key + value: + metadata_nested_key_str: metadata_nested_value_str + metadata_nested_key_sym: metadata_nested_value_sym \ No newline at end of file diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index c14c722a6..937b3f89d 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -6,6 +6,7 @@ require "tempfile" describe "inputs" do include FunctionalHelper let(:inputs_profiles_path) { File.join(profile_path, "inputs") } + let(:external_attributes_file_path) { "#{inputs_profiles_path}/hashmap/external_attributes.yml" } parallelize_me! @@ -442,4 +443,12 @@ describe "inputs" do _(inputs[2]["options"]["value"]).wont_include "***" # Explicit sensitive = false end end + + describe "when a profile is executed with external inputs and inputs defined in metadata file" do + it "should access the values successfully from in both input ways" do + result = run_inspec_process("exec #{inputs_profiles_path}/hashmap --input-file #{external_attributes_file_path}", json: true) + _(result.stderr).must_be_empty + assert_json_controls_passing(result) + end + end end From a55b083b0afe753c189c33896351016013a1ca54 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 31 Mar 2021 12:35:11 +0530 Subject: [PATCH 004/483] Improvements in various descriptions and a better way to check for hash type 
Signed-off-by: Nikita Mathur --- lib/inspec/input_registry.rb | 4 ++-- .../profiles/inputs/hashmap/controls/hashmap_input.rb | 4 ---- test/fixtures/profiles/inputs/hashmap/inspec.yml | 2 +- test/functional/inputs_test.rb | 2 +- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/lib/inspec/input_registry.rb b/lib/inspec/input_registry.rb index 8e327de4a..2d39dfe27 100644 --- a/lib/inspec/input_registry.rb +++ b/lib/inspec/input_registry.rb @@ -256,7 +256,7 @@ module Inspec data.inputs.each do |input_name, input_value| evt = Inspec::Input::Event.new( - value: input_value&.class.eql?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, + value: input_value.is_a?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, provider: :cli_files, priority: 40, file: path @@ -307,7 +307,7 @@ module Inspec def handle_raw_input_from_metadata(input_orig, profile_name) input_options = input_orig.dup input_name = input_options.delete(:name) - input_options[:value] = Thor::CoreExt::HashWithIndifferentAccess.new(input_options[:value]) if input_options[:value]&.class.eql?(Hash) + input_options[:value] = Thor::CoreExt::HashWithIndifferentAccess.new(input_options[:value]) if input_options[:value].is_a?(Hash) input_options[:provider] = :profile_metadata input_options[:file] = File.join(profile_name, "inspec.yml") input_options[:priority] ||= 30 diff --git a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb index 0c6b5c14b..c88f76bef 100644 --- a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb +++ b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb @@ -1,8 +1,6 @@ # copyright: 218, The Authors title "Verifying loading of hashmap inputs using metadata and external file" -# controls to test metadata file hash traversing - control "hashmap-metadata" do title "Verifying loading of hashmap inputs using metadata file" 
@@ -16,8 +14,6 @@ control "hashmap-metadata" do end end -# controls to test external attribute file hash traversing - control "hashmap-external-file" do title "Verifying loading of hashmap inputs using external file" diff --git a/test/fixtures/profiles/inputs/hashmap/inspec.yml b/test/fixtures/profiles/inputs/hashmap/inspec.yml index 51bcbc171..cd86c511d 100644 --- a/test/fixtures/profiles/inputs/hashmap/inspec.yml +++ b/test/fixtures/profiles/inputs/hashmap/inspec.yml @@ -4,7 +4,7 @@ maintainer: The Authors copyright: The Authors copyright_email: you@example.com license: Apache-2.0 -summary: A profile that checks the hash inputs using metadata file and external file. +summary: A profile that checks loading of hashmap inputs using metadata file and external file. version: 0.1.0 supports: platform: os diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index 937b3f89d..1741b394d 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -445,7 +445,7 @@ describe "inputs" do end describe "when a profile is executed with external inputs and inputs defined in metadata file" do - it "should access the values successfully from in both input ways" do + it "should access the values successfully from both input ways" do result = run_inspec_process("exec #{inputs_profiles_path}/hashmap --input-file #{external_attributes_file_path}", json: true) _(result.stderr).must_be_empty assert_json_controls_passing(result) From 6ff6b9634aa57114f7d95534b83b19b09aae32f1 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 23 Mar 2021 12:50:11 -0400 Subject: [PATCH 005/483] Add --docker-url CLI option Signed-off-by: Clinton Wolfe --- docs-chef-io/content/inspec/cli.md | 6 ++++++ lib/inspec/base_cli.rb | 2 ++ 2 files changed, 8 insertions(+) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 68cbe451e..6b44ec081 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md 
@@ -96,6 +96,8 @@ This subcommand has additional options: Specifies the bastion user if applicable * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). +* ``--docker-url`` + Provides path to Docker API endpoint (Docker) * ``--enable-password=ENABLE_PASSWORD`` Password for enable mode on Cisco IOS devices. * ``--format=FORMAT`` @@ -266,6 +268,8 @@ This subcommand has additional options: Write out a lockfile based on this execution (unless one already exists) * ``--distinct-exit``, ``--no-distinct-exit`` Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures. +* ``--docker-url`` + Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows. * ``--enable-password=ENABLE_PASSWORD`` Password for enable mode on Cisco IOS devices. * ``--filter-empty-profiles``, ``--no-filter-empty-profiles`` @@ -428,6 +432,8 @@ This subcommand has additional options: A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell * ``--distinct-exit``, ``--no-distinct-exit`` Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures. +* ``--docker-url`` + Provides path to Docker API endpoint (Docker). Defaults to unix:///var/run/docker.sock on Unix systems and tcp://localhost:2375 on Windows. * ``--enable-password=ENABLE_PASSWORD`` Password for enable mode on Cisco IOS devices. * ``--host=HOST`` diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 50499c0d9..20d1acca1 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb 
@@ -120,6 +120,8 @@ module Inspec desc: "Provide a ID which will be included on reports" option :winrm_shell_type, type: :string, default: "powershell", desc: "Specify a shell type for winrm (eg. 'elevated' or 'powershell')" + option :docker_url, type: :string, + desc: "Provides path to Docker API endpoint (Docker)" end def self.profile_options From ee2f44e1cc17dda5bf06385918760fcefcf2cc95 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 4 Apr 2021 21:50:01 -0400 Subject: [PATCH 006/483] Update docs-chef-io/content/inspec/cli.md Signed-off-by: Clinton Wolfe Co-authored-by: Ian Maddaus --- docs-chef-io/content/inspec/cli.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 6b44ec081..827149be1 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -97,7 +97,7 @@ This subcommand has additional options: * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--docker-url`` - Provides path to Docker API endpoint (Docker) + Provides path to Docker API endpoint (Docker). * ``--enable-password=ENABLE_PASSWORD`` Password for enable mode on Cisco IOS devices. * ``--format=FORMAT`` From ec30fc3d4e23ef5e17e6834190b4eaa2b8609d00 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 5 Apr 2021 14:41:26 +0530 Subject: [PATCH 007/483] Hash with indifference changes for inputs used via runner api Signed-off-by: Nikita Mathur --- lib/inspec/input_registry.rb | 2 +- .../inputs/via-runner/controls/via-runner.rb | 8 ++++++++ test/functional/inputs_test.rb | 13 ++++++++++++- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/inspec/input_registry.rb b/lib/inspec/input_registry.rb index 2d39dfe27..bd4b49a4f 100644 --- a/lib/inspec/input_registry.rb +++ b/lib/inspec/input_registry.rb 
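Review bot: The `desc:` added for `:docker_url` omits the defaults that the cli.md text in this same commit gives (`unix:///var/run/docker.sock` on Unix, `tcp://localhost:2375` on Windows), and the hunk shows no check on the URL scheme. A `tcp://` endpoint on port 2375 is conventionally the Docker API without TLS or authentication, so the help text is the place to steer users toward the local socket or a TLS-protected endpoint, for example `desc: "URL of the Docker API endpoint (Docker). Prefer unix:// or a TLS-protected tcp:// endpoint"`. Whether the value is validated further down the call chain cannot be seen from here. The method that holds these option declarations starts outside the hunk.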
@@ -225,7 +225,7 @@ module Inspec input_hash.each do |input_name, input_value| loc = Inspec::Input::Event.probe_stack # TODO: likely modify this to look for a kitchen.yml, if that is realistic evt = Inspec::Input::Event.new( - value: input_value, + value: input_value.is_a?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, provider: :runner_api, # TODO: suss out if audit cookbook or kitchen-inspec or something unknown priority: 40, file: loc.path, diff --git a/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb b/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb index 49f3b7f56..bdc751e63 100644 --- a/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb +++ b/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb @@ -2,4 +2,12 @@ control "test_control_01" do describe input("test_input_01", value: "value_from_dsl") do it { should cmp "value_from_api" } end + + describe input("test_input_hash_string", value: { "string_key": "string_value_dsl" }) do + its(['string_key']) { should eq 'string_value' } + end + + describe input("test_input_hash_symbol", value: { symbol_key: :symbol_value_dsl }) do + its([:symbol_key]) { should eq :symbol_value } + end end diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index 1741b394d..c49343363 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -124,7 +124,6 @@ describe "inputs" do describe "when using the current :inputs key" do let(:runner_options) { common_options.merge({ inputs: { test_input_01: "value_from_api" } }) } - it "finds the values and does not issue any warnings" do output = run_result.stdout refute_includes output, "DEPRECATION" 
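Review bot: In the via-runner.rb hunk, `{ "string_key": "string_value_dsl" }` uses the `"name": value` form, which Ruby parses as a Symbol key, so `test_input_hash_string` carries the same key type as `test_input_hash_symbol` and this control defines no String-keyed hash. If a String key is intended, write `value: { "string_key" => "string_value_dsl" }`. The same literal form appears in `runner_options` in the following inputs_test.rb hunk and in `dsl_hash_string` in the later hashmap_input.rb hunk, so in the tests shown the runner-API and DSL paths are only exercised with Symbol-keyed input.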
@@ -133,6 +132,18 @@ describe "inputs" do end end + describe "when using the current :inputs key with both string and symbol key in hashes" do + let(:runner_options) { common_options.merge({ inputs: { test_input_01: "value_from_api", test_input_hash_string: { "string_key": "string_value" }, test_input_hash_symbol: { symbol_key: :symbol_value } } }) } + + it "finds the values and runs successfully" do + output = run_result.stdout + structured_output = JSON.parse(output) + assert_equal "passed", structured_output["profiles"][0]["controls"][0]["results"][0]["status"] + assert_equal "passed", structured_output["profiles"][0]["controls"][0]["results"][1]["status"] + assert_equal "passed", structured_output["profiles"][0]["controls"][0]["results"][2]["status"] + end + end + describe "when using the legacy :attributes key" do let(:runner_options) { common_options.merge({ attributes: { test_input_01: "value_from_api" } }) } it "finds the values but issues a DEPRECATION warning" do From 094293b01dfc91657c6ef473f34b352d9536bdf8 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 5 Apr 2021 16:10:47 +0530 Subject: [PATCH 008/483] Refactored logic to enable hash indifference in all input types Signed-off-by: Nikita Mathur --- lib/inspec/input_registry.rb | 6 ++-- .../inputs/hashmap/controls/hashmap_input.rb | 36 +++++++++++++------ .../inputs/via-runner/controls/via-runner.rb | 2 +- test/functional/inputs_test.rb | 4 +-- 4 files changed, 32 insertions(+), 16 deletions(-) diff --git a/lib/inspec/input_registry.rb b/lib/inspec/input_registry.rb index bd4b49a4f..1b2ea9667 100644 --- a/lib/inspec/input_registry.rb +++ b/lib/inspec/input_registry.rb 
@@ -82,6 +82,7 @@ module Inspec def find_or_register_input(input_name, profile_name, options = {}) input_name = input_name.to_s profile_name = profile_name.to_s + options[:event].value = Thor::CoreExt::HashWithIndifferentAccess.new(options[:event].value) if options[:event]&.value.is_a?(Hash) if profile_alias?(profile_name) && !profile_aliases[profile_name].nil? alias_name = profile_name @@ -225,7 +226,7 @@ module Inspec input_hash.each do |input_name, input_value| loc = Inspec::Input::Event.probe_stack # TODO: likely modify this to look for a kitchen.yml, if that is realistic evt = Inspec::Input::Event.new( - value: input_value.is_a?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, + value: input_value, provider: :runner_api, # TODO: suss out if audit cookbook or kitchen-inspec or something unknown priority: 40, file: loc.path, @@ -256,7 +257,7 @@ module Inspec data.inputs.each do |input_name, input_value| evt = Inspec::Input::Event.new( - value: input_value.is_a?(Hash) ? Thor::CoreExt::HashWithIndifferentAccess.new(input_value) : input_value, + value: input_value, provider: :cli_files, priority: 40, file: path @@ -307,7 +308,6 @@ module Inspec def handle_raw_input_from_metadata(input_orig, profile_name) input_options = input_orig.dup input_name = input_options.delete(:name) - input_options[:value] = Thor::CoreExt::HashWithIndifferentAccess.new(input_options[:value]) if input_options[:value].is_a?(Hash) input_options[:provider] = :profile_metadata input_options[:file] = File.join(profile_name, "inspec.yml") input_options[:priority] ||= 30 diff --git a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb index c88f76bef..3f3425f62 100644 --- a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb +++ b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb 
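Review bot: The line added to `find_or_register_input` assigns through `options[:event].value =`, so the caller's event object is modified in place. The stored value also becomes a `Thor::CoreExt::HashWithIndifferentAccess`, whose keys are, as far as I know, kept as Strings. A profile that enumerates an input's keys or compares the input with a Symbol-keyed literal (`should eq({ a: 1 })`) may therefore see different results than before; this is inferred, since no test in the series covers it. At minimum document the conversion above the line, e.g. `# Hash values are wrapped for indifferent access; keys are stored as Strings and only the top level is converted`. The method body continues outside the hunk.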
@@ -4,25 +4,41 @@ title "Verifying loading of hashmap inputs using metadata and external file" control "hashmap-metadata" do title "Verifying loading of hashmap inputs using metadata file" - describe input('metadata_basic_key') do - it { should cmp 'metadata_basic_value' } + describe input("metadata_basic_key") do + it { should cmp "metadata_basic_value" } end - describe input('metadata_nested_key') do - its(['metadata_nested_key_str']) { should eq 'metadata_nested_value_str' } - its([:metadata_nested_key_sym]) { should eq 'metadata_nested_value_sym' } + describe input("metadata_nested_key") do + its(["metadata_nested_key_str"]) { should eq "metadata_nested_value_str" } + its([:metadata_nested_key_sym]) { should eq "metadata_nested_value_sym" } end end control "hashmap-external-file" do title "Verifying loading of hashmap inputs using external file" - describe input('external_attribute_basic_key') do - it { should cmp 'external_attribute_basic_value' } + describe input("external_attribute_basic_key") do + it { should cmp "external_attribute_basic_value" } end - describe input('external_attribute_nested_key') do - its(['external_attribute_nested_key_str']) { should eq 'external_attribute_nested_value_str' } - its([:external_attribute_nested_key_sym]) { should eq 'external_attribute_nested_value_sym' } + describe input("external_attribute_nested_key") do + its(["external_attribute_nested_key_str"]) { should eq "external_attribute_nested_value_str" } + its([:external_attribute_nested_key_sym]) { should eq "external_attribute_nested_value_sym" } + end +end + +control "hashmap-profile-DSL" do + title "Verifying loading of hashmap inputs using profile DSL" + + describe input("dsl_basic_key", value: "dsl_basic_value") do + it { should cmp "dsl_basic_value" } + end + + describe input("dsl_hash_string", value: { "dsl_nested_key_str": "dsl_nested_value_str" } ) do + its(["dsl_nested_key_str"]) { should eq "dsl_nested_value_str" } + end + + describe input("dsl_hash_symbol", 
value: { dsl_nested_key_sym: :dsl_nested_value_sym } ) do + its([:dsl_nested_key_sym]) { should eq :dsl_nested_value_sym } end end \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb b/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb index bdc751e63..5935155a9 100644 --- a/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb +++ b/test/fixtures/profiles/inputs/via-runner/controls/via-runner.rb @@ -4,7 +4,7 @@ control "test_control_01" do end describe input("test_input_hash_string", value: { "string_key": "string_value_dsl" }) do - its(['string_key']) { should eq 'string_value' } + its(["string_key"]) { should eq "string_value" } end describe input("test_input_hash_symbol", value: { symbol_key: :symbol_value_dsl }) do diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index c49343363..b4c7f85e2 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -455,8 +455,8 @@ describe "inputs" do end end - describe "when a profile is executed with external inputs and inputs defined in metadata file" do - it "should access the values successfully from both input ways" do + describe "when a profile is executed with inputs through external file, metadata file and profile DSL" do + it "should access the values successfully from all input ways" do result = run_inspec_process("exec #{inputs_profiles_path}/hashmap --input-file #{external_attributes_file_path}", json: true) _(result.stderr).must_be_empty assert_json_controls_passing(result) From 82e126726b6732aeac91408035ad141d1d6c7bff Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 7 Apr 2021 16:09:25 +0530 Subject: [PATCH 009/483] Improvements in hashmap profiles 
Signed-off-by: Nikita Mathur --- .../inputs/hashmap/controls/hashmap_input.rb | 34 ++++++------------- .../inputs/hashmap/external_attributes.yml | 4 --- .../profiles/inputs/hashmap/files/inputs.yml | 3 ++ .../profiles/inputs/hashmap/inspec.yml | 17 ++++------ test/functional/inputs_test.rb | 2 +- 5 files changed, 22 insertions(+), 38 deletions(-) delete mode 100644 test/fixtures/profiles/inputs/hashmap/external_attributes.yml create mode 100644 test/fixtures/profiles/inputs/hashmap/files/inputs.yml diff --git a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb index 3f3425f62..f26c3d25f 100644 --- a/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb +++ b/test/fixtures/profiles/inputs/hashmap/controls/hashmap_input.rb 
@@ -1,44 +1,32 @@ -# copyright: 218, The Authors +# copyright: 2021, Chef Software, Inc. title "Verifying loading of hashmap inputs using metadata and external file" control "hashmap-metadata" do title "Verifying loading of hashmap inputs using metadata file" - describe input("metadata_basic_key") do - it { should cmp "metadata_basic_value" } - end - - describe input("metadata_nested_key") do - its(["metadata_nested_key_str"]) { should eq "metadata_nested_value_str" } - its([:metadata_nested_key_sym]) { should eq "metadata_nested_value_sym" } + describe input("metadata_hash") do + its(["metadata_hash_key_str"]) { should eq "metadata_hash_value_str" } + its([:metadata_hash_key_sym]) { should eq "metadata_hash_value_sym" } end end control "hashmap-external-file" do title "Verifying loading of hashmap inputs using external file" - describe input("external_attribute_basic_key") do - it { should cmp "external_attribute_basic_value" } - end - - describe input("external_attribute_nested_key") do - its(["external_attribute_nested_key_str"]) { should eq "external_attribute_nested_value_str" } - its([:external_attribute_nested_key_sym]) { should eq "external_attribute_nested_value_sym" } + describe input("external_input_hash") do + its(["external_input_hash_key_str"]) { should eq "external_input_hash_value_str" } + its([:external_input_hash_key_sym]) { should eq "external_input_hash_value_sym" } end end control "hashmap-profile-DSL" do title "Verifying loading of hashmap inputs using profile DSL" - describe input("dsl_basic_key", value: "dsl_basic_value") do - it { should cmp "dsl_basic_value" } + describe input("dsl_hash_string", value: { "dsl_hash_string_key": "dsl_hash_string_value" } ) do + its(["dsl_hash_string_key"]) { should eq "dsl_hash_string_value" } end - describe input("dsl_hash_string", value: { "dsl_nested_key_str": "dsl_nested_value_str" } ) do - its(["dsl_nested_key_str"]) { should eq "dsl_nested_value_str" } - end - - describe input("dsl_hash_symbol", value: 
{ dsl_nested_key_sym: :dsl_nested_value_sym } ) do - its([:dsl_nested_key_sym]) { should eq :dsl_nested_value_sym } + describe input("dsl_hash_symbol", value: { dsl_hash_symbol_key: :dsl_hash_symbol_value } ) do + its([:dsl_hash_symbol_key]) { should eq :dsl_hash_symbol_value } end end \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/hashmap/external_attributes.yml b/test/fixtures/profiles/inputs/hashmap/external_attributes.yml deleted file mode 100644 index d019dbcb9..000000000 --- a/test/fixtures/profiles/inputs/hashmap/external_attributes.yml +++ /dev/null @@ -1,4 +0,0 @@ -external_attribute_basic_key: external_attribute_basic_value -external_attribute_nested_key: - external_attribute_nested_key_str: external_attribute_nested_value_str - external_attribute_nested_key_sym: external_attribute_nested_value_sym \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/hashmap/files/inputs.yml b/test/fixtures/profiles/inputs/hashmap/files/inputs.yml new file mode 100644 index 000000000..779447013 --- /dev/null +++ b/test/fixtures/profiles/inputs/hashmap/files/inputs.yml @@ -0,0 +1,3 @@ +external_input_hash: + external_input_hash_key_str: external_input_hash_value_str + external_input_hash_key_sym: external_input_hash_value_sym \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/hashmap/inspec.yml b/test/fixtures/profiles/inputs/hashmap/inspec.yml index cd86c511d..07bce703c 100644 --- a/test/fixtures/profiles/inputs/hashmap/inspec.yml +++ b/test/fixtures/profiles/inputs/hashmap/inspec.yml 
@@ -1,17 +1,14 @@ name: hashmap -title: InSpec Profile -maintainer: The Authors -copyright: The Authors -copyright_email: you@example.com +title: InSpec Profile to verify hashmap inputs +maintainer: Chef Software, Inc. +copyright: Chef Software, Inc. license: Apache-2.0 -summary: A profile that checks loading of hashmap inputs using metadata file and external file. +summary: A profile that checks loading of hashmap inputs version: 0.1.0 supports: platform: os inputs: -- name: metadata_basic_key - value: metadata_basic_value -- name: metadata_nested_key +- name: metadata_hash value: - metadata_nested_key_str: metadata_nested_value_str - metadata_nested_key_sym: metadata_nested_value_sym \ No newline at end of file + metadata_hash_key_str: metadata_hash_value_str + metadata_hash_key_sym: metadata_hash_value_sym \ No newline at end of file diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index b4c7f85e2..499651081 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -6,7 +6,7 @@ require "tempfile" describe "inputs" do include FunctionalHelper let(:inputs_profiles_path) { File.join(profile_path, "inputs") } - let(:external_attributes_file_path) { "#{inputs_profiles_path}/hashmap/external_attributes.yml" } + let(:external_attributes_file_path) { "#{inputs_profiles_path}/hashmap/files/inputs.yml" } parallelize_me! From e348f8ad3fc7765fbb5a5d6b14461c331ecd3555 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 7 Apr 2021 12:44:47 +0000 Subject: [PATCH 010/483] Bump version to 4.30.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a4b1b846a..1a7379533 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.30.0](https://github.com/inspec/inspec/tree/v4.30.0) (2021-04-05) + +## [v4.30.1](https://github.com/inspec/inspec/tree/v4.30.1) (2021-04-07) #### Merged Pull Requests -- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) ### Changes since 4.29.3 release #### Merged Pull Requests +- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) - Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) - Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 37798a502..51482c327 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.30.0 \ No newline at end of file +4.30.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 670305ec4..96972d09d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.30.0".freeze + VERSION = "4.30.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index c285f92c6..7fe10235b 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.30.0".freeze + VERSION = "4.30.1".freeze end From 43c9fb5bd4bebb8b0073b18ebe9185c99b2c36c7 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 7 Apr 2021 12:51:22 +0000 Subject: [PATCH 011/483] Bump version to 4.30.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a7379533..3cb317cc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.30.1](https://github.com/inspec/inspec/tree/v4.30.1) (2021-04-07) + +## [v4.30.2](https://github.com/inspec/inspec/tree/v4.30.2) (2021-04-07) #### Merged Pull Requests -- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) +- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) ### Changes since 4.29.3 release #### Merged Pull Requests +- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) - Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) - Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 51482c327..b48075a8b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.30.1 \ No newline at end of file +4.30.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 96972d09d..e3b59b659 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.30.1".freeze + VERSION = "4.30.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 7fe10235b..aa24c1f67 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.30.1".freeze + VERSION = "4.30.2".freeze end From e8e5d8eb6f9b616b458a67f80896e7b1ecd97126 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 7 Apr 2021 13:02:12 +0000 Subject: [PATCH 012/483] Bump version to 4.31.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cb317cc1..986039771 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.30.2](https://github.com/inspec/inspec/tree/v4.30.2) (2021-04-07) + +## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07) -#### Merged Pull Requests -- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) +#### New Features +- Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.29.3 release +#### New Features +- Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) - Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) 
diff --git a/VERSION b/VERSION index b48075a8b..e8d959f07 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.30.2 \ No newline at end of file +4.31.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e3b59b659..a7323fce7 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.30.2".freeze + VERSION = "4.31.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index aa24c1f67..94e70f18c 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.30.2".freeze + VERSION = "4.31.0".freeze end From 499bc99c71d7b006dfa87fb38037828da8093bf4 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 7 Apr 2021 18:24:11 +0000 Subject: [PATCH 013/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 29 +++++++++++++---------------- Dockerfile | 2 +- 2 files changed, 14 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 986039771..09a952e04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,27 +1,25 @@ # Change Log - + + + + + + + ## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07) #### New Features - Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe)) - - - -### Changes since 4.29.3 release - -#### New Features -- Add --docker-url CLI option [#5445](https://github.com/inspec/inspec/pull/5445) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests -- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) -- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) -- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) -- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105)) - - +- Fix for Deprecation warning and FilterTable::ExceptionCatcher to show exact failure message. [#5441](https://github.com/inspec/inspec/pull/5441) ([Vasu1105](https://github.com/Vasu1105)) +- Update inputs.md [#5449](https://github.com/inspec/inspec/pull/5449) ([IanMadd](https://github.com/IanMadd)) +- Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) +- Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) + ## [v4.29.3](https://github.com/inspec/inspec/tree/v4.29.3) (2021-03-25) #### Bug Fixes 
@@ -36,7 +34,6 @@ - Update codeowners for docs [#5440](https://github.com/inspec/inspec/pull/5440) ([IanMadd](https://github.com/IanMadd)) - Improve resource page menu titles [#5439](https://github.com/inspec/inspec/pull/5439) ([IanMadd](https://github.com/IanMadd)) - Add m1 support to MacOS build list [#5432](https://github.com/inspec/inspec/pull/5432) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.28.0](https://github.com/inspec/inspec/tree/v4.28.0) (2021-03-17) diff --git a/Dockerfile b/Dockerfile index bf549415b..82a97f109 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.29.3 +ARG VERSION=4.31.0 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 5865cdd1c40d2dd7c4a69898168cf6132916b799 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 8 Apr 2021 12:58:36 +0530 Subject: [PATCH 014/483] Added input and input file option for shell, along with functional test cases Signed-off-by: Nikita Mathur --- lib/inspec/cli.rb | 4 ++++ test/functional/inspec_shell_test.rb | 31 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index c47736896..6d990c5dc 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb 
@@ -325,6 +325,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI desc: "Maximum seconds to allow a command to run. Default 3600.", long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error." option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources." + option :input_file, type: :array, + desc: "Load one or more input files, a YAML file with values for the shell to use" + option :input, type: :array, banner: "name1=value1 name2=value2", + desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures." def shell_func o = config diagnose(o) diff --git a/test/functional/inspec_shell_test.rb b/test/functional/inspec_shell_test.rb index 187242280..f9a53efc5 100644 --- a/test/functional/inspec_shell_test.rb +++ b/test/functional/inspec_shell_test.rb @@ -2,6 +2,7 @@ require "functional/helper" describe "inspec shell tests" do include FunctionalHelper + let(:input_file_from_basic_input_profile) { File.join(profile_path, "inputs", "basic", "files", "flat.yaml") } parallelize_me! @@ -22,6 +23,22 @@ describe "inspec shell tests" do out end + def assert_shell_c_with_inputs(code, input_cmd, input, exit_status, json = false, stderr= "") + json_suffix = " --reporter 'json'" if json + command = "shell -c '#{code.tr("'", '\\\'')}'#{input_cmd} #{input}#{json_suffix}" + # On darwin this value is: + # shell -c 'describe file(\"/Users/nickschwaderer/Documents/inspec/inspec/test/functional/inspec_shell_test.rb\") do it { should exist } end' --reporter 'json'" + # appears to break in windows. + out = inspec(command) + + actual = out.stderr.gsub(/\e\[(\d+)(;\d+)*m/, "") # strip ANSI color codes + _(actual).must_equal stderr + + assert_exit_code exit_status, out + + out + end + it "loads a dependency" do res = inspec("shell -c 'example_config' --depends #{example_profile}") 
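Review bot: In `assert_shell_c_with_inputs` (the `@@ -22,6 +23,22 @@` hunk of test/functional/inspec_shell_test.rb), `code.tr("'", '\\\'')` cannot escape a single quote for the shell. `String#tr` maps one character to one character, so it never produces a backslash-quote pair, and a POSIX shell does not honour backslash escapes inside single quotes anyway. The two new tests only pass double-quoted Ruby, so the problem is latent, but quoting through the standard library makes the intent explicit: `command = "shell -c #{Shellwords.escape(code)}#{input_cmd} #{input}#{json_suffix}"` with `require "shellwords"` at the top of the file. The helper also appears to duplicate the existing shell helper just above it, including a comment that cites a developer-local path; optional `input_cmd`/`input` arguments on that helper would avoid the copy.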
@@ -178,6 +195,20 @@ describe "inspec shell tests" do _(out.stdout).must_include "0 successful" _(out.stdout).must_include "1 failure" end + + it "loads input from external input file" do + skip_windows! # Breakage confirmed + out = assert_shell_c_with_inputs("describe input(\"a_quoted_string\") do it { should cmp \"Should not have quotes\" } end", " --input-file", input_file_from_basic_input_profile, 0) + _(out.stdout).must_include "1 successful" + _(out.stdout).must_include "0 failures" + end + + it "loads input from input cli" do + skip_windows! # Breakage confirmed + out = assert_shell_c_with_inputs("describe input(\"test_input_01\") do it { should cmp \"value_from_cli_01\" } end", " --input", "test_input_01='value_from_cli_01'", 0) + _(out.stdout).must_include "1 successful" + _(out.stdout).must_include "0 failures" + end end # Pry does not support STDIN from windows currently. Skipping these for now. From 53810186dcd225f85cab447e78020e444dc2156f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 8 Apr 2021 13:53:05 +0530 Subject: [PATCH 015/483] Documentation for shell inputs added Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/shell.md | 40 ++++++++++++++++++++++++++++ lib/inspec/cli.rb | 2 +- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 2195df63a..6de1d462b 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md 
@@ -230,3 +230,43 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi } } ``` + +## Running Chef InSpec Shell with inputs + +Input option in shell subcommand would allow to more consistently and easily test and work with controls inside shell. + +This subcommand has following two options: +* ``--input=name1=value1 name2=value2`` + Specify one or more inputs directly on the command line to shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. +* ``--input-file=one two three`` + Load one or more input files, a YAML file with values for the shell to use + +```bash +$ inspec shell --input=input_name=input_value +Welcome to the interactive InSpec Shell +To find out how to use it, type: help + +inspec> control 'my_control' do +inspec> describe input('input_name') do +inspec> it { should cmp 'input_value' } +inspec> end +inspec> end +Profile: inspec-shell + + ✔ my_control: input_value + ✔ input_value is expected to cmp == "input_value" + +Profile Summary: 1 successful control, 0 control failures, 0 controls skipped +Test Summary: 1 successful, 0 failures, 0 skipped +inspec> exit +``` +You may also provide inputs and values via YAML files on the command line to shell. The format can be seen below: + +```yaml +input_name: input_value +another_input: another_value +``` + +```bash +$ inspec shell --input-file= +``` diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 6d990c5dc..9be8127fa 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb 
@@ -328,7 +328,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI option :input_file, type: :array, desc: "Load one or more input files, a YAML file with values for the shell to use" option :input, type: :array, banner: "name1=value1 name2=value2", - desc: "Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures." + desc: "Specify one or more inputs directly on the command line to the shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures." def shell_func o = config diagnose(o) From 8d22d0a3607b8deda074e73457736c701b628ea9 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 8 Apr 2021 16:04:06 +0530 Subject: [PATCH 016/483] Code linting issue fixed Signed-off-by: Nikita Mathur --- test/functional/inspec_shell_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/functional/inspec_shell_test.rb b/test/functional/inspec_shell_test.rb index f9a53efc5..39678deec 100644 --- a/test/functional/inspec_shell_test.rb +++ b/test/functional/inspec_shell_test.rb @@ -23,7 +23,7 @@ describe "inspec shell tests" do out end - def assert_shell_c_with_inputs(code, input_cmd, input, exit_status, json = false, stderr= "") + def assert_shell_c_with_inputs(code, input_cmd, input, exit_status, json = false, stderr = "") json_suffix = " --reporter 'json'" if json command = "shell -c '#{code.tr("'", '\\\'')}'#{input_cmd} #{input}#{json_suffix}" # On darwin this value is: From cbf57c3905d4027f61e6c417e2e4ee7925e8eb2b Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 8 Apr 2021 14:53:53 -0400 Subject: [PATCH 017/483] Use default command timeout value if timeout is 0 Signed-off-by: Clinton Wolfe --- lib/inspec/resources/command.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/inspec/resources/command.rb b/lib/inspec/resources/command.rb index 89c7c1257..460f6def0 100644 --- a/lib/inspec/resources/command.rb +++ b/lib/inspec/resources/command.rb 
@@ -36,6 +36,7 @@ module Inspec::Resources # Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default, # but that may not be loaded for kitchen-inspec and other pure gem consumers default_cli_timeout = 3600 + cli_timeout = default_cli_timeout if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value if cli_timeout != default_cli_timeout @timeout = cli_timeout else From b3a0687fbe3e9fd5fcc652a5e9cfc5bf036356e4 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 8 Apr 2021 19:48:11 +0000 Subject: [PATCH 018/483] Bump version to 4.31.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09a952e04..3ba594a47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08) + +#### Bug Fixes +- Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe)) - + +### Changes since 4.31.0 release + +#### Bug Fixes +- Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index e8d959f07..4be90f31e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.31.0 \ No newline at end of file +4.31.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index a7323fce7..d32b8bf78 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
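Review bot: The added guard `cli_timeout = default_cli_timeout if cli_timeout == 0` handles only an exact zero; a `nil` or negative `cli_timeout` still takes the `if cli_timeout != default_cli_timeout` branch below it and is stored in `@timeout`. Where `cli_timeout` is assigned lies outside this hunk, so whether `nil` can reach this line needs confirming, although the surrounding comment says the CLI options may not be loaded for pure gem consumers. `cli_timeout = default_cli_timeout if cli_timeout.nil? || cli_timeout <= 0` would cover those cases. The trailing comment has a typo (`resonable`) and could state that an explicit `--command-timeout 0` is replaced by 3600 rather than meaning no limit. The enclosing method starts and ends outside the hunk.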
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.31.0".freeze + VERSION = "4.31.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 94e70f18c..a2dea1475 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.31.0".freeze + VERSION = "4.31.1".freeze end From ec6a63541ae01830a1acaf8b8c9f1097e9e0d318 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 8 Apr 2021 20:55:15 +0000 Subject: [PATCH 019/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 19 ++++++++----------- Dockerfile | 2 +- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ba594a47..92756262c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,20 +1,18 @@ # Change Log - + + + + + + + ## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08) #### Bug Fixes - Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe)) - - - -### Changes since 4.31.0 release - -#### Bug Fixes -- Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe)) - - + ## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07) #### New Features 
@@ -26,7 +24,6 @@ - Add timeout option to command resource [#5443](https://github.com/inspec/inspec/pull/5443) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Update platforms doc [#5442](https://github.com/inspec/inspec/pull/5442) ([IanMadd](https://github.com/IanMadd)) - Bug fix for loading hashmap inputs consistently [#5446](https://github.com/inspec/inspec/pull/5446) ([Nik08](https://github.com/Nik08)) - ## [v4.29.3](https://github.com/inspec/inspec/tree/v4.29.3) (2021-03-25) diff --git a/Dockerfile b/Dockerfile index 82a97f109..a498516e2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.31.0 +ARG VERSION=4.31.1 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 6a5ad711ed0e2ffb1385896ef4bec7dff2f50a21 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 9 Apr 2021 13:12:10 +0530 Subject: [PATCH 020/483] Doc updated for shell on inputs from PR review Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/shell.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 6de1d462b..8729701ef 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md 
@@ -233,9 +233,9 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi ## Running Chef InSpec Shell with inputs -Input option in shell subcommand would allow to more consistently and easily test and work with controls inside shell. +The input options for the shell command allow you to provide values to profiles that are parameterized. This allows you to work more consistently with these profiles when switching between `shell` and `exec` when using profiles that have inputs. For more details on inputs, see the [inputs reference](/inspec/inputs/). -This subcommand has following two options: +The shell command has following two input options: * ``--input=name1=value1 name2=value2`` Specify one or more inputs directly on the command line to shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. * ``--input-file=one two three`` From 4c107b273d67b640af34ce5ffd9fdb6834b46fb7 Mon Sep 17 00:00:00 2001 From: IanMadd Date: Mon, 12 Apr 2021 16:18:55 -0700 Subject: [PATCH 021/483] Docs editing Signed-off-by: IanMadd --- docs-chef-io/content/inspec/shell.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 8729701ef..5de5b0d17 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md 
@@ -231,15 +231,17 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi } ``` -## Running Chef InSpec Shell with inputs +## Running Chef InSpec Shell With Inputs -The input options for the shell command allow you to provide values to profiles that are parameterized. This allows you to work more consistently with these profiles when switching between `shell` and `exec` when using profiles that have inputs. For more details on inputs, see the [inputs reference](/inspec/inputs/). +With InSpec [profiles that support inputs](inspec/inputs/#which-profiles-support-inputs), +you can set inputs using the InSpec `shell` command. This allows you to work more consistently with +InSpec profiles when switching between the `shell` and `exec` commands. -The shell command has following two input options: -* ``--input=name1=value1 name2=value2`` - Specify one or more inputs directly on the command line to shell, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. -* ``--input-file=one two three`` - Load one or more input files, a YAML file with values for the shell to use +For more details on inputs, see the [inputs reference](/inspec/inputs/). + +### Set Inputs with Command-line Options + +The `shell` command accepts one or more inputs in the command line as single-quoted YAML or JSON structures. ```bash $ inspec shell --input=input_name=input_value @@ -260,7 +262,11 @@ Profile Summary: 1 successful control, 0 control failures, 0 controls skipped Test Summary: 1 successful, 0 failures, 0 skipped inspec> exit ``` -You may also provide inputs and values via YAML files on the command line to shell. The format can be seen below: + +### Set Inputs with YAML File + +You can also save inputs and values to one or more YAML files and pass them to `shell` in the command line. +For example: ```yaml input_name: input_value @@ -268,5 +274,5 @@ another_input: another_value ``` ```bash -$ inspec shell --input-file= +inspec shell --input-file= ``` 
From 7b2cba6579dd4cd3793072c7cd376c413ea078e7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 14 Apr 2021 00:41:45 +0000 Subject: [PATCH 022/483] Bump version to 4.32.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92756262c..f8bdbc627 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14) + +#### New Features +- Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08)) - + +### Changes since 4.31.1 release + +#### New Features +- Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 4be90f31e..7db87d026 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.31.1 \ No newline at end of file +4.32.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d32b8bf78..ce1430126 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.31.1".freeze + VERSION = "4.32.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a2dea1475..326082543 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.31.1".freeze + VERSION = "4.32.0".freeze end From bb8c51dbc7515d1f8b92eb30b41b98b60b15ec71 Mon Sep 17 00:00:00 2001 
From: Clinton Wolfe Date: Tue, 13 Apr 2021 21:05:53 -0400 Subject: [PATCH 023/483] Initial implementation of listing source in CLI reporter Signed-off-by: Clinton Wolfe --- docs-chef-io/content/inspec/cli.md | 2 + lib/inspec/base_cli.rb | 2 + lib/inspec/reporters/cli.rb | 63 ++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index c6f14d149..9144a66b6 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -300,6 +300,8 @@ This subcommand has additional options: Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml * ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion`` Include a code backtrace in report data (default: true) +* ``--reporter-include-source`` + Include full source code of controls in the CLI report * ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION`` Number of characters to truncate failure messages in report data to (default: no truncation) * ``--self-signed``, ``--no-self-signed`` diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 0c4d9e7aa..63c0158f9 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb @@ -171,6 +171,8 @@ module Inspec option :command_timeout, type: :numeric, default: 3600, desc: "Maximum seconds to allow commands to run during execution. Default 3600.", long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error." + option :reporter_include_source, type: :boolean, default: false, + desc: "Include full source code of controls in the CLI report" end def self.help(*args) diff --git a/lib/inspec/reporters/cli.rb b/lib/inspec/reporters/cli.rb index a78393a92..9d29c3296 100644 --- a/lib/inspec/reporters/cli.rb +++ b/lib/inspec/reporters/cli.rb 
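Review bot: The description of `option :reporter_include_source` in lib/inspec/base_cli.rb does not say that control source is printed verbatim, so anything hard-coded in a control file (credentials, internal hostnames) lands in terminal and CI logs once the flag is on. I would extend the text, for example `desc: "Include full source code of controls in the CLI report (printed verbatim; review before sharing report output)"`, and mirror it in the cli.md entry added in the same commit. The option appears to be declared with the shared exec options while only the CLI reporter reads it in this commit, which the description could also make clear.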
@@ -41,12 +41,14 @@ module Inspec::Reporters MULTI_TEST_CONTROL_SUMMARY_MAX_LEN = 60 def render + @src_extent_map = {} run_data[:profiles].each do |profile| if profile[:status] == "skipped" platform = run_data[:platform] output("Skipping profile: '#{profile[:name]}' on unsupported platform: '#{platform[:name]}/#{platform[:release]}'.") next end + read_control_source(profile) @control_count = 0 output("") print_profile_header(profile) @@ -89,6 +91,7 @@ module Inspec::Reporters next if control.results.nil? output(format_control_header(control)) + output(format_control_source(control)) if Inspec::Config.cached[:reporter_include_source] control.results.each do |result| output(format_result(control, result, :standard)) @control_count += 1 
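Review bot: `@src_extent_map = {}` added at the top of `render` is never read in the visible changes; `read_control_source` builds a local `src_extent_map` instead, so the instance variable can be dropped. `read_control_source(profile)` is also called inside the per-profile loop, yet as far as the visible code shows it iterates `all_unique_controls` and ignores its `profile` argument, so every control file is re-read for each profile. Calling it once before `run_data[:profiles].each` and removing the parameter would do the same work a single time. `render` starts and ends outside the hunk.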
@@ -127,6 +130,62 @@ module Inspec::Reporters ) end + def format_control_source(control) + src = @control_source[control.id] + message = "Control Source from #{src[:path]}:#{src[:start]}..#{src[:end]}\n" + message += src[:content] + format_message( + color: "skipped", + indentation: 5, + message: message + ) + end + + def read_control_source(profile) + return unless Inspec::Config.cached[:reporter_include_source] + + @control_source = {} + src_extent_map = {} + + # First pass: build map of paths => ids => [start] + all_unique_controls.each do |control| + id = control[:id] + path = control[:source_location][:ref] + start = control[:source_location][:line] + next if path.nil? || start.nil? + + src_extent_map[path] ||= [] + src_extent_map[path] << { start: start, id: id } + end + + # Now sort the controls by their starting line in their control file + src_extent_map.values.each do |extent_list| + extent_list.sort! { |a, b| a[:start] <=> b[:start] } + end + + # Third pass: Read in files and split into lines + src_extent_map.keys.each do |path| + control_file_lines = File.read(path).lines # TODO error handling + last_line_in_file = control_file_lines.count + extent_list = src_extent_map[path] + extent_list.each_with_index do |extent, idx| + if idx == extent_list.count - 1 # Last entry + extent[:end] = last_line_in_file + else + extent[:end] = extent_list[idx + 1][:start] - 1 + end + + @control_source[extent[:id]] = + { + path: path, + start: extent[:start], + end: extent[:end], + content: control_file_lines.slice(extent[:start] - 1, extent[:end] - extent[:start] + 1).join(""), + } + end + end + end + def format_result(control, result, type) impact = control.impact_string_for_result(result) @@ -312,6 +371,10 @@ module Inspec::Reporters data[:impact] end + def source_location + data[:source_location] + end + def anonymous? id.start_with?("(generated from ") end From 7f9c548a3ccf365571c8812bc2e5e36932cc62fb Mon Sep 17 00:00:00 2001 
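Review bot: `format_control_source` dereferences `src[:path]` without checking that `@control_source` has an entry for the control, while `read_control_source` deliberately skips controls whose `source_location` lacks a `ref` or `line`; such a control would raise NoMethodError on nil halfway through the report. `File.read(path)` still carries `# TODO error handling`, so a `ref` that is not a readable local file would abort the run with an Errno error; whether that can happen for profiles not loaded from a plain directory is not visible here. I would guard both, as sketched below, so that a missing source degrades to a one-line notice rather than losing the report.

```ruby
def format_control_source(control)
  src = @control_source[control.id]
  # No extent recorded: source_location was incomplete or the file could not be read
  message =
    if src.nil?
      "Control Source not available"
    else
      "Control Source from #{src[:path]}:#{src[:start]}..#{src[:end]}\n" + src[:content]
    end
  # … unchanged: format_message(color: "skipped", indentation: 5, message: message) …
end

# in read_control_source, third pass
src_extent_map.each do |path, extent_list|
  begin
    control_file_lines = File.read(path).lines
  rescue SystemCallError
    next # these controls get no entry; format_control_source reports that
  end
  last_line_in_file = control_file_lines.count
  # … unchanged: compute extent[:end] and fill @control_source …
end
```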
From: Chef Expeditor Date: Wed, 14 Apr 2021 17:38:27 +0000 Subject: [PATCH 024/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 19 ++++++++----------- Dockerfile | 2 +- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8bdbc627..a8f54b132 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,25 +1,22 @@ # Change Log - + + + + + + + ## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14) #### New Features - Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08)) - - - -### Changes since 4.31.1 release - -#### New Features -- Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08)) - - + ## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08) #### Bug Fixes - Use default command timeout value if timeout is 0 [#5455](https://github.com/inspec/inspec/pull/5455) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.31.0](https://github.com/inspec/inspec/tree/v4.31.0) (2021-04-07) diff --git a/Dockerfile b/Dockerfile index a498516e2..7adce1823 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.31.1 +ARG VERSION=4.32.0 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 73d0df4d02fa1b6b9e6f32b945211c48eb0bb155 Mon Sep 17 00:00:00 2001 
From: Tobias Balle-Petersen Date: Thu, 15 Apr 2021 10:07:06 +0200 Subject: [PATCH 025/483] Update postgres_ident_conf.md pg_ident_conf.where changed to postgres_ident.conf.where a few places. --- .../content/inspec/resources/postgres_ident_conf.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/postgres_ident_conf.md b/docs-chef-io/content/inspec/resources/postgres_ident_conf.md index 6fd259a4e..76b0ac00a 100644 --- a/docs-chef-io/content/inspec/resources/postgres_ident_conf.md +++ b/docs-chef-io/content/inspec/resources/postgres_ident_conf.md @@ -47,7 +47,7 @@ where `address` returns a an array of strings that matches the where condition of the filter table - describe pg_ident_conf.where { pg_username == 'name' } do + describe postgres_ident_conf.where { pg_username == 'name' } do its('map_name') { should eq ['value'] } end @@ -55,7 +55,7 @@ where `pg_username` returns a an array of strings that matches the where condition of the filter table - describe pg_ident_conf.where { pg_username == 'name' } do + describe postgres_ident_conf.where { pg_username == 'name' } do its('pg_username') { should eq ['value'] } end @@ -63,7 +63,7 @@ where `system_username` returns a an array of strings that matches the where condition of the filter table - describe pg_ident_conf.where { pg_username == 'name' } do + describe postgres_ident_conf.where { pg_username == 'name' } do its('system_username') { should eq ['value'] } end From ddaaa191ef738f497c41882a6fc8d0f760ba06a7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 15 Apr 2021 20:14:30 +0000 Subject: [PATCH 026/483] Bump version to 4.32.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index a8f54b132..7e990f524 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.32.1](https://github.com/inspec/inspec/tree/v4.32.1) (2021-04-15) + +#### Merged Pull Requests +- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) - + +### Changes since 4.32.0 release + +#### Merged Pull Requests +- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) diff --git a/VERSION b/VERSION index 7db87d026..03460d784 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.32.0 \ No newline at end of file +4.32.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index ce1430126..87d30b150 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.32.0".freeze + VERSION = "4.32.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 326082543..fa62949e5 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.32.0".freeze + VERSION = "4.32.1".freeze end From 1056b84326403913072c5821739f4ba704a26079 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 15 Apr 2021 16:16:12 -0400 Subject: [PATCH 027/483] Add functional test for --reporter-include-source Signed-off-by: Clinton Wolfe --- test/functional/inspec_exec_test.rb | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index 0264c0256..e3ebad369 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
@@ -1084,4 +1084,35 @@ Test Summary: 2 successful, 0 failures, 0 skipped\n" end end end + + describe "when using the --reporter-include-source option with the CLI reporter" do + let(:profile) { "#{profile_path}/sorted-results/sort-me-1" } # A profile with controls separated in multiple files + let(:run_result) { run_inspec_process("exec #{profile} --reporter-include-source") } + it "includes the control source code" do + _(run_result.stderr).must_be_empty + + expected = %r{Control Source from .+test/fixtures/profiles/sorted-results/sort-me-1/controls/a-uvw.rb:1..6} + _(run_result.stdout).must_match expected + expected = < Date: Fri, 16 Apr 2021 10:57:57 -0400 Subject: [PATCH 028/483] Update tests to handle local omnibus packages from Buildkite artifacts api Signed-off-by: Nathaniel Kierpiec --- omnibus/omnibus-test.ps1 | 13 +++++++++++-- omnibus/omnibus-test.sh | 7 ++++++- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/omnibus/omnibus-test.ps1 b/omnibus/omnibus-test.ps1 index f7bec5715..c526ae82e 100644 --- a/omnibus/omnibus-test.ps1 +++ b/omnibus/omnibus-test.ps1 
@@ -10,8 +10,17 @@ If ([string]::IsNullOrEmpty($product)) { $product = "inspec" } $version = "$Env:VERSION" If ([string]::IsNullOrEmpty($version)) { $version = "latest" } -Write-Output "--- Installing $channel $product $version" -$package_file = $(C:\opscode\omnibus-toolchain\bin\install-omnibus-product.ps1 -Product "$product" -Channel "$channel" -Version "$version" | Select-Object -Last 1) +$package_file = "$Env:PACKAGE_FILE" +If ([string]::IsNullOrEmpty($package_file)) { $package_file = "" } + +If ($package_file -eq "") { + Write-Output "--- Installing $channel $product $version" + $package_file = $(.omnibus-buildkite-plugin\install-omnibus-product.ps1 -Product "$product" -Channel "$channel" -Version "$version" | Select-Object -Last 1) +} +Else { + Write-Output "--- Installing $product $version" + $package_file = $(.omnibus-buildkite-plugin\install-omnibus-product.ps1 -Package "$package_file" -Product "$product" -Version "$version" | Select-Object -Last 1) +} Write-Output "--- Verifying omnibus package is signed" C:\opscode\omnibus-toolchain\bin\check-omnibus-package-signed.ps1 "$package_file" diff --git a/omnibus/omnibus-test.sh b/omnibus/omnibus-test.sh index 6f431eb49..c7941568c 100644 --- a/omnibus/omnibus-test.sh +++ b/omnibus/omnibus-test.sh 
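Review bot: In the `Else` branch `$package_file` is overwritten with the last output line of the install script, and that value is what the following `check-omnibus-package-signed.ps1` call verifies; omnibus-test.sh in the same commit keeps the `PACKAGE_FILE` value instead. Whether the script echoes the package path in `-Package` mode is not visible here, so I would keep the supplied path, e.g. `$null = .omnibus-buildkite-plugin\install-omnibus-product.ps1 -Package "$package_file" -Product "$product" -Version "$version"`. Both scripts also install the package before the signature step runs; for a locally supplied artifact the check could come first, provided the signing tool accepts a file that is not yet installed. The script continues outside the hunk.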
@@ -4,9 +4,14 @@ set -eo pipefail channel="${CHANNEL:-unstable}" product="${PRODUCT:-inspec}" version="${VERSION:-latest}" +package_file=${PACKAGE_FILE:-""} echo "--- Installing $channel $product $version" -package_file="$(/opt/omnibus-toolchain/bin/install-omnibus-product -c "$channel" -P "$product" -v "$version" | tail -n 1)" +if [[ -z $package_file ]]; then + package_file="$(.omnibus-buildkite-plugin/install-omnibus-product.sh -c "$channel" -P "$product" -v "$version" | tail -1)" +else + .omnibus-buildkite-plugin/install-omnibus-product.sh -f "$package_file" -P "$product" -v "$version" &> /dev/null +fi echo "--- Verifying omnibus package is signed" /opt/omnibus-toolchain/bin/check-omnibus-package-signed "$package_file" From c1102dd2abaabde8174b1e5c94783cc2cdabd85a Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Mon, 19 Apr 2021 07:06:54 +0000 Subject: [PATCH 029/483] Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 Updates the requirements on [faraday](https://github.com/lostisland/faraday) to permit the latest version. - [Release notes](https://github.com/lostisland/faraday/releases) - [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md) - [Commits](https://github.com/lostisland/faraday/compare/v0.9.0...v1.4.1) Signed-off-by: dependabot-preview[bot] --- inspec-core.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec-core.gemspec b/inspec-core.gemspec index 96abd574f..251cfc291 100644 --- a/inspec-core.gemspec +++ b/inspec-core.gemspec 
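Review bot: The local-package branch redirects both stdout and stderr with `&> /dev/null`, so when the install fails `set -eo pipefail` ends the job with no message explaining why. Dropping only stdout keeps the diagnostics: `.omnibus-buildkite-plugin/install-omnibus-product.sh -f "$package_file" -P "$product" -v "$version" > /dev/null`. The unchanged `echo "--- Installing $channel $product $version"` above still names a channel that this branch does not use.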
@@ -35,7 +35,7 @@ Gem::Specification.new do |spec| spec.add_dependency "mixlib-log", "~> 3.0" spec.add_dependency "sslshake", "~> 1.2" spec.add_dependency "parallel", "~> 1.9" - spec.add_dependency "faraday", ">= 0.9.0", "< 1.4" + spec.add_dependency "faraday", ">= 0.9.0", "< 1.5" spec.add_dependency "faraday_middleware", "~> 1.0" spec.add_dependency "tty-table", "~> 0.10" spec.add_dependency "tty-prompt", "~> 0.17" From 7c1db116218a4840ab5f8507302e6f58edfa4fc1 Mon Sep 17 00:00:00 2001 From: Tom Duffield Date: Mon, 19 Apr 2021 15:28:08 -0500 Subject: [PATCH 030/483] Update Dobi annotations to address tagging bug Be explicit when we expect to add the channel and latest tags. Signed-off-by: Tom Duffield --- dobi.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/dobi.yaml b/dobi.yaml index 4811c5cfc..038df3910 100644 --- a/dobi.yaml +++ b/dobi.yaml @@ -18,4 +18,5 @@ image=chef: CHANNEL: unstable annotations: tags: - - expeditor:final-channel-tags={{major}},{{major}}.{{minor}} + - expeditor:default-tags={{channel}} + - expeditor:final-channel-tags=latest,{{major}},{{major}}.{{minor}} From e8e437fa4424a03ffa466c87feb64508d314aca7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 20 Apr 2021 17:25:46 +0000 Subject: [PATCH 031/483] Bump version to 4.33.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e990f524..d54527cf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,15 +1,18 @@ # Change Log - -## [v4.32.1](https://github.com/inspec/inspec/tree/v4.32.1) (2021-04-15) + +## [v4.33.0](https://github.com/inspec/inspec/tree/v4.33.0) (2021-04-20) -#### Merged Pull Requests -- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) +#### New Features +- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.32.0 release +#### New Features +- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) diff --git a/VERSION b/VERSION index 03460d784..514b2fa0e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.32.1 \ No newline at end of file +4.33.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 87d30b150..aee82c9c8 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.32.1".freeze + VERSION = "4.33.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index fa62949e5..0435ee90b 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.32.1".freeze + VERSION = "4.33.0".freeze end From b3e367da579685c3f5a5c903da70e3362fd8e7b1 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 19 Apr 2021 14:35:14 -0400 Subject: [PATCH 032/483] Remove default of 3600 seconds for command timeout 
Signed-off-by: Clinton Wolfe --- docs-chef-io/content/inspec/cli.md | 4 ++-- lib/inspec/base_cli.rb | 6 +++--- lib/inspec/cli.rb | 6 +++--- lib/inspec/resources/command.rb | 12 +++--------- test/unit/resources/json_test.rb | 2 +- 5 files changed, 12 insertions(+), 18 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 9144a66b6..1748a074d 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -261,7 +261,7 @@ This subcommand has additional options: * ``--bastion-user=BASTION_USER`` Specifies the bastion user if applicable * ``--command-timeout=SECONDS`` - Maximum seconds to allow a command to run. Default 3600. + Maximum seconds to allow a command to run. * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--controls=one two three`` @@ -431,7 +431,7 @@ This subcommand has additional options: * ``-c``, ``--command=COMMAND`` A single command string to run instead of launching the shell * ``--command-timeout=SECONDS`` - Maximum seconds to allow a command to run. Default 3600. + Maximum seconds to allow a command to run. * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--depends=one two three`` diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 63c0158f9..763a9f857 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb 
@@ -168,9 +168,9 @@ module Inspec desc: "After normal execution order, results are sorted by control ID, or by file (default), or randomly. None uses legacy unsorted mode." option :filter_empty_profiles, type: :boolean, default: false, desc: "Filter empty profiles (profiles without controls) from the report." - option :command_timeout, type: :numeric, default: 3600, - desc: "Maximum seconds to allow commands to run during execution. Default 3600.", - long_desc: "Maximum seconds to allow commands to run during execution. Default 3600. A timed out command is considered an error." + option :command_timeout, type: :numeric, + desc: "Maximum seconds to allow commands to run during execution.", + long_desc: "Maximum seconds to allow commands to run during execution. A timed out command is considered an error." option :reporter_include_source, type: :boolean, default: false, desc: "Include full source code of controls in the CLI report" end diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 9be8127fa..262984fca 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb 
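Review bot: With the `default: 3600` removed, neither `desc` nor `long_desc` of `command_timeout` says what applies when the option is not given, and the same is true of the matching `shell` option in lib/inspec/cli.rb and of both cli.md entries. The command.rb hunk of this commit sets `@timeout = cli_timeout || options[:timeout]&.to_i`, which is nil when neither is set; what a nil timeout means to the transport is not visible here, but it reads as "no limit", so a hung command could stall a scan. I would state that in the help text, for example `long_desc: "Maximum seconds to allow commands to run during execution. Unset by default, in which case only a resource-level timeout (if any) applies. A timed out command is considered an error."`.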
@@ -321,9 +321,9 @@ class Inspec::InspecCLI < Inspec::BaseCLI desc: "A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell" option :distinct_exit, type: :boolean, default: true, desc: "Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures." - option :command_timeout, type: :numeric, default: 3600, - desc: "Maximum seconds to allow a command to run. Default 3600.", - long_desc: "Maximum seconds to allow commands to run. Default 3600. A timed out command is considered an error." + option :command_timeout, type: :numeric, + desc: "Maximum seconds to allow a command to run.", + long_desc: "Maximum seconds to allow commands to run. A timed out command is considered an error." option :inspect, type: :boolean, default: false, desc: "Use verbose/debugging output for resources." option :input_file, type: :array, desc: "Load one or more input files, a YAML file with values for the shell to use" diff --git a/lib/inspec/resources/command.rb b/lib/inspec/resources/command.rb index 460f6def0..2869595e8 100644 --- a/lib/inspec/resources/command.rb +++ b/lib/inspec/resources/command.rb 
@@ -31,17 +31,11 @@ module Inspec::Resources end @command = cmd - - cli_timeout = Inspec::Config.cached["command_timeout"].to_i + cli_timeout = Inspec::Config.cached["command_timeout"]&.to_i # Can access this via Inspec::InspecCLI.commands["exec"].options[:command_timeout].default, # but that may not be loaded for kitchen-inspec and other pure gem consumers - default_cli_timeout = 3600 - cli_timeout = default_cli_timeout if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value - if cli_timeout != default_cli_timeout - @timeout = cli_timeout - else - @timeout = options[:timeout]&.to_i || default_cli_timeout - end + cli_timeout = nil if cli_timeout == 0 # Under test-kitchen we get a 0 timeout, which can't be a resonable value + @timeout = cli_timeout || options[:timeout]&.to_i if options[:redact_regex] unless options[:redact_regex].is_a?(Regexp) diff --git a/test/unit/resources/json_test.rb b/test/unit/resources/json_test.rb index eb3cd7715..86306f85a 100644 --- a/test/unit/resources/json_test.rb +++ b/test/unit/resources/json_test.rb @@ -95,7 +95,7 @@ describe "Inspec::Resources::JSON" do # stdout:empty, stderr:empty def run_json_cmd(cmd) - Inspec::Config.cached["command_timeout"] = 3600 # Reset to default + Inspec::Config.cached["command_timeout"] = nil # Reset to default quick_resource("json", :linux, command: cmd) end From 6e55c9ed90c29cb6df8a80377af03c118e967847 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 20 Apr 2021 18:42:49 +0000 Subject: [PATCH 033/483] Bump version to 4.33.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d54527cf7..cb427adb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
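Review bot: A CLI value of 0 is normalised to nil, but `options[:timeout]&.to_i` is passed through unchanged, so a resource-level `timeout: 0`, a negative number, or a non-numeric string (which `to_i` turns into 0) becomes `@timeout` as is. Treating both sources the same way closes that gap: `@timeout = [cli_timeout, options[:timeout]&.to_i].find { |t| t&.positive? }`. It is also worth a comment that the CLI value, when present, overrides the timeout written in the control, since that precedence is easy to miss. The enclosing `initialize` starts and ends outside the hunk.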
@@ -1,10 +1,10 @@ # Change Log - -## [v4.33.0](https://github.com/inspec/inspec/tree/v4.33.0) (2021-04-20) + +## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-20) -#### New Features -- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) +#### Merged Pull Requests +- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) @@ -14,6 +14,7 @@ - Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) diff --git a/VERSION b/VERSION index 514b2fa0e..83e185385 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.33.0 \ No newline at end of file +4.33.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index aee82c9c8..ad7e1708e 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.33.0".freeze + VERSION = "4.33.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 0435ee90b..02d87dbe5 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.33.0".freeze + VERSION = "4.33.1".freeze end From cbe7e8c03f33c4d7983cdf7803a8c274d30767cc Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Fri, 9 Apr 2021 14:35:06 +0530 Subject: [PATCH 034/483] Add selinux resource with basic features support Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 40 ++++++++++++++ lib/inspec/resources.rb | 1 + lib/inspec/resources/selinux.rb | 55 +++++++++++++++++++ test/fixtures/cmd/sestatus | 9 +++ test/helpers/mock_loader.rb | 1 + test/unit/resources/selinux_test.rb | 25 +++++++++ 6 files changed, 131 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/selinux.md create mode 100644 lib/inspec/resources/selinux.rb create mode 100644 test/fixtures/cmd/sestatus create mode 100644 test/unit/resources/selinux_test.rb diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md new file mode 100644 index 000000000..ab12e560c --- /dev/null +++ b/docs-chef-io/content/inspec/resources/selinux.md @@ -0,0 +1,40 @@ ++++ +title = "selinux resource" +draft = false +gh_repo = "inspec" +platform = "linux" + +[menu] + [menu.inspec] + title = "selinux" + identifier = "inspec/resources/os/selinux.md selinux resource" + parent = "inspec/resources/os" ++++ + +Use the `selinux` Chef InSpec audit resource to test the state/mode of SELinux policy. + +SELinux resource extracts and exposes data reported by the command 'sestatus' + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +### Version + +## Syntax + +An `selinux` Chef InSpec audit resource block extracts configuration settings that should be tested: + + describe selinux do + it { should be_installed } + it { should be_enabled } + it { should be_enforcing } + it { should be_permissive } + end + +## Properties + +## Property Examples + diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index ff89a2cb6..6f153e94d 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb 
@@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config" require "inspec/resources/registry_key" require "inspec/resources/security_identifier" require "inspec/resources/security_policy" +require "inspec/resources/selinux" require "inspec/resources/service" require "inspec/resources/shadow" require "inspec/resources/ssh_config" diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb new file mode 100644 index 000000000..12dc87a8f --- /dev/null +++ b/lib/inspec/resources/selinux.rb @@ -0,0 +1,55 @@ +require "inspec/resources/command" + +module Inspec::Resources + class Selinux < Inspec.resource(1) + name "selinux" + + supports platform: "unix" + + desc "Use selinux Inspec resource to test state/mode of the selinux policy." + + example <<~EXAMPLE + describe selinux do + it { should be_installed } + it { should be_disabled } + it { should be_permissive } + it { should be_enforcing } + end + EXAMPLE + + def initialize(selinux_path = "/etc/selinux/config") + @path = selinux_path + cmd = inspec.command("sestatus") + if cmd.exit_status != 0 + return skip_resource "#{cmd.stdout}" + end + result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/,"").downcase + @data = Hash[result.scan /([^:]+):([^,]+)[,$]/] + + return if inspec.os.linux? + + @data = [] + skip_resource "The 'selinux' resource is not supported non linux OS." + end + + def installed? + inspec.file(@path).exist? + end + + def disabled? + @data["selinuxstatus"] == 'disabled' unless @data.empty? + end + + def enforcing? + @data["currentmode"] == 'enforcing' unless @data.empty? + end + + def permissive? + @data["currentmode"] == 'permissive' unless @data.empty? + end + + def to_s + "SELinux" + end + end +end \ No newline at end of file diff --git a/test/fixtures/cmd/sestatus b/test/fixtures/cmd/sestatus new file mode 100644 index 000000000..36b375463 --- /dev/null +++ b/test/fixtures/cmd/sestatus 
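Review bot: In lib/inspec/resources/selinux.rb `@data` is assigned only after the `sestatus` exit-status check, so on the early `return skip_resource` it stays nil and `disabled?`, `enforcing?` and `permissive?` raise NoMethodError on `@data.empty?` if they are still called. The parse also drops the final `key: value` pair when the output has no trailing newline (as in the sestatus fixture added by this commit), because `$` inside `[,$]` is a literal dollar sign and not an end anchor. Checking the OS before running the command, initialising `@data = {}` first and parsing line by line avoids both; see below. Separately, `enforcing?` reads only `Current mode`, so a doc comment should say that it reflects the runtime mode and not `Mode from config file`.

```ruby
def initialize(selinux_path = "/etc/selinux/config")
  @path = selinux_path
  @data = {} # predicates stay nil-safe on every early return
  return skip_resource "The 'selinux' resource is not supported non linux OS." unless inspec.os.linux?

  cmd = inspec.command("sestatus")
  return skip_resource "#{cmd.stdout}" if cmd.exit_status != 0

  # One "Key: value" pair per line; no dependence on a trailing newline
  @data = cmd.stdout.lines.each_with_object({}) do |line, parsed|
    key, value = line.downcase.delete(" \r\n").split(":", 2)
    parsed[key] = value unless value.nil? || value.empty?
  end
end
```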
@@ -0,0 +1,9 @@ +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: targeted +Current mode: enforcing +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Max kernel policy version: 31 \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 6fc3424c7..0a2353ca0 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -556,6 +556,7 @@ class MockLoader # filesystem command "2e7e0d4546342cee799748ec7e2b1c87ca00afbe590fa422a7c27371eefa88f0" => cmd.call("get-wmiobject-filesystem"), + 'sestatus' => cmd.call("sestatus") } # ports on linux diff --git a/test/unit/resources/selinux_test.rb b/test/unit/resources/selinux_test.rb new file mode 100644 index 000000000..478058f72 --- /dev/null +++ b/test/unit/resources/selinux_test.rb @@ -0,0 +1,25 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/selinux" + +describe "Inspec::Resources::Selinux" do + it "verify selinux state - enforcing" do + resource = load_resource("selinux") + _(resource.enforcing?).must_equal true + end + + it "verify selinux state - permissive" do + resource = load_resource("selinux") + _(resource.permissive?).must_equal false + end + + it "verify selinux disabled " do + resource = load_resource("selinux") + _(resource.disabled?).must_equal false + end + + it "verify selinux on windows" do + resource = MockLoader.new("windows").load_resource("selinux") + _(resource.enforcing?).must_equal nil + end +end From c963b2ac142ddebc61159dc47cc728d253ae38d7 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Apr 2021 15:41:36 +0530 Subject: [PATCH 035/483] fix linting Signed-off-by: Vasu1105 --- lib/inspec/resources/selinux.rb | 14 ++++++++------ test/helpers/mock_loader.rb | 2 +- 2 files changed, 9 insertions(+), 7 deletions(-) 
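Review bot: test/unit/resources/selinux_test.rb exercises a single fixture in which SELinux is enabled and enforcing, so the answers that matter most for an audit (`disabled?` true, `permissive?` true, and a non-zero exit from `sestatus`) are never checked. The mock registers `"sestatus"` without regard to platform, so the windows case appears to reach the non-Linux branch only after a successful `sestatus` parse. I would add a disabled fixture and a permissive fixture, plus one case where the command fails, and assert with `must_be_nil` rather than `must_equal nil`.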
diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 12dc87a8f..7b7f4d9c9 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -20,11 +20,13 @@ module Inspec::Resources def initialize(selinux_path = "/etc/selinux/config") @path = selinux_path cmd = inspec.command("sestatus") + if cmd.exit_status != 0 return skip_resource "#{cmd.stdout}" end - result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/,"").downcase - @data = Hash[result.scan /([^:]+):([^,]+)[,$]/] + + result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase + @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)] return if inspec.os.linux? @@ -37,19 +39,19 @@ module Inspec::Resources end def disabled? - @data["selinuxstatus"] == 'disabled' unless @data.empty? + @data["selinuxstatus"] == "disabled" unless @data.empty? end def enforcing? - @data["currentmode"] == 'enforcing' unless @data.empty? + @data["currentmode"] == "enforcing" unless @data.empty? end def permissive? - @data["currentmode"] == 'permissive' unless @data.empty? + @data["currentmode"] == "permissive" unless @data.empty? end def to_s "SELinux" end end -end \ No newline at end of file +end diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 0a2353ca0..5d02519bc 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -556,7 +556,7 @@ class MockLoader # filesystem command "2e7e0d4546342cee799748ec7e2b1c87ca00afbe590fa422a7c27371eefa88f0" => cmd.call("get-wmiobject-filesystem"), - 'sestatus' => cmd.call("sestatus") + "sestatus" => cmd.call("sestatus"), } # ports on linux From 074e4151ccfaa1fa15da221a63ca10cfcaef65f0 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Apr 2021 18:10:56 +0530 Subject: [PATCH 036/483] Currently only states are getting handled so updated docs part Signed-off-by: Vasu1105 --- lib/inspec/resources/selinux.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 7b7f4d9c9..c65d5fec1 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -6,7 +6,7 @@ module Inspec::Resources supports platform: "unix" - desc "Use selinux Inspec resource to test state/mode of the selinux policy." + desc "Use selinux Inspec resource to test state of the selinux policy." example <<~EXAMPLE describe selinux do From eb1d9364a0b941b7fb422ba3419046293d64d116 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Apr 2021 18:39:22 +0530 Subject: [PATCH 037/483] Revert "Currently only states are getting handled so updated docs part" This reverts commit 92fb3e4d951989d2fc2096d01b2fbb5dc0469603. --- lib/inspec/resources/selinux.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index c65d5fec1..7b7f4d9c9 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -6,7 +6,7 @@ module Inspec::Resources supports platform: "unix" - desc "Use selinux Inspec resource to test state of the selinux policy." + desc "Use selinux Inspec resource to test state/mode of the selinux policy." example <<~EXAMPLE describe selinux do From bd9d81314dffd1a21ea2425ec561a1f241e8cce1 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Apr 2021 20:26:13 +0530 Subject: [PATCH 038/483] Integrated review comments Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 53 ++++++++++++++++--- lib/inspec/resources/selinux.rb | 5 +- test/unit/resources/selinux_test.rb | 16 +++++- 3 files changed, 63 insertions(+), 11 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index ab12e560c..526e84d1a 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md +++ b/docs-chef-io/content/inspec/resources/selinux.md 
@@ -13,7 +13,7 @@ platform = "linux" Use the `selinux` Chef InSpec audit resource to test the state/mode of SELinux policy. -SELinux resource extracts and exposes data reported by the command 'sestatus' +selinux resource extracts and exposes data reported by the command 'sestatus' ## Availability @@ -25,16 +25,57 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -An `selinux` Chef InSpec audit resource block extracts configuration settings that should be tested: +The `selinux` Chef InSpec resource block tests the state/mode of the SELinux policy. describe selinux do it { should be_installed } - it { should be_enabled } + it { should_not be_disabled } it { should be_enforcing } - it { should be_permissive } + it { should_not be_permissive } end -## Properties +## Examples -## Property Examples +The following examples show how to use this Chef InSpec selinux resource. +### Test if selinux is installed and enabled + +describe selinux do + it { should be_installed } + it { should_not be_disabled } +end + +### Test if selinux is enabled and running in enforcing mode + +describe selinux do + it { should_not be_disabled } + it { should be_enforcing } +end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + +### be_installed + +The `be_installed` matcher tests if the selinux is installed on the system: + + it { should be_installed } + +### be_disabled + +The `be_disabled` matcher tests if the selinux is disabled on the system: + + it { should be_installed } + +### be_enforcing + +The `be_enforcing` matcher tests if the selinux mode is set to enforcing: + + it { should be_installed } + +### be_permissive + +The `be_disabled` matcher tests if the selinux mode is set to permissive: + + it { should be_permissive } diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 7b7f4d9c9..9d5ddaaa8 100644 --- a/lib/inspec/resources/selinux.rb 
+++ b/lib/inspec/resources/selinux.rb @@ -3,8 +3,7 @@ require "inspec/resources/command" module Inspec::Resources class Selinux < Inspec.resource(1) name "selinux" - - supports platform: "unix" + supports platform: "linux" desc "Use selinux Inspec resource to test state/mode of the selinux policy." @@ -22,7 +21,7 @@ module Inspec::Resources cmd = inspec.command("sestatus") if cmd.exit_status != 0 - return skip_resource "#{cmd.stdout}" + return skip_resource "#{cmd.stderr}" end result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase diff --git a/test/unit/resources/selinux_test.rb b/test/unit/resources/selinux_test.rb index 478058f72..7e473eaec 100644 --- a/test/unit/resources/selinux_test.rb +++ b/test/unit/resources/selinux_test.rb @@ -18,8 +18,20 @@ describe "Inspec::Resources::Selinux" do _(resource.disabled?).must_equal false end + it "verify selinux on linux" do + resource = MockLoader.new(:linux).load_resource("selinux") + _(resource.enforcing?).must_equal true + _(resource.permissive?).must_equal false + _(resource.disabled?).must_equal false + end + it "verify selinux on windows" do - resource = MockLoader.new("windows").load_resource("selinux") - _(resource.enforcing?).must_equal nil + resource = MockLoader.new(:windows).load_resource("selinux") + _(resource.enforcing?).must_be_nil + end + + it "verify selinux on freebsd" do + resource = MockLoader.new(:freebsd12).load_resource("selinux") + _(resource.enforcing?).must_be_nil end end From 790fe5612e49950cd85ad6ea6a39878f11187e2f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 12 Apr 2021 13:22:45 +0530 Subject: [PATCH 039/483] Fixed copy paste Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/selinux.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index 526e84d1a..72b2b97ad 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md 
+++ b/docs-chef-io/content/inspec/resources/selinux.md @@ -66,16 +66,16 @@ The `be_installed` matcher tests if the selinux is installed on the system: The `be_disabled` matcher tests if the selinux is disabled on the system: - it { should be_installed } + it { should be_disabled } ### be_enforcing The `be_enforcing` matcher tests if the selinux mode is set to enforcing: - it { should be_installed } + it { should be_enforcing } ### be_permissive -The `be_disabled` matcher tests if the selinux mode is set to permissive: +The `be_permissive` matcher tests if the selinux mode is set to permissive: it { should be_permissive } From 58e30cfa81665c3cdacbdd312286aaf21908e971 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 12 Apr 2021 14:38:13 +0530 Subject: [PATCH 040/483] Review comments fixed Signed-off-by: Vasu1105 --- lib/inspec/resources/selinux.rb | 15 ++++++--------- test/fixtures/files/selinux_conf | 11 +++++++++++ test/helpers/mock_loader.rb | 7 +++++++ test/unit/resources/selinux_test.rb | 11 +++++++++-- 4 files changed, 33 insertions(+), 11 deletions(-) create mode 100644 test/fixtures/files/selinux_conf diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 9d5ddaaa8..ea08a0583 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -21,16 +21,13 @@ module Inspec::Resources cmd = inspec.command("sestatus") if cmd.exit_status != 0 - return skip_resource "#{cmd.stderr}" + # `sestatus` command not found error message comes in stdout so handling both here + out = cmd.stdout + "\n" + cmd.stderr + return skip_resource "Skipping resource: #{out}" end result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)] - - return if inspec.os.linux? - - @data = [] - skip_resource "The 'selinux' resource is not supported non linux OS." end def installed? 
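Review bot: In the `initialize` hunk for `lib/inspec/resources/selinux.rb`, the early `return skip_resource "Skipping resource: #{out}"` runs before `@data` is assigned, so `@data` stays `nil` whenever `sestatus` exits non-zero. The predicates in the next hunk of this commit index into `@data` directly, so they would raise `NoMethodError` if evaluated on a skipped resource; whether the runner still evaluates them after `skip_resource` is not visible here. Assigning `@data = {}` at the top of `initialize`, before the command runs, leaves the object usable on every path. `initialize` starts before this hunk.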
@@ -38,15 +35,15 @@ module Inspec::Resources end def disabled? - @data["selinuxstatus"] == "disabled" unless @data.empty? + @data["selinuxstatus"] == "disabled" end def enforcing? - @data["currentmode"] == "enforcing" unless @data.empty? + @data["currentmode"] == "enforcing" end def permissive? - @data["currentmode"] == "permissive" unless @data.empty? + @data["currentmode"] == "permissive" end def to_s diff --git a/test/fixtures/files/selinux_conf b/test/fixtures/files/selinux_conf new file mode 100644 index 000000000..f404efe92 --- /dev/null +++ b/test/fixtures/files/selinux_conf @@ -0,0 +1,11 @@ +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=enforcing +# SELINUXTYPE= can take one of three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=targeted diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 5d02519bc..b46a288a7 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -171,6 +171,7 @@ class MockLoader "/etc/cron.d/crondotd" => mockfile.call("crondotd"), "/etc/postfix/main.cf" => mockfile.call("main.cf"), "/etc/postfix/other.cf" => mockfile.call("other.cf"), + "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"), } # create all mock commands @@ -559,6 +560,12 @@ class MockLoader "sestatus" => cmd.call("sestatus"), } + if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") + mock_cmds.merge!( + "sestatus" => empty.call + ) + end + # ports on linux # allow the ss and/or netstat commands to exist so the later mock is called if @platform && @platform[:name] == "alpine" 
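Review bot: With the `unless @data.empty?` guards removed, `disabled?` returns `false` whenever no `selinuxstatus` key was parsed, so a control written as `it { should_not be_disabled }` passes on a host where `sestatus` printed nothing. The mock added in this commit (`"sestatus" => empty.call` for windows and freebsd) appears to produce exactly that state, and the updated tests assert `installed?` and `enforcing?` but not `disabled?`. Consider treating a missing status as disabled, e.g. `@data.fetch("selinuxstatus", "disabled") == "disabled"`. Otherwise document the behaviour with a comment such as `# false when sestatus output could not be parsed; pair with be_installed or be_enforcing`, and add a test that pins it.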
diff --git a/test/unit/resources/selinux_test.rb b/test/unit/resources/selinux_test.rb index 7e473eaec..74376b6c1 100644 --- a/test/unit/resources/selinux_test.rb +++ b/test/unit/resources/selinux_test.rb @@ -3,6 +3,11 @@ require "inspec/resource" require "inspec/resources/selinux" describe "Inspec::Resources::Selinux" do + it "verify selinux is installed" do + resource = load_resource("selinux", "/etc/selinux/selinux_conf") + _(resource.installed?).must_equal true + end + it "verify selinux state - enforcing" do resource = load_resource("selinux") _(resource.enforcing?).must_equal true @@ -27,11 +32,13 @@ describe "Inspec::Resources::Selinux" do it "verify selinux on windows" do resource = MockLoader.new(:windows).load_resource("selinux") - _(resource.enforcing?).must_be_nil + _(resource.installed?).must_equal false + _(resource.enforcing?).must_equal false end it "verify selinux on freebsd" do resource = MockLoader.new(:freebsd12).load_resource("selinux") - _(resource.enforcing?).must_be_nil + _(resource.installed?).must_equal false + _(resource.enforcing?).must_equal false end end From 6f066695616ac3d94f12338304adffcfaedff0aa Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 21 Apr 2021 11:38:09 +0530 Subject: [PATCH 041/483] Integrated documentation review comments Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index 72b2b97ad..50ee3b977 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md +++ b/docs-chef-io/content/inspec/resources/selinux.md 
@@ -11,9 +11,9 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `selinux` Chef InSpec audit resource to test the state/mode of SELinux policy. +Use the `selinux` Chef InSpec audit resource to test the state and mode of SELinux policy. -selinux resource extracts and exposes data reported by the command 'sestatus' +The `selinux` resource extracts and exposes data reported by the `sestatus` command. ## Availability @@ -25,7 +25,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -The `selinux` Chef InSpec resource block tests the state/mode of the SELinux policy. +The `selinux` Chef InSpec resource block tests the state and mode of SELinux policy. describe selinux do it { should be_installed } @@ -38,14 +38,14 @@ The `selinux` Chef InSpec resource block tests the state/mode of the SELinux pol The following examples show how to use this Chef InSpec selinux resource. -### Test if selinux is installed and enabled +### Test if SELinux is installed and enabled describe selinux do it { should be_installed } it { should_not be_disabled } end -### Test if selinux is enabled and running in enforcing mode +### Test if SELinux is enabled and running in enforcing mode describe selinux do it { should_not be_disabled } 
@@ -58,24 +58,24 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### be_installed -The `be_installed` matcher tests if the selinux is installed on the system: +The `be_installed` matcher tests if the SELinux is installed on the system: it { should be_installed } ### be_disabled -The `be_disabled` matcher tests if the selinux is disabled on the system: +The `be_disabled` matcher tests if the SELinux is disabled on the system: it { should be_disabled } ### be_enforcing -The `be_enforcing` matcher tests if the selinux mode is set to enforcing: +The `be_enforcing` matcher tests if the SELinux mode is set to enforcing: it { should be_enforcing } ### be_permissive -The `be_permissive` matcher tests if the selinux mode is set to permissive: +The `be_permissive` matcher tests if the SELinux mode is set to permissive: it { should be_permissive } From 85ca124809d21e61aa2c62a988c07c8e6d04fa3c Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 14 Apr 2021 19:04:00 +0530 Subject: [PATCH 042/483] Initial commit for regex pattern option in inputs Signed-off-by: Nikita Mathur --- lib/inspec/input.rb | 53 +++++++++++++++++++++++++++++++----- lib/inspec/input_registry.rb | 1 + 2 files changed, 47 insertions(+), 7 deletions(-) diff --git a/lib/inspec/input.rb b/lib/inspec/input.rb index 0e4bc769d..2d2937401 100644 --- a/lib/inspec/input.rb +++ b/lib/inspec/input.rb @@ -19,12 +19,17 @@ module Inspec attr_accessor :input_name attr_accessor :input_value attr_accessor :input_type + attr_accessor :input_pattern end class TypeError < Error attr_accessor :input_type end + class PatternError < Error + attr_accessor :input_pattern + end + class RequiredError < Error attr_accessor :input_name end 
@@ -45,6 +50,7 @@ module Inspec :file, # File containing the input-changing action, if known :line, # Line in file containing the input-changing action, if known :hit, # if action is :fetch, true if the remote source had the input + :pattern, # Regex Pattern to validate input value ].freeze # Value has a special handler @@ -56,7 +62,6 @@ module Inspec def initialize(properties = {}) @value_has_been_set = false - properties.each do |prop_name, prop_value| if EVENT_PROPERTIES.include? prop_name # OK, save the property @@ -174,7 +179,7 @@ module Inspec # are free to go higher. DEFAULT_PRIORITY_FOR_VALUE_SET = 60 - attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type + attr_reader :description, :events, :identifier, :name, :required, :sensitive, :title, :type, :pattern def initialize(name, options = {}) @name = name @@ -192,7 +197,6 @@ module Inspec # debugging record of when and how the value changed. @events = [] events.push make_creation_event(options) - update(options) end @@ -213,6 +217,7 @@ module Inspec def update(options) _update_set_metadata(options) normalize_type_restriction! + normalize_pattern_restriction! # Values are set by passing events in; but we can also infer an event. if options.key?(:value) || options.key?(:default) @@ -225,8 +230,8 @@ module Inspec end end events << options[:event] if options.key? :event - enforce_type_restriction! + enforce_pattern_restriction! end # We can determine a value: @@ -255,6 +260,7 @@ module Inspec end end event.value = options[:value] if options.key?(:value) + event.pattern = options[:pattern] if options.key?(:pattern) options[:event] = event end @@ -268,6 +274,7 @@ module Inspec @identifier = options[:identifier] if options.key?(:identifier) # TODO: determine if this is ever used @type = options[:type] if options.key?(:type) @sensitive = options[:sensitive] if options.key?(:sensitive) + @pattern = options[:pattern] if options.key?(:pattern) end def make_creation_event(options) 
@@ -276,7 +283,8 @@ module Inspec action: :create, provider: options[:provider], file: loc.path, - line: loc.lineno + line: loc.lineno, + pattern: options[:pattern] ) end @@ -302,7 +310,7 @@ module Inspec def value=(new_value, priority = DEFAULT_PRIORITY_FOR_VALUE_SET) # Inject a new Event with the new value. location = Event.probe_stack - events << Event.new( + event = Event.new( action: :set, provider: :value_setter, priority: priority, @@ -310,7 +318,10 @@ module Inspec file: location.path, line: location.lineno ) + event.pattern = pattern if pattern + events << event enforce_type_restriction! + enforce_pattern_restriction! end def value @@ -324,7 +335,7 @@ module Inspec def to_hash as_hash = { name: name, options: {} } - %i{description title identifier type required value sensitive}.each do |field| + %i{description title identifier type required value sensitive pattern}.each do |field| val = send(field) next if val.nil? @@ -407,6 +418,34 @@ module Inspec @type = type_req end + def enforce_pattern_restriction! + return unless pattern + return unless has_value? + + string_value = current_value(false).to_s + + valid_pattern = string_value.match?(pattern) + unless valid_pattern + error = Inspec::Input::ValidationError.new + error.input_name = @name + error.input_value = string_value + error.input_pattern = pattern + raise error, "Input '#{error.input_name}' with value '#{error.input_value}' does not validate to pattern '#{error.input_pattern}'." + end + end + + def normalize_pattern_restriction! + return unless pattern + + unless valid_regexp?(pattern) + error = Inspec::Input::PatternError.new + error.input_pattern = pattern + raise error, "Pattern '#{error.input_pattern}' is not a valid regex pattern." + end + @pattern = pattern + end + + def valid_numeric?(value) Float(value) true diff --git a/lib/inspec/input_registry.rb b/lib/inspec/input_registry.rb index 1b2ea9667..db4fe9ce1 100644 --- a/lib/inspec/input_registry.rb +++ b/lib/inspec/input_registry.rb 
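Review bot: `enforce_pattern_restriction!` interpolates the rejected value into the exception text (`with value '#{error.input_value}'`) regardless of the input's `sensitive` flag, which this class exposes through its `attr_reader` list. A secret that fails its pattern would then be written wherever the error message ends up, presumably CLI output or reporter results. Masking when the flag is set keeps the diagnostic useful without echoing the value: `error.input_value = sensitive ? "[sensitive]" : string_value`. The hunk's trailing context, `valid_numeric?`, continues outside it.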
@@ -325,6 +325,7 @@ module Inspec type: input_options[:type], required: input_options[:required], sensitive: input_options[:sensitive], + pattern: input_options[:pattern], event: evt ) end From e77d5331c5d52d08d544c256d45c149a27cf86a0 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 16 Apr 2021 01:05:35 +0530 Subject: [PATCH 043/483] Added new pattern option, fix for input options on dsl and functional test cases for input options Signed-off-by: Nikita Mathur --- lib/inspec/input.rb | 15 +++----- lib/inspec/rule.rb | 10 ++++- .../profiles/inputs/dsl/controls/dsl.rb | 38 +++++++++++++++++++ test/fixtures/profiles/inputs/dsl/inspec.yml | 9 +++++ .../metadata-pattern/controls/pattern.rb | 8 ++++ .../inputs/metadata-pattern/inspec.yml | 14 +++++++ test/functional/inputs_test.rb | 38 +++++++++++++++++++ test/unit/inputs/input_test.rb | 3 ++ 8 files changed, 125 insertions(+), 10 deletions(-) create mode 100644 test/fixtures/profiles/inputs/dsl/controls/dsl.rb create mode 100644 test/fixtures/profiles/inputs/dsl/inspec.yml create mode 100644 test/fixtures/profiles/inputs/metadata-pattern/controls/pattern.rb create mode 100644 test/fixtures/profiles/inputs/metadata-pattern/inspec.yml diff --git a/lib/inspec/input.rb b/lib/inspec/input.rb index 2d2937401..baa450a50 100644 --- a/lib/inspec/input.rb +++ b/lib/inspec/input.rb @@ -50,7 +50,6 @@ module Inspec :file, # File containing the input-changing action, if known :line, # Line in file containing the input-changing action, if known :hit, # if action is :fetch, true if the remote source had the input - :pattern, # Regex Pattern to validate input value ].freeze # Value has a special handler @@ -230,6 +229,8 @@ module Inspec end end events << options[:event] if options.key? :event + + enforce_required_validation! enforce_type_restriction! enforce_pattern_restriction! end 
@@ -260,7 +261,6 @@ module Inspec end end event.value = options[:value] if options.key?(:value) - event.pattern = options[:pattern] if options.key?(:pattern) options[:event] = event end @@ -283,8 +283,7 @@ module Inspec action: :create, provider: options[:provider], file: loc.path, - line: loc.lineno, - pattern: options[:pattern] + line: loc.lineno ) end @@ -310,7 +309,7 @@ module Inspec def value=(new_value, priority = DEFAULT_PRIORITY_FOR_VALUE_SET) # Inject a new Event with the new value. location = Event.probe_stack - event = Event.new( + events << Event.new( action: :set, provider: :value_setter, priority: priority, @@ -318,14 +317,13 @@ module Inspec file: location.path, line: location.lineno ) - event.pattern = pattern if pattern - events << event + + enforce_required_validation! enforce_type_restriction! enforce_pattern_restriction! end def value - enforce_required_validation! current_value end @@ -445,7 +443,6 @@ module Inspec @pattern = pattern end - def valid_numeric?(value) Float(value) true diff --git a/lib/inspec/rule.rb b/lib/inspec/rule.rb index 2877d47ae..e0a083e90 100644 --- a/lib/inspec/rule.rb +++ b/lib/inspec/rule.rb @@ -180,7 +180,15 @@ module Inspec options[:priority] ||= 20 options[:provider] = :inline_control_code evt = Inspec::Input.infer_event(options) - Inspec::InputRegistry.find_or_register_input(input_name, __profile_id, event: evt).value + Inspec::InputRegistry.find_or_register_input( + input_name, + __profile_id, + type: options[:type], + required: options[:required], + description: options[:description], + pattern: options[:pattern], + event: evt + ).value end end diff --git a/test/fixtures/profiles/inputs/dsl/controls/dsl.rb b/test/fixtures/profiles/inputs/dsl/controls/dsl.rb new file mode 100644 index 000000000..0fafada7d --- /dev/null +++ b/test/fixtures/profiles/inputs/dsl/controls/dsl.rb 
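Review bot: The new `find_or_register_input` call in `lib/inspec/rule.rb` always passes `type:`, `required:`, `description:` and `pattern:`, so each key is present with a `nil` value when the control author gave no such option. `_update_set_metadata` assigns on `options.key?(:type)` and `options.key?(:pattern)`. If the registry calls `update` on an already-registered input (not visible here), a plain `input("name")` in a control would reset a `pattern` or `type` declared in `inspec.yml` to `nil` and switch that validation off. Forwarding only the keys that were actually supplied avoids this: pass `options.slice(:type, :required, :description, :pattern).merge(event: evt)` as the third argument. The enclosing method starts before this hunk.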
@@ -0,0 +1,38 @@ +# copyright: 2021, Chef Software, Inc. +title "Testing all option flags on input through DSL" + +control "pattern_flag_success_check" do + describe input("input_value_01", value: 5, pattern: "^\d*[13579]$") do + it { should eq 5 } + end +end + +control "pattern_flag_failure_check" do + describe input("input_value_02", value: 2, pattern: "^\d*[13579]$") do + it { should eq 2 } + end +end + +control "required_flag_success_check" do + describe input("input_value_03", value: 5, required: true) do + it { should eq 5 } + end +end + +control "required_flag_failure_check" do + describe input("input_value_04", required: true) do + it { should eq 5 } + end +end + +control "type_flag_success_check" do + describe input("input_value_05", value: 5, type: "Numeric") do + it { should eq 5 } + end +end + +control "type_flag_failure_check" do + describe input("input_value_06", value: 5, type: "String") do + it { should eq 5 } + end +end \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/dsl/inspec.yml b/test/fixtures/profiles/inputs/dsl/inspec.yml new file mode 100644 index 000000000..c58daa3cb --- /dev/null +++ b/test/fixtures/profiles/inputs/dsl/inspec.yml @@ -0,0 +1,9 @@ +name: dsl +title: InSpec Profile to test all option flags on input through dsl +maintainer: Chef Software, Inc. +copyright: Chef Software, Inc. +license: Apache-2.0 +summary: A profile that tests all option flags on input through dsl +version: 0.1.0 +supports: + platform: os \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/metadata-pattern/controls/pattern.rb b/test/fixtures/profiles/inputs/metadata-pattern/controls/pattern.rb new file mode 100644 index 000000000..e7e544eaf --- /dev/null +++ b/test/fixtures/profiles/inputs/metadata-pattern/controls/pattern.rb 
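Review bot: In `controls/dsl.rb` the patterns are written as double-quoted Ruby strings, `pattern: "^\d*[13579]$"`, where `\d` is not a string escape and collapses to a plain `d`, so the regex actually compiled is `^d*[13579]$`. The two pattern controls still behave as expected with the values 5 and 2, which hides the mistake; a multi-digit odd value such as 15 would be rejected. Use a single-quoted string. Since this fixture also serves as an example of input validation, anchor with `\A` and `\z`, because `^` and `$` match at every line of a multi-line value: `pattern: '\A\d*[13579]\z'`.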
@@ -0,0 +1,8 @@ +# copyright: 2021, Chef Software, Inc. +title "Testing :pattern flag" + +control "pattern_flag_checking_odd_num" do + describe input("input_value_01") do + it { should eq 5 } + end +end \ No newline at end of file diff --git a/test/fixtures/profiles/inputs/metadata-pattern/inspec.yml b/test/fixtures/profiles/inputs/metadata-pattern/inspec.yml new file mode 100644 index 000000000..b2c60f295 --- /dev/null +++ b/test/fixtures/profiles/inputs/metadata-pattern/inspec.yml @@ -0,0 +1,14 @@ +name: metadata-pattern +title: InSpec Profile to test :pattern flag on inputs using metadata +maintainer: Chef Software, Inc. +copyright: Chef Software, Inc. +license: Apache-2.0 +summary: A profile that tests the :pattern flag on inputs +version: 0.1.0 +supports: + platform: os +inputs: + - name: input_value_01 + value: 5 + pattern: ^\d*[13579]$ + required: true \ No newline at end of file diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index 499651081..3130fb897 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb 
@@ -462,4 +462,42 @@ describe "inputs" do assert_json_controls_passing(result) end end + + describe "when a profile is used with input options" do + it "should be a success for valid values when pattern flag is passed through metadata file" do + result = run_inspec_process("exec #{inputs_profiles_path}/metadata-pattern", json: true) + _(result.stderr).must_be_empty + assert_json_controls_passing(result) + end + + it "should be a success for valid values when required, type and pattern flag is passed through dsl" do + result = run_inspec_process("exec #{inputs_profiles_path}/dsl --controls pattern_flag_success_check required_flag_success_check type_flag_success_check", json: true) + _(result.stderr).must_be_empty + assert_json_controls_passing(result) + end + + it "should be a failure for invalid value when required flag is passed through dsl" do + result = run_inspec_process("exec #{inputs_profiles_path}/dsl --controls required_flag_failure_check", json: true) + _(result.stderr).must_be_empty + output = JSON.parse(result[0]) + assert_equal "failed", output["profiles"][0]["controls"][0]["results"][0]["status"] + assert_exit_code(100, result) + end + + it "should be a failure for invalid value when type flag is passed through dsl" do + result = run_inspec_process("exec #{inputs_profiles_path}/dsl --controls type_flag_failure_check", json: true) + _(result.stderr).must_be_empty + output = JSON.parse(result[0]) + assert_equal "failed", output["profiles"][0]["controls"][0]["results"][0]["status"] + assert_exit_code(100, result) + end + + it "should be a failure for invalid value when pattern flag is passed through dsl" do + result = run_inspec_process("exec #{inputs_profiles_path}/dsl --controls pattern_flag_failure_check", json: true) + _(result.stderr).must_be_empty + output = JSON.parse(result[0]) + assert_equal "failed", output["profiles"][0]["controls"][0]["results"][0]["status"] + assert_exit_code(100, result) + end + end end 
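Review bot: The DSL failure cases in this hunk assert only that the first result has status `failed` and that the exit code is 100, so they would pass for any exception raised inside the control, not specifically for the validation under test. Pinning the reason makes them meaningful: in the pattern case, after `output = JSON.parse(result[0])`, add `_(output["profiles"][0]["controls"][0]["results"][0]["message"]).must_include "does not validate to pattern"`. Do the equivalent for the type case. The `message` field name should be checked against the JSON reporter output.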
diff --git a/test/unit/inputs/input_test.rb b/test/unit/inputs/input_test.rb index abc855fb0..b4e350415 100644 --- a/test/unit/inputs/input_test.rb +++ b/test/unit/inputs/input_test.rb @@ -15,6 +15,7 @@ describe Inspec::Input do required: true, title: "how is this different than description", type: "Numeric", + pattern: "^[0-9][0-9]$", }.each do |field, value| it "should be able to recall the #{field} field" do opts[field] = value @@ -32,6 +33,7 @@ describe Inspec::Input do title: "Best input ever", description: "important", type: "Numeric", + pattern: "^[0-9][0-9]$", required: true) _(input.to_hash).must_equal({ @@ -41,6 +43,7 @@ describe Inspec::Input do title: "Best input ever", description: "important", type: "Numeric", + pattern: "^[0-9][0-9]$", required: true, }, }) From 7fc144c4bf3bed46caacc4d3f84c73fe164c8a87 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 16 Apr 2021 13:36:31 +0530 Subject: [PATCH 044/483] Doc changes for pattern flag in inputs Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/inputs.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs-chef-io/content/inspec/inputs.md b/docs-chef-io/content/inspec/inputs.md index 138e33fa3..6e992cea1 100644 --- a/docs-chef-io/content/inspec/inputs.md +++ b/docs-chef-io/content/inspec/inputs.md @@ -416,6 +416,13 @@ input values that are used as test results. Allowed in: Metadata +### Pattern + +Optional, `Regexp`. It should have a value of a regular expression. This feature helps +in validating input value by matching it with the provided regular expression. + +Allowed in: DSL, Metadata + ## Advanced Topics ### Debugging Inputs with the Event Log From ea6760c2c0315cd1f8ab041f4f645bd60e89295b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 16 Apr 2021 15:20:39 +0530 Subject: [PATCH 045/483] Undid changes of required validation to fix build errors 
Signed-off-by: Nikita Mathur --- lib/inspec/input.rb | 3 +-- test/functional/inputs_test.rb | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/lib/inspec/input.rb b/lib/inspec/input.rb index baa450a50..06668e039 100644 --- a/lib/inspec/input.rb +++ b/lib/inspec/input.rb @@ -230,7 +230,6 @@ module Inspec end events << options[:event] if options.key? :event - enforce_required_validation! enforce_type_restriction! enforce_pattern_restriction! end @@ -318,12 +317,12 @@ module Inspec line: location.lineno ) - enforce_required_validation! enforce_type_restriction! enforce_pattern_restriction! end def value + enforce_required_validation! current_value end diff --git a/test/functional/inputs_test.rb b/test/functional/inputs_test.rb index 3130fb897..e60ea4da9 100644 --- a/test/functional/inputs_test.rb +++ b/test/functional/inputs_test.rb @@ -478,10 +478,8 @@ describe "inputs" do it "should be a failure for invalid value when required flag is passed through dsl" do result = run_inspec_process("exec #{inputs_profiles_path}/dsl --controls required_flag_failure_check", json: true) - _(result.stderr).must_be_empty - output = JSON.parse(result[0]) - assert_equal "failed", output["profiles"][0]["controls"][0]["results"][0]["status"] - assert_exit_code(100, result) + _(result.stderr).must_include "Input 'input_value_04' is required and does not have a value.\n" + assert_exit_code 1, result end it "should be a failure for invalid value when type flag is passed through dsl" do From cf8a5eb1c5028d4ea8563f19e2ba130d86b8d397 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 19 Apr 2021 12:56:44 +0530 Subject: [PATCH 046/483] Fix to build issue in inputs unit test Signed-off-by: Nikita Mathur --- lib/inspec/objects/input.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/objects/input.rb b/lib/inspec/objects/input.rb index f17641925..f8fb3f5d9 100644 --- a/lib/inspec/objects/input.rb +++ b/lib/inspec/objects/input.rb 
@@ -20,7 +20,7 @@ module Inspec def to_hash as_hash = { name: name, options: {} } - %i{description title identifier type required value}.each do |field| + %i{description title identifier type required value pattern}.each do |field| val = send(field) next if val.nil? From ed312b07d339853079e0a10976e21b1035f2e420 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 21 Apr 2021 12:33:28 +0530 Subject: [PATCH 047/483] Docs review changes in inputs doc for pattern Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/inputs.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/inputs.md b/docs-chef-io/content/inspec/inputs.md index 6e992cea1..b4aa7476c 100644 --- a/docs-chef-io/content/inspec/inputs.md +++ b/docs-chef-io/content/inspec/inputs.md @@ -418,8 +418,7 @@ Allowed in: Metadata ### Pattern -Optional, `Regexp`. It should have a value of a regular expression. This feature helps -in validating input value by matching it with the provided regular expression. +Optional, `Regexp`. This feature validates the input by matching it with the provided regular expression. Allowed in: DSL, Metadata From 8773dfaeddec3e507b1200def6a465a5f3c674f3 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 21 Apr 2021 20:23:06 +0000 Subject: [PATCH 048/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 27 ++++++++++++--------------- Dockerfile | 2 +- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb427adb1..3b89d66f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,29 +1,26 @@ # Change Log - -## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-20) - -#### Merged Pull Requests -- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.32.0 release - -#### New Features -- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) - -#### Merged Pull Requests -- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) + +## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-21) + +#### New Features +- Optionally include controls source code in CLI reporter [#5465](https://github.com/inspec/inspec/pull/5465) ([clintoncwolfe](https://github.com/clintoncwolfe)) + +#### Merged Pull Requests +- Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) +- Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14) #### New Features - Added ability to pass inputs to InSpec shell using input file and cli [#5452](https://github.com/inspec/inspec/pull/5452) ([Nik08](https://github.com/Nik08)) - ## [v4.31.1](https://github.com/inspec/inspec/tree/v4.31.1) (2021-04-08) diff --git a/Dockerfile b/Dockerfile index 7adce1823..2c0469242 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.32.0 +ARG VERSION=4.33.1 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From ad41645526d56302f9543fabfe042287af0d0747 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 21 Apr 2021 23:32:23 +0000 Subject: [PATCH 049/483] Bump version to 4.34.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b89d66f6..875fe0165 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.34.0](https://github.com/inspec/inspec/tree/v4.34.0) (2021-04-21) + +#### New Features +- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) - + +### Changes since 4.33.1 release + +#### New Features +- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 83e185385..47a16f575 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.33.1 \ No newline at end of file +4.34.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index ad7e1708e..1f9de9a58 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.33.1".freeze + VERSION = "4.34.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 02d87dbe5..34d4048b8 100644 --- a/lib/inspec/version.rb 
+++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.33.1".freeze + VERSION = "4.34.0".freeze end From 2308bad51b0ac14e0e45942348e2a8a72b20c849 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 21 Apr 2021 23:35:41 +0000 Subject: [PATCH 050/483] Bump version to 4.35.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 875fe0165..0a82cbe26 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.34.0](https://github.com/inspec/inspec/tree/v4.34.0) (2021-04-21) + +## [v4.35.0](https://github.com/inspec/inspec/tree/v4.35.0) (2021-04-21) #### New Features -- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) +- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) ### Changes since 4.33.1 release #### New Features +- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) - Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 47a16f575..12ab49b5e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.34.0 \ No newline at end of file +4.35.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 1f9de9a58..1600001a9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.34.0".freeze + VERSION = "4.35.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 34d4048b8..e3f0d3914 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.34.0".freeze + VERSION = "4.35.0".freeze end From 295d0746290e9c1b94f8dc2ae1597e3ef6fe9d1b Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 21 Apr 2021 23:45:52 +0000 Subject: [PATCH 051/483] Bump version to 4.35.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a82cbe26..55679490e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,15 +1,18 @@ # Change Log - -## [v4.35.0](https://github.com/inspec/inspec/tree/v4.35.0) (2021-04-21) + +## [v4.35.1](https://github.com/inspec/inspec/tree/v4.35.1) (2021-04-21) -#### New Features -- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) +#### Merged Pull Requests +- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) ### Changes since 4.33.1 release +#### Merged Pull Requests +- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) + #### New Features - New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) - Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 12ab49b5e..b890e9364 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.35.0 \ No newline at end of file +4.35.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 1600001a9..0731eebf6 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.35.0".freeze + VERSION = "4.35.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index e3f0d3914..d10592652 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.35.0".freeze + VERSION = "4.35.1".freeze end 
From fe0020ce50e74b5b3c6f3e69fff76125955b2254 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 15 Apr 2021 19:58:12 +0530 Subject: [PATCH 052/483] Add selinux resource support for modules and booleans Signed-off-by: Vasu1105 --- lib/inspec/resources/selinux.rb | 74 +++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index ea08a0583..36d84bcdb 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -1,6 +1,49 @@ require "inspec/resources/command" +require "inspec/utils/filter" module Inspec::Resources + class SelinuxModuleFilter + # use filtertable for SELinux Modules + filter = FilterTable.create + filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? } + filter.register_column(:names, field: :name) + filter.register_column(:status, field: :status) + filter.register_column(:states, field: :state) + filter.register_column(:priorities , field: :priority) + filter.register_custom_matcher(:enabled?) { |x| x.states[0] == "enabled" } + filter.register_custom_matcher(:installed?) { |x| x.status[0] == "installed" } + filter.install_filter_methods_on_resource(self, :modules) + + attr_reader :modules + def initialize(modules) + @modules = modules + end + + def to_s + "SElinux modules" + end + end + + class SelinuxBooleanFilter + # use filtertable for SELinux Booleans + filter = FilterTable.create + filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? } + filter.register_column(:names, field: :name) + filter.register_column(:states, field: :state) + filter.register_column(:defaults, field: :default) + filter.register_custom_matcher(:on?) { |x| x.states[0] == "on" } + filter.install_filter_methods_on_resource(self, :booleans) + + attr_reader :booleans + def initialize(booleans) + @booleans = booleans + end + + def to_s + "SElinux booleans" + end + end + class Selinux < Inspec.resource(1) name "selinux" supports platform: "linux" 
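Review bot: The `enabled?`, `installed?` and `on?` matchers in the new filter classes look only at the first row (`x.states[0]`, `x.status[0]`), so a table with one enabled module followed by disabled ones still satisfies `be_enabled`. For a compliance check that is a false pass whenever the `where` clause matches more than one entry. Require every row to match, for example `filter.register_custom_matcher(:enabled?) { |x| !x.states.empty? && x.states.all? { |s| s == "enabled" } }`, and give `installed?` and `on?` the same shape. On style, `:priorities , field:` has a stray space before the comma, and `to_s` spells the name "SElinux" while the resource below uses "SELinux".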
@@ -46,8 +89,39 @@ module Inspec::Resources @data["currentmode"] == "permissive" end + def modules + SelinuxModuleFilter.new(parse_modules) + end + + def booleans + SelinuxBooleanFilter.new(parse_booleans) + end + def to_s "SELinux" end + + private + + def parse_modules + raw_modules = inspec.command("semodule -lfull").stdout + r_modules = [] + raw_modules.each_line do |entry| + data = entry.split.map(&:strip) + state = data.length == 4 ? data[3] : "enabled" + r_modules.push({ name: data[1], status: "installed", state: state, priority: data[0] }) + end + r_modules + end + + def parse_booleans + raw_booleans = inspec.command("semanage boolean -l -n").stdout + r_booleans = [] + raw_booleans.each_line do |entry| + data = entry.scan(/([^(,)]+)/).flatten.map(&:strip) + r_booleans.push({ name: data[0], state: data[1], default: data[2] }) + end + r_booleans + end end end From 76dca7f97c854b72c6e97d82579d72d030bacd9b Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 16 Apr 2021 20:07:06 +0530 Subject: [PATCH 053/483] Adds policy property, unit test and documentation for modules and booleans Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 85 ++++++++++++++++++- lib/inspec/resources/selinux.rb | 29 ++++++- test/fixtures/cmd/semanage-boolean | 3 + test/fixtures/cmd/semodule-lfull | 3 + test/helpers/mock_loader.rb | 6 +- test/unit/resources/selinux_test.rb | 32 ++++++- 6 files changed, 149 insertions(+), 9 deletions(-) create mode 100644 test/fixtures/cmd/semanage-boolean create mode 100644 test/fixtures/cmd/semodule-lfull diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index 50ee3b977..50f9f34c7 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md +++ b/docs-chef-io/content/inspec/resources/selinux.md 
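Review bot: `parse_modules` treats every line that does not have exactly four fields as an enabled module (`data.length == 4 ? data[3] : "enabled"`), so a blank line or a warning on stdout becomes an installed, enabled entry with a nil or bogus name. Both parsers also read only `.stdout` and never check the command's exit status, so if `semodule` or `semanage` is missing or cannot be run by the scanning user the resource yields an empty table, and a `should_not exist` style control passes without having inspected anything. Skip malformed rows with `next if data.length < 3`, and check `exit_status` on the command result before parsing so that an unreadable policy store is reported rather than looking empty. `modules` and `booleans` also rerun the command on every call; memoizing the parsed result, for example `@modules ||= ...`, would avoid that.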
@@ -11,9 +11,9 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `selinux` Chef InSpec audit resource to test the state and mode of SELinux policy. +Use the `selinux` Chef Inspec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans. -The `selinux` resource extracts and exposes data reported by the `sestatus` command. +The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`and `semanage boolean -l -n` command. ## Availability @@ -34,6 +34,41 @@ The `selinux` Chef InSpec resource block tests the state and mode of SELinux pol it { should_not be_permissive } end +The `selinux` resource block also declares allows you to write test for many modules: + + describe selinux.modules.where("zebra") do + it { should exist } + it { should be_installed } + it { should be_enabled } + end + +or: + describe selinux.modules.where(status: "installed") do + it { should exist } + its('count') { should cmp 404 } + end + +where + +- `.where()` may specify a specific item and value, to which the resource parameters are compared +- `name`, `status`, `state`, `priority` are valid parameters for `modules` + +The `selinux` resource block also declares allows you to write test for many booleans: + + describe selinux.booleans.where(name: "httpd_enable_homedirs") do + it { should_not be_on } + end + +or: + + describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do + it { should exist } + its('defaults') { should cmp "on" } + end + +- `.where()` may specify a specific item and value, to which the resource parameters are compared +- `name`, `state`, `default` are valid parameters for `booleans` + ## Examples The following examples show how to use this Chef InSpec selinux resource. 
@@ -52,13 +87,18 @@ describe selinux do it { should be_enforcing } end +### Test if selinux policy type +describe selinux do + its('policy') { should eq "targeted"} +end + ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). ### be_installed -The `be_installed` matcher tests if the SELinux is installed on the system: +The `be_installed` matcher tests if the SElinux policy or SElinux modules is installed on the system: it { should be_installed } 
@@ -79,3 +119,42 @@ The `be_enforcing` matcher tests if the SELinux mode is set to enforcing: The `be_permissive` matcher tests if the SELinux mode is set to permissive: it { should be_permissive } + +### be_on +The `be_on` matcher tests if the selinux boolean is on. + +### be_enabled +The `be_enabled` matcher tests if the selinux module is enabled + +## Resource Parameters + +- `names`, `status`, `states`, `priorities`, are valid parameters for `modules` + +- `names`, `status`, `states`, `defaults`, are valid parameters for `booleans` + +## Resource Parameter Examples + +### modules + +`modules` returns the information about modules as returned by [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html). + +Note: semodule -l command does not provide version information in newer versions of linux based systems like RHEL8 and Centos8 so we are not supporting that option [REF](https://access.redhat.com/solutions/2760071). + +describe selinux.modules do + its("names") { should include "zebra" } + its("status") { should include "installed" } + its("states") { should include "enabled" } + its("priorities") { should include "100" } +end + +### booleans + +`booleans` returns the information about boolean as returned by [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) + +describe selinux.booleans do + its("names") { should include "httpd_enable_homedirs" } + its("states") { should include "on" } + its("states") { should include "off" } + its("defaults") { should include "on" } + its("defaults") { should include "off" } +end diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 36d84bcdb..876039a66 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb 
@@ -48,7 +48,7 @@ module Inspec::Resources name "selinux" supports platform: "linux" - desc "Use selinux Inspec resource to test state/mode of the selinux policy." + desc "Use selinux Chef Inspec resource to test the configuration data of the selinux policy, selinux modules and selinux booleans." example <<~EXAMPLE describe selinux do @@ -57,6 +57,29 @@ module Inspec::Resources it { should be_permissive } it { should be_enforcing } end + + describe selinux do + its('policy') { should eq "targeted"} + end + + describe selinux.modules.where("zebra") do + it { should exist } + it { should be_installed } + it { should be_enabled } + end + + describe selinux.modules.where(status: "installed") do + it { should exist } + its('count') { should cmp 404 } + end + + describe selinux.booleans.where(name: "xend_run_blktap") do + it { should be_on } + end + + describe selinux.booleans.where { name == "xend_run_blktap" && state == "on" } do + it { should exist } + end EXAMPLE def initialize(selinux_path = "/etc/selinux/config") @@ -89,6 +112,10 @@ module Inspec::Resources @data["currentmode"] == "permissive" end + def policy + @data["loadedpolicyname"] + end + def modules SelinuxModuleFilter.new(parse_modules) end diff --git a/test/fixtures/cmd/semanage-boolean b/test/fixtures/cmd/semanage-boolean new file mode 100644 index 000000000..74dda0792 --- /dev/null +++ b/test/fixtures/cmd/semanage-boolean @@ -0,0 +1,3 @@ +xen_use_nfs (off , off) Allow xen to use nfs +xend_run_blktap (on , on) Allow xend to run blktap +zebra_write_config (off , off) Allow zebra to write config \ No newline at end of file diff --git a/test/fixtures/cmd/semodule-lfull b/test/fixtures/cmd/semodule-lfull new file mode 100644 index 000000000..743ab07cf --- /dev/null +++ b/test/fixtures/cmd/semodule-lfull @@ -0,0 +1,3 @@ +100 foo pp +100 bar pp disabled +100 baz pp \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index b46a288a7..df4386489 100644 
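Review bot: The new example `describe selinux.modules.where("zebra")` in the `@@ -57,6 +57,29 @@` hunk passes a bare string to `where`, while every other example in this commit filters with a hash or a block. As far as I can tell FilterTable only treats a Hash or a block as a criterion, so this call probably returns the unfiltered table; please confirm. If so, the `be_installed` and `be_enabled` checks would describe whichever module is listed first rather than `zebra`. Use `describe selinux.modules.where(name: "zebra") do` here and in the matching snippet in selinux.md.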
--- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -558,11 +558,15 @@ class MockLoader # filesystem command "2e7e0d4546342cee799748ec7e2b1c87ca00afbe590fa422a7c27371eefa88f0" => cmd.call("get-wmiobject-filesystem"), "sestatus" => cmd.call("sestatus"), + "semodule -lfull" => cmd.call("semodule-lfull"), + "semanage boolean -l -n" => cmd.call("semanage-boolean"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") mock_cmds.merge!( - "sestatus" => empty.call + "sestatus" => empty.call, + "semodule -lfull" => empty.call, + "semanage boolean -l -n" => empty.call, ) end diff --git a/test/unit/resources/selinux_test.rb b/test/unit/resources/selinux_test.rb index 74376b6c1..8225da6f4 100644 --- a/test/unit/resources/selinux_test.rb +++ b/test/unit/resources/selinux_test.rb @@ -3,26 +3,29 @@ require "inspec/resource" require "inspec/resources/selinux" describe "Inspec::Resources::Selinux" do + let(:resource) { load_resource("selinux") } + it "verify selinux is installed" do resource = load_resource("selinux", "/etc/selinux/selinux_conf") _(resource.installed?).must_equal true end it "verify selinux state - enforcing" do - resource = load_resource("selinux") _(resource.enforcing?).must_equal true end it "verify selinux state - permissive" do - resource = load_resource("selinux") _(resource.permissive?).must_equal false end - it "verify selinux disabled " do - resource = load_resource("selinux") + it "verify selinux disabled" do _(resource.disabled?).must_equal false end + it "verify selinux policy type is targeted" do + _(resource.policy).must_equal "targeted" + end + it "verify selinux on linux" do resource = MockLoader.new(:linux).load_resource("selinux") _(resource.enforcing?).must_equal true 
@@ -41,4 +44,25 @@ describe "Inspec::Resources::Selinux" do _(resource.installed?).must_equal false _(resource.enforcing?).must_equal false end + + it "verify selinux.modules is exist" do + _(resource.modules.exist?).must_equal true + end + + it "verify selinux.modules parsing" do + _(resource.modules.names).must_equal %w{foo bar baz} + _(resource.modules.states).must_equal %w{enabled disabled enabled} + _(resource.modules.status).must_equal %w{installed installed installed} + _(resource.modules.priorities).must_equal %w{100 100 100} + end + + it "verify selinux.booleans is exist" do + _(resource.booleans.exist?).must_equal true + end + + it "verify selinux.booleans parsing" do + _(resource.booleans.names).must_equal %w{xen_use_nfs xend_run_blktap zebra_write_config} + _(resource.booleans.states).must_equal %w{off on off} + _(resource.booleans.defaults).must_equal %w{off on off} + end end From 622a4ed47c627cfc811567185ebb5cbef35d4127 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 22 Apr 2021 12:15:06 +0530 Subject: [PATCH 054/483] Few minor doc changes in the selinux readme Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index 50f9f34c7..04714e637 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md +++ b/docs-chef-io/content/inspec/resources/selinux.md @@ -23,6 +23,8 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ### Version +This resource first became available in v4.35.1 of InSpec. + ## Syntax The `selinux` Chef InSpec resource block tests the state and mode of SELinux policy. 
@@ -121,24 +123,30 @@ The `be_permissive` matcher tests if the SELinux mode is set to permissive: it { should be_permissive } ### be_on -The `be_on` matcher tests if the selinux boolean is on. + +The `be_on` matcher tests if the SELinux boolean is on: + + it { should be_on } ### be_enabled -The `be_enabled` matcher tests if the selinux module is enabled + +The `be_enabled` matcher tests if the SElinux module is enabled: + + it { should be_enabled } ## Resource Parameters -- `names`, `status`, `states`, `priorities`, are valid parameters for `modules` +- `names`, `status`, `states`, `priorities`, are valid parameters for SELinux `modules` -- `names`, `status`, `states`, `defaults`, are valid parameters for `booleans` +- `names`, `status`, `states`, `defaults`, are valid parameters for SELinux `booleans` ## Resource Parameter Examples ### modules -`modules` returns the information about modules as returned by [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html). +`modules` returns the information about SELinux modules as returned by [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html). -Note: semodule -l command does not provide version information in newer versions of linux based systems like RHEL8 and Centos8 so we are not supporting that option [REF](https://access.redhat.com/solutions/2760071). +Note: The `semodule -l` command does not provide `version` information in newer versions of Linux based systems like RHEL8 and Centos8 so we are not supporting that option [REF](https://access.redhat.com/solutions/2760071). describe selinux.modules do its("names") { should include "zebra" } 
@@ -149,7 +157,7 @@ end ### booleans -`booleans` returns the information about boolean as returned by [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) +`booleans` returns the information about SELinux booleans as returned by [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) describe selinux.booleans do its("names") { should include "httpd_enable_homedirs" } From a09fb159d37ba2b76823227769b025d408aba546 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 22 Apr 2021 12:52:50 +0530 Subject: [PATCH 055/483] Fix lintstyle Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index df4386489..45b96817b 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -566,7 +566,7 @@ class MockLoader mock_cmds.merge!( "sestatus" => empty.call, "semodule -lfull" => empty.call, - "semanage boolean -l -n" => empty.call, + "semanage boolean -l -n" => empty.call ) end From b70f3166d4cacc7f557d1dfdbc923c10e8187a14 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 23 Apr 2021 13:47:55 +0530 Subject: [PATCH 056/483] New property members_array added for group and groups resources and updated documentation Signed-off-by: Nikita Mathur --- .../content/inspec/resources/group.md | 14 +++++++++++++ .../content/inspec/resources/groups.md | 14 +++++++++++++ lib/inspec/resources/groups.rb | 21 ++++++++++++++----- test/unit/resources/group_test.rb | 15 +++++++++++++ test/unit/resources/groups_test.rb | 5 +++++ 5 files changed, 64 insertions(+), 5 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/group.md b/docs-chef-io/content/inspec/resources/group.md index 9885dd057..49c81644d 100644 --- a/docs-chef-io/content/inspec/resources/group.md +++ b/docs-chef-io/content/inspec/resources/group.md 
@@ -62,6 +62,20 @@ The `members` property tests the members that belong to the group: its('members') { should include 'root' } +where `members` returns +- Array of group members for **Windows Platform**. +Example: `["member1", "member2"]` +- CSV formatted string of group members for **Non-Windows Platforms**. +Example: `"member1,member2"` + + +### members_array + +The `members_array` property tests the members that belong to a group just like `members` property. +But the value returned by this property is always an array of group members. + + its('members_array') { should include 'root' } + ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index a05687e62..57aaeee04 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md @@ -74,6 +74,20 @@ The `members` property tests the members that belong to a group: its('members') { should include 'root' } its('members') { should include 'Administrator' } +where `members` returns +- Array of group members for **Windows Platform**. +Example: `["member1", "member2"]` +- Single element array with CSV formatted string of group members for **Non-Windows Platforms**. +Example: `["member1,member2"]` + +### members_array + +The `members_array` property tests the group members just like `members` property. +But the value returned by this property is always an array of group members. + + its('members_array') { should include 'root' } + its('members_array') { should include 'Administrator' } + ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/lib/inspec/resources/groups.rb b/lib/inspec/resources/groups.rb index 64e1b369c..f7bfe726a 100644 --- a/lib/inspec/resources/groups.rb +++ b/lib/inspec/resources/groups.rb 
@@ -49,10 +49,11 @@ module Inspec::Resources filter = FilterTable.create filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? } - filter.register_column(:names, field: "name") - .register_column(:gids, field: "gid") - .register_column(:domains, field: "domain") - .register_column(:members, field: "members", style: :simple) + filter.register_column(:names, field: "name") + .register_column(:gids, field: "gid") + .register_column(:domains, field: "domain") + .register_column(:members, field: "members", style: :simple) + .register_column(:members_array, field: "members_array", style: :simple) filter.install_filter_methods_on_resource(self, :collect_group_details) def to_s @@ -63,7 +64,13 @@ module Inspec::Resources # collects information about every group def collect_group_details - return @groups_cache ||= @group_provider.groups unless @group_provider.nil? + unless @group_provider.nil? + modified_groups_info = @group_provider.groups + unless modified_groups_info.empty? + modified_groups_info.each { |hashmap| hashmap["members_array"] = hashmap["members"].is_a?(Array) ? hashmap["members"] : hashmap["members"]&.split(",") } + end + return @groups_cache ||= modified_groups_info + end [] end @@ -114,6 +121,10 @@ module Inspec::Resources flatten_entry(group_info, "members") end + def members_array + flatten_entry(group_info, "members_array") || [] + end + def local # at this point the implementation only returns local groups true diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb index 16c4dd95f..3cab79fa3 100644 --- a/test/unit/resources/group_test.rb +++ b/test/unit/resources/group_test.rb 
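Review bot: In `collect_group_details` (hunk `@@ -63,7 +64,13 @@`) the provider is now queried before the cache is consulted, so `@group_provider.groups` runs and every row is rewritten on each call. Unless the provider caches internally, `@groups_cache ||=` no longer saves any work. Return the cached value first with `return @groups_cache if @groups_cache`, then build and assign. The `unless modified_groups_info.empty?` guard is redundant because `each` on an empty array does nothing. Rows whose `members` is nil get a nil `members_array` from `&.split(",")`, while the single-group accessor falls back to `[]`; ending the block expression with `|| []` would make the two agree.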
@@ -22,6 +22,12 @@ describe "Inspec::Resources::Group" do _(resource.members).must_equal "www-data,root" end + it "verify group on ubuntu with members_array" do + resource = MockLoader.new(:ubuntu1404).load_resource("group", "www-data") + _(resource.exists?).must_equal true + _(resource.members_array).must_equal %w{www-data root} + end + # ubuntu with non-existent group it "verify group on ubuntu" do resource = MockLoader.new(:ubuntu1404).load_resource("group", "nogroup") @@ -65,6 +71,14 @@ describe "Inspec::Resources::Group" do _(resource.exists?).must_equal true _(resource.gid).must_equal "S-1-5-32-547" _(resource.members).must_equal [] + _(resource.members_array).must_equal [] + end + + it "verify administrator group members_array property on windows" do + resource = MockLoader.new(:windows).load_resource("group", "Administrators") + _(resource.exists?).must_equal true + _(resource.gid).must_equal "S-1-5-32-544" + _(resource.members_array).must_equal ["Administrators", "Domain Admins"] end # windows non-existent group @@ -73,6 +87,7 @@ describe "Inspec::Resources::Group" do _(resource.exists?).must_equal false _(resource.gid).must_be_nil _(resource.members).must_be_nil + _(resource.members_array).must_equal [] end # undefined diff --git a/test/unit/resources/groups_test.rb b/test/unit/resources/groups_test.rb index d8fd3664e..98390e6a8 100644 --- a/test/unit/resources/groups_test.rb +++ b/test/unit/resources/groups_test.rb @@ -35,6 +35,10 @@ describe "groups resource on unix platform" do _(resource.where { name == "www-data" }.members).must_equal ["www-data,root"] end + it "retrieves members_array via name" do + _(resource.where { name == "www-data" }.members_array).must_equal %w{www-data root} + end + it "retrieves entries via members regexp" do _(resource.where { members =~ /root/ }.members).must_equal ["www-data,root"] _(resource.where { members =~ /root/ }.exist?).must_equal true 
@@ -74,6 +78,7 @@ describe "groups resource on windows platform" do it "retrieves members via name" do _(resource.where { name == "Administrators" }.members).must_equal ["Administrators", "Domain Admins"] + _(resource.where { name == "Administrators" }.members_array).must_equal ["Administrators", "Domain Admins"] _(resource.where { name == "Administrators" }.exist?).must_equal true end From 3725aa4598e5ffd68255847573b3dcef7fef3457 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 23 Apr 2021 13:59:36 +0530 Subject: [PATCH 057/483] This function was only returning boolean if profile_config_exist and was returning nil if condition was failed so updated the method to return false Signed-off-by: Vasu1105 --- lib/inspec/control_eval_context.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 58c408fb6..fd38d7d4f 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -194,6 +194,7 @@ module Inspec # Check if the given control exist in the --controls option def control_exist_in_controls_list?(id) + id_exist_in_list = false if profile_config_exist? id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion| # Try to see if the inclusion is a regex, and if it matches From 81d5f7d079511dd82b9698ee709a16c1e8fe87b9 Mon Sep 17 00:00:00 2001 From: Tom Duffield Date: Fri, 23 Apr 2021 16:06:05 -0500 Subject: [PATCH 058/483] Remove pipeline-specific logic from test scripts This logic has been moved into the Omnibus Buildkite Plugin. These scripts can now be used outside of the Buildkite pipelines. Signed-off-by: Tom Duffield --- omnibus/omnibus-test.ps1 | 28 +--------------------------- omnibus/omnibus-test.sh | 31 ------------------------------- 2 files changed, 1 insertion(+), 58 deletions(-) diff --git a/omnibus/omnibus-test.ps1 b/omnibus/omnibus-test.ps1 index c526ae82e..a87c9d4c0 100644 --- a/omnibus/omnibus-test.ps1 
+++ b/omnibus/omnibus-test.ps1 @@ -1,36 +1,10 @@ # Stop script execution when a non-terminating error occurs $ErrorActionPreference = "Stop" -$channel = "$Env:CHANNEL" -If ([string]::IsNullOrEmpty($channel)) { $channel = "unstable" } - -$product = "$Env:PRODUCT" -If ([string]::IsNullOrEmpty($product)) { $product = "inspec" } - -$version = "$Env:VERSION" -If ([string]::IsNullOrEmpty($version)) { $version = "latest" } - -$package_file = "$Env:PACKAGE_FILE" -If ([string]::IsNullOrEmpty($package_file)) { $package_file = "" } - -If ($package_file -eq "") { - Write-Output "--- Installing $channel $product $version" - $package_file = $(.omnibus-buildkite-plugin\install-omnibus-product.ps1 -Product "$product" -Channel "$channel" -Version "$version" | Select-Object -Last 1) -} -Else { - Write-Output "--- Installing $product $version" - $package_file = $(.omnibus-buildkite-plugin\install-omnibus-product.ps1 -Package "$package_file" -Product "$product" -Version "$version" | Select-Object -Last 1) -} - -Write-Output "--- Verifying omnibus package is signed" -C:\opscode\omnibus-toolchain\bin\check-omnibus-package-signed.ps1 "$package_file" - -Write-Output "--- Running verification for $channel $product $version" - # reload Env:PATH to ensure it gets any changes that the install made (e.g. C:\opscode\inspec\bin\ ) $Env:PATH = [System.Environment]::GetEnvironmentVariable("Path", "Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path", "User") -$Env:Path = "C:\opscode\$product\bin;C:\opscode\$product\embedded\bin;$Env:PATH" +$Env:Path = "C:\opscode\inspec\bin;C:\opscode\inspec\embedded\bin;$Env:PATH" Write-Host "+++ Testing $Plan" Set-Location test/artifact diff --git a/omnibus/omnibus-test.sh b/omnibus/omnibus-test.sh index c7941568c..b3799799c 100644 --- a/omnibus/omnibus-test.sh +++ b/omnibus/omnibus-test.sh 
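Review bot: After this change the script hard-codes `C:\opscode\inspec` and no longer installs the package or runs `check-omnibus-package-signed.ps1`, but nothing in the file states that precondition. The commit message says these scripts can now be used outside the Buildkite pipeline, so add a header comment such as `# Expects InSpec to be installed under C:\opscode\inspec and the package signature to have been verified by the caller.` to keep a manual run from being mistaken for a full verification. The same applies to omnibus/omnibus-test.sh, which drops the signature and root-ownership checks.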
@@ -1,37 +1,6 @@ #!/bin/bash set -eo pipefail -channel="${CHANNEL:-unstable}" -product="${PRODUCT:-inspec}" -version="${VERSION:-latest}" -package_file=${PACKAGE_FILE:-""} - -echo "--- Installing $channel $product $version" -if [[ -z $package_file ]]; then - package_file="$(.omnibus-buildkite-plugin/install-omnibus-product.sh -c "$channel" -P "$product" -v "$version" | tail -1)" -else - .omnibus-buildkite-plugin/install-omnibus-product.sh -f "$package_file" -P "$product" -v "$version" &> /dev/null -fi - -echo "--- Verifying omnibus package is signed" -/opt/omnibus-toolchain/bin/check-omnibus-package-signed "$package_file" - -sudo rm -f "$package_file" - -echo "--- Verifying ownership of package files" - -export INSTALL_DIR=/opt/inspec -NONROOT_FILES="$(find "$INSTALL_DIR" ! -user 0 -print)" -if [[ "$NONROOT_FILES" == "" ]]; then - echo "Packages files are owned by root. Continuing verification." -else - echo "Exiting with an error because the following files are not owned by root:" - echo "$NONROOT_FILES" - exit 1 -fi - -echo "--- Running verification for $channel $product $version" - export CHEF_LICENSE="accept-no-persist" project_root="$(pwd)" export project_root From ecf60297b2378f2501eef8bc26f5e6355b58907e Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 26 Apr 2021 12:37:18 +0530 Subject: [PATCH 059/483] Updated docs as per review comments Signed-off-by: Vasu1105 --- .../content/inspec/resources/selinux.md | 71 ++++++++++--------- lib/inspec/resources/selinux.rb | 6 +- 2 files changed, 41 insertions(+), 36 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/selinux.md b/docs-chef-io/content/inspec/resources/selinux.md index 04714e637..5fda1c36f 100644 --- a/docs-chef-io/content/inspec/resources/selinux.md +++ b/docs-chef-io/content/inspec/resources/selinux.md 
@@ -11,9 +11,9 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `selinux` Chef Inspec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans. +Use the `selinux` Chef InSpec audit resource to test the configuration data of the SELinux policy, SELinux modules and SELinux booleans. -The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`and `semanage boolean -l -n` command. +The `selinux` resource extracts and exposes data reported by the `sestatus`, `semodule -lfull`, and `semanage boolean -l -n` command. ## Availability @@ -36,7 +36,7 @@ The `selinux` Chef InSpec resource block tests the state and mode of SELinux pol it { should_not be_permissive } end -The `selinux` resource block also declares allows you to write test for many modules: +The `selinux` resource block also allows you to write tests for multiple modules: describe selinux.modules.where("zebra") do it { should exist } 
@@ -45,31 +45,32 @@ The `selinux` resource block also declares allows you to write test for many mod end or: + describe selinux.modules.where(status: "installed") do it { should exist } its('count') { should cmp 404 } end -where +where: -- `.where()` may specify a specific item and value, to which the resource parameters are compared -- `name`, `status`, `state`, `priority` are valid parameters for `modules` +- `.where()` specifies the parameter and expected value. +- `name`, `status`, `state`, and `priority` are valid parameters. -The `selinux` resource block also declares allows you to write test for many booleans: +The `selinux` resource block also allows you to write tests for multiple booleans: describe selinux.booleans.where(name: "httpd_enable_homedirs") do - it { should_not be_on } + it { should_not be_on } end or: - describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do - it { should exist } - its('defaults') { should cmp "on" } - end + describe selinux.booleans.where(name: "xend_run_blktap", state: "on") do + it { should exist } + its('defaults') { should cmp "on" } + end -- `.where()` may specify a specific item and value, to which the resource parameters are compared -- `name`, `state`, `default` are valid parameters for `booleans` +- `.where()` specifies the parameter and expected value. +- `name`, `state`, and `default` are valid parameters for `booleans`. ## Examples 
@@ -77,22 +78,23 @@ The following examples show how to use this Chef InSpec selinux resource. ### Test if SELinux is installed and enabled -describe selinux do - it { should be_installed } - it { should_not be_disabled } -end + describe selinux do + it { should be_installed } + it { should_not be_disabled } + end ### Test if SELinux is enabled and running in enforcing mode -describe selinux do - it { should_not be_disabled } - it { should be_enforcing } -end + describe selinux do + it { should_not be_disabled } + it { should be_enforcing } + end -### Test if selinux policy type -describe selinux do - its('policy') { should eq "targeted"} -end +### Test the selinux policy type + + describe selinux do + its('policy') { should eq "targeted"} + end ## Matchers @@ -100,7 +102,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### be_installed -The `be_installed` matcher tests if the SElinux policy or SElinux modules is installed on the system: +The `be_installed` matcher tests if the SElinux policy or SElinux modules are installed on the system: it { should be_installed } 
@@ -136,29 +138,31 @@ The `be_enabled` matcher tests if the SElinux module is enabled: ## Resource Parameters -- `names`, `status`, `states`, `priorities`, are valid parameters for SELinux `modules` +- `names`, `status`, `states`, and `priorities` are valid parameters for SELinux policy modules. -- `names`, `status`, `states`, `defaults`, are valid parameters for SELinux `booleans` +- `names`, `status`, `states`, and `defaults` are valid parameters for SELinux `booleans`. ## Resource Parameter Examples ### modules -`modules` returns the information about SELinux modules as returned by [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html). +`modules` returns information about SELinux modules using the [semodule -lfull](https://man7.org/linux/man-pages/man8/semodule.8.html) command. -Note: The `semodule -l` command does not provide `version` information in newer versions of Linux based systems like RHEL8 and Centos8 so we are not supporting that option [REF](https://access.redhat.com/solutions/2760071). +Note: The `semodule -l` command [does not provide version information](https://access.redhat.com/solutions/2760071) for newer versions of Linux-based systems like RHEL8 and Centos8, so we do not support that option. +```ruby describe selinux.modules do its("names") { should include "zebra" } its("status") { should include "installed" } its("states") { should include "enabled" } its("priorities") { should include "100" } end - +``` ### booleans -`booleans` returns the information about SELinux booleans as returned by [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) +`booleans` returns information about SELinux booleans using the [semanage boolean -l -n](https://man7.org/linux/man-pages/man8/semanage-boolean.8.html) command. +```ruby describe selinux.booleans do its("names") { should include "httpd_enable_homedirs" } its("states") { should include "on" } 
@@ -166,3 +170,4 @@ describe selinux.booleans do its("defaults") { should include "on" } its("defaults") { should include "off" } end +``` \ No newline at end of file diff --git a/lib/inspec/resources/selinux.rb b/lib/inspec/resources/selinux.rb index 876039a66..6e7e527f0 100644 --- a/lib/inspec/resources/selinux.rb +++ b/lib/inspec/resources/selinux.rb @@ -20,7 +20,7 @@ module Inspec::Resources end def to_s - "SElinux modules" + "SELinux modules" end end @@ -40,7 +40,7 @@ module Inspec::Resources end def to_s - "SElinux booleans" + "SELinux booleans" end end @@ -48,7 +48,7 @@ module Inspec::Resources name "selinux" supports platform: "linux" - desc "Use selinux Chef Inspec resource to test the configuration data of the selinux policy, selinux modules and selinux booleans." + desc "Use the selinux Chef InSpec resource to test the configuration data of the SELinux policy, SELinux modules, and SELinux booleans." example <<~EXAMPLE describe selinux do From de718163e1fdf2795c797f1503ac08605ce9abb1 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 26 Apr 2021 13:28:21 +0530 Subject: [PATCH 060/483] Doc review changes for group and groups resources Signed-off-by: Nikita Mathur --- .../content/inspec/resources/group.md | 19 ++++++++++++------- .../content/inspec/resources/groups.md | 18 +++++++++++------- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/group.md b/docs-chef-io/content/inspec/resources/group.md index 49c81644d..ccf4d8d4e 100644 --- a/docs-chef-io/content/inspec/resources/group.md +++ b/docs-chef-io/content/inspec/resources/group.md 
@@ -62,17 +62,22 @@ The `members` property tests the members that belong to the group: its('members') { should include 'root' } -where `members` returns -- Array of group members for **Windows Platform**. -Example: `["member1", "member2"]` -- CSV formatted string of group members for **Non-Windows Platforms**. -Example: `"member1,member2"` +where `members` returns: + +- an array of group members for **Windows Platform**. + + Example: `["member1", "member2"]` + +- a CSV formatted string of group members for **Non-Windows Platforms**. + + Example: `"member1,member2"` ### members_array -The `members_array` property tests the members that belong to a group just like `members` property. -But the value returned by this property is always an array of group members. +The `members_array` property tests the members that belong to a group just like the +`members` property, +but the value returned by this property is always an array of group members. its('members_array') { should include 'root' } diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index 57aaeee04..812793c26 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md 
@@ -74,16 +74,20 @@ The `members` property tests the members that belong to a group: its('members') { should include 'root' } its('members') { should include 'Administrator' } -where `members` returns -- Array of group members for **Windows Platform**. -Example: `["member1", "member2"]` -- Single element array with CSV formatted string of group members for **Non-Windows Platforms**. -Example: `["member1,member2"]` +where `members` returns: + +- an array of group members for **Windows Platform**. + + Example: `["member1", "member2"]` + +- a single element array with CSV formatted string of group members for **Non-Windows Platforms**. + + Example: `["member1,member2"]` ### members_array -The `members_array` property tests the group members just like `members` property. -But the value returned by this property is always an array of group members. +The `members_array` property tests the group members just like the `members` property, +but the value returned by this property is always an array of group members. its('members_array') { should include 'root' } its('members_array') { should include 'Administrator' } From 1a96a4f0a8a681b38ee43ba10b2f949556435f20 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 26 Apr 2021 20:15:02 +0530 Subject: [PATCH 061/483] Group and groups doc updated clearly about local and etc groups Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/group.md | 6 ++++++ docs-chef-io/content/inspec/resources/groups.md | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/docs-chef-io/content/inspec/resources/group.md b/docs-chef-io/content/inspec/resources/group.md index 9885dd057..a2648434a 100644 --- a/docs-chef-io/content/inspec/resources/group.md +++ b/docs-chef-io/content/inspec/resources/group.md 
@@ -13,6 +13,12 @@ platform = "os" Use the `group` Chef InSpec audit resource to test a single group on the system. +Following system group is used in the `group` resource: + +- in **Non-Windows** system, resource only works with a group listed in file `/etc/group` and not a local group. +- in **Windows** system, resource only works with a local group. + + ## Availability ### Installation diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index a05687e62..e6a89d648 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md @@ -13,6 +13,11 @@ platform = "os" Use the `groups` Chef InSpec audit resource to test multiple groups on the system. +Following system groups are used in the `groups` resource: + +- in **Non-Windows** system, resource only works with groups listed in file `/etc/group` and not local groups. +- in **Windows** system, resource only works with local groups. + ## Availability ### Installation From 52f1d6a00282f456b0d428e2f4cb8da6bc457064 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 26 Apr 2021 20:24:20 +0530 Subject: [PATCH 062/483] Some doc improv added for group and groups resources Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/group.md | 5 +++-- docs-chef-io/content/inspec/resources/groups.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/group.md b/docs-chef-io/content/inspec/resources/group.md index a2648434a..5e2134692 100644 --- a/docs-chef-io/content/inspec/resources/group.md +++ b/docs-chef-io/content/inspec/resources/group.md 
@@ -15,8 +15,9 @@ Use the `group` Chef InSpec audit resource to test a single group on the system. Following system group is used in the `group` resource: -- in **Non-Windows** system, resource only works with a group listed in file `/etc/group` and not a local group. -- in **Windows** system, resource only works with a local group. +- in **Non-Windows** system, resource only works with a group listed in file `/etc/group` and not a local group of the system. + +- in **Windows** system, resource only works with a local group of the system. ## Availability diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index e6a89d648..c558c029a 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md @@ -15,8 +15,9 @@ Use the `groups` Chef InSpec audit resource to test multiple groups on the syste Following system groups are used in the `groups` resource: -- in **Non-Windows** system, resource only works with groups listed in file `/etc/group` and not local groups. -- in **Windows** system, resource only works with local groups. +- in **Non-Windows** system, resource only works with groups listed in file `/etc/group` and not local groups of the system. + +- in **Windows** system, resource only works with local groups of the system. ## Availability From 6e73969278db321bb9d59d4985a7ca15c29862f3 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 27 Apr 2021 02:40:12 +0000 Subject: [PATCH 063/483] Bump version to 4.35.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 55679490e..d849d7e4a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.35.1](https://github.com/inspec/inspec/tree/v4.35.1) (2021-04-21) + +## [v4.35.2](https://github.com/inspec/inspec/tree/v4.35.2) (2021-04-27) #### Merged Pull Requests -- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) +- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.33.1 release #### Merged Pull Requests +- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) - Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) #### New Features diff --git a/VERSION b/VERSION index b890e9364..92ad5f5e1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.35.1 \ No newline at end of file +4.35.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0731eebf6..696df8e00 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.35.1".freeze + VERSION = "4.35.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index d10592652..0de59466a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.35.1".freeze + VERSION = "4.35.2".freeze end From c042c93917a07f3e1bbdb248d170f7688ca6124e Mon Sep 17 00:00:00 2001 
From: jayashri garud Date: Tue, 27 Apr 2021 11:59:41 +0530 Subject: [PATCH 064/483] updating Gemfile to support environment variables Signed-off-by: jayashri garud --- omnibus/Gemfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/omnibus/Gemfile b/omnibus/Gemfile index 4caac9c47..54c1f29d4 100644 --- a/omnibus/Gemfile +++ b/omnibus/Gemfile @@ -1,7 +1,7 @@ source "https://rubygems.org" -gem "omnibus", git: "https://github.com/chef/omnibus", branch: "master" -gem "omnibus-software", git: "https://github.com/chef/omnibus-software", branch: "master" +gem "omnibus", github: ENV.fetch("OMNIBUS_GITHUB_REPO", "chef/omnibus"), branch: ENV.fetch("OMNIBUS_GITHUB_BRANCH", "master") +gem "omnibus-software", github: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_REPO", "chef/omnibus-software"), branch: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_BRANCH", "master") gem "artifactory" gem "ffi", ">= 1.9.14", "!= 1.13.0" From cb2abf2e10906bba4df24b2ed18ec51b0931eff2 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 27 Apr 2021 13:00:07 +0000 Subject: [PATCH 065/483] Bump version to 4.36.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d849d7e4a..bd77d7361 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
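Review bot: Both `gem` lines now take the repository and branch for `omnibus` and `omnibus-software` from environment variables, so whatever sets the build environment chooses the code that builds the package, and neither source is pinned to a commit. Switching from the explicit `https://` URL to the `github:` shorthand also leaves the transport to Bundler; as far as I know, older 1.x releases expand the shorthand to the unencrypted `git://` protocol. Keeping the URL explicit avoids that: `gem "omnibus", git: "https://github.com/#{ENV.fetch("OMNIBUS_GITHUB_REPO", "chef/omnibus")}", branch: ENV.fetch("OMNIBUS_GITHUB_BRANCH", "master")`, and the same form for `omnibus-software`. A comment above the two lines should name the four variables and say that release builds are expected to leave them unset.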
@@ -1,15 +1,18 @@ # Change Log - -## [v4.35.2](https://github.com/inspec/inspec/tree/v4.35.2) (2021-04-27) + +## [v4.36.0](https://github.com/inspec/inspec/tree/v4.36.0) (2021-04-27) -#### Merged Pull Requests -- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) +#### Enhancements +- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.33.1 release +#### Enhancements +- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) + #### Merged Pull Requests - Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) - Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) diff --git a/VERSION b/VERSION index 92ad5f5e1..9249c74a0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.35.2 \ No newline at end of file +4.36.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 696df8e00..226095a46 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.35.2".freeze + VERSION = "4.36.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 0de59466a..228dc8682 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.35.2".freeze + VERSION = "4.36.0".freeze end From 57c14841507386d5c40c9bb9e52f3d2d64912408 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 27 Apr 2021 19:29:13 +0530 Subject: [PATCH 066/483] Adds one more profile inside the require_controls_test to check inheritance Signed-off-by: Vasu1105 --- .../dependencies/require_controls_test/controls/example1.rb | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 test/fixtures/profiles/dependencies/require_controls_test/controls/example1.rb diff --git a/test/fixtures/profiles/dependencies/require_controls_test/controls/example1.rb b/test/fixtures/profiles/dependencies/require_controls_test/controls/example1.rb new file mode 100644 index 000000000..1d50bd0a8 --- /dev/null +++ b/test/fixtures/profiles/dependencies/require_controls_test/controls/example1.rb @@ -0,0 +1,3 @@ +require_controls 'profile_b' do + control 'profileb-2' +end From 03d72d4dc09be43fd740b19b30d71df3a18e0d34 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 27 Apr 2021 21:16:46 +0530 Subject: [PATCH 067/483] Doc change for groups related to members in non windows platform Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index 812793c26..5b85bb116 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md @@ -80,7 +80,7 @@ where `members` returns: Example: `["member1", "member2"]` -- a single element array with CSV formatted string of group members for **Non-Windows Platforms**. +- a single element array that contains a CSV string of group members for **Non-Windows Platforms**. Example: `["member1,member2"]` From 4d05db1a05a2e83cdb7c2637f29f3f03cca853af Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Wed, 28 Apr 2021 12:25:08 +0530 Subject: [PATCH 068/483] Doc review changes made for group and groups resource doc Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/group.md | 6 +++--- docs-chef-io/content/inspec/resources/groups.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/group.md b/docs-chef-io/content/inspec/resources/group.md index 5e2134692..d2aaa0bea 100644 --- a/docs-chef-io/content/inspec/resources/group.md +++ b/docs-chef-io/content/inspec/resources/group.md @@ -13,11 +13,11 @@ platform = "os" Use the `group` Chef InSpec audit resource to test a single group on the system. -Following system group is used in the `group` resource: +The `group` resource uses the following system groups: -- in **Non-Windows** system, resource only works with a group listed in file `/etc/group` and not a local group of the system. +- On **non-Windows** systems the group resource tests a local group defined in the`/etc/group` file. -- in **Windows** system, resource only works with a local group of the system. +- On **Windows** systems the group resource tests a local group defined by Local Users and Groups. ## Availability diff --git a/docs-chef-io/content/inspec/resources/groups.md b/docs-chef-io/content/inspec/resources/groups.md index c558c029a..3514c6b47 100644 --- a/docs-chef-io/content/inspec/resources/groups.md +++ b/docs-chef-io/content/inspec/resources/groups.md 
@@ -13,11 +13,11 @@ platform = "os" Use the `groups` Chef InSpec audit resource to test multiple groups on the system. -Following system groups are used in the `groups` resource: +The `groups` resource uses the following system groups: -- in **Non-Windows** system, resource only works with groups listed in file `/etc/group` and not local groups of the system. +- On **non-Windows** systems the group resource tests local groups defined in the`/etc/group` file. -- in **Windows** system, resource only works with local groups of the system. +- On **Windows** systems the group resource tests local groups defined by Local Users and Groups. ## Availability From c56b0987613d5f920cb9d70d03161e0e79273245 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 28 Apr 2021 11:34:49 +0530 Subject: [PATCH 069/483] Fix for undefined method + for nil class error Signed-off-by: Vasu1105 --- lib/inspec/profile_context.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/profile_context.rb b/lib/inspec/profile_context.rb index deea0246f..bc2df0e58 100644 --- a/lib/inspec/profile_context.rb +++ b/lib/inspec/profile_context.rb @@ -91,7 +91,7 @@ module Inspec end def all_controls - ret = @rules.values + ret = @rules.values.reject(&:nil?) ret += @control_subcontexts.map(&:all_rules).flatten ret end From 0fdd546c40a1184d0dace5d11abfa91db32ddf6e Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Apr 2021 16:28:23 +0000 Subject: [PATCH 070/483] Bump version to 4.36.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd77d7361..43fe64dde 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
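Review bot: Filtering nil out of `@rules.values` in `all_controls` stops the crash but hides how a nil entry got into `@rules`, and a control that silently drops out of the list is a gap in a compliance report. Only the profile's own rules are filtered; the values gathered through `@control_subcontexts.map(&:all_rules)` are not, and whether those can hold nil is not visible in this hunk. The idiomatic form is `ret = @rules.values.compact`. I would add a comment naming the registration path that leaves nil in `@rules`, and log when an entry is discarded.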
@@ -1,10 +1,10 @@ # Change Log - -## [v4.36.0](https://github.com/inspec/inspec/tree/v4.36.0) (2021-04-27) + +## [v4.36.1](https://github.com/inspec/inspec/tree/v4.36.1) (2021-04-28) -#### Enhancements -- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) @@ -14,6 +14,7 @@ - Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) #### Merged Pull Requests +- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) - Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) - Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) diff --git a/VERSION b/VERSION index 9249c74a0..105528a5f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.0 \ No newline at end of file +4.36.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 226095a46..44ef47fb3 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.0".freeze + VERSION = "4.36.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 228dc8682..ea2efef2f 100644 --- a/lib/inspec/version.rb 
+++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.0".freeze + VERSION = "4.36.1".freeze end From 597b33e51cad848ad36312b8bc511970938939be Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Apr 2021 16:32:07 +0000 Subject: [PATCH 071/483] Bump version to 4.36.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43fe64dde..79deb4021 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.1](https://github.com/inspec/inspec/tree/v4.36.1) (2021-04-28) + +## [v4.36.2](https://github.com/inspec/inspec/tree/v4.36.2) (2021-04-28) #### Merged Pull Requests -- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) +- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) 
@@ -14,6 +14,7 @@ - Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) #### Merged Pull Requests +- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) - updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) - Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) - Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) diff --git a/VERSION b/VERSION index 105528a5f..846f86fbc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.1 \ No newline at end of file +4.36.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 44ef47fb3..ee5750af9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.1".freeze + VERSION = "4.36.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index ea2efef2f..5d4fcca38 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.1".freeze + VERSION = "4.36.2".freeze end From ab401b6d64817d161c85335dc6f3724f039dfe12 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 28 Apr 2021 16:34:51 +0000 Subject: [PATCH 072/483] Bump version to 4.36.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79deb4021..3a64bb758 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.2](https://github.com/inspec/inspec/tree/v4.36.2) (2021-04-28) + +## [v4.36.3](https://github.com/inspec/inspec/tree/v4.36.3) (2021-04-28) #### Merged Pull Requests -- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) +- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) @@ -14,6 +14,7 @@ - Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) #### Merged Pull Requests +- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) - Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) - updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) - Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 846f86fbc..1eeacabf2 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@
-4.36.2
\ No newline at end of file
+4.36.3
\ No newline at end of file
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb
index ee5750af9..da500d357 100644
--- a/inspec-bin/lib/inspec-bin/version.rb
+++ b/inspec-bin/lib/inspec-bin/version.rb
@@ -1,5 +1,5 @@
# This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__)
- VERSION = "4.36.2".freeze
+ VERSION = "4.36.3".freeze
end
diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb
index 5d4fcca38..50d183971 100644
--- a/lib/inspec/version.rb
+++ b/lib/inspec/version.rb
@@ -1,3 +1,3 @@
module Inspec
- VERSION = "4.36.2".freeze
+ VERSION = "4.36.3".freeze
end
From 457e544724f0dc22113efd4c3a4b9f41b5223c34 Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Mon, 19 Apr 2021 18:40:34 +0530
Subject: [PATCH 073/483] Fix for non-existent member for group resource
Signed-off-by: Nikita Mathur
---
lib/inspec/resources/groups.rb | 2 +- test/fixtures/files/etcgroup | 3 ++- test/unit/resources/etc_group_test.rb | 6 +++--- test/unit/resources/group_test.rb | 16 +++++++++++++++- test/unit/resources/groups_test.rb | 12 ++++++------ 5 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/lib/inspec/resources/groups.rb b/lib/inspec/resources/groups.rb
index f7bfe726a..a354e8e8a 100644
--- a/lib/inspec/resources/groups.rb
+++ b/lib/inspec/resources/groups.rb
@@ -118,7 +118,7 @@ module Inspec::Resources
end def members
- flatten_entry(group_info, "members")
+ flatten_entry(group_info, "members") || []
end def members_array
diff --git a/test/fixtures/files/etcgroup b/test/fixtures/files/etcgroup
index 3dc879da9..ad92d77a5 100644
--- a/test/fixtures/files/etcgroup
+++ b/test/fixtures/files/etcgroup
@@ -1,4 +1,5 @@
# comment root:x:0: www-data:x:33:www-data,root
-GroupWithCaps:x:999:
\ No newline at end of file
+GroupWithCaps:x:999:
+sftpusers:x:1000:sftponly
\ No newline at end of file
diff --git a/test/unit/resources/etc_group_test.rb b/test/unit/resources/etc_group_test.rb
index b53fecdc6..7075ae814 100644
--- a/test/unit/resources/etc_group_test.rb
+++ b/test/unit/resources/etc_group_test.rb
@@ -6,9 +6,9 @@ describe "Inspec::Resources::EtcGroup" do
let(:resource) { load_resource("etc_group") } it "verify /etc/group config parsing" do
- _(resource.gids).must_equal [0, 33, 999]
- _(resource.groups).must_equal %w{ root www-data GroupWithCaps }
- _(resource.users).must_equal %w{ www-data root }
+ _(resource.gids).must_equal [0, 33, 999, 1000]
+ _(resource.groups).must_equal %w{ root www-data GroupWithCaps sftpusers }
+ _(resource.users).must_equal %w{ www-data root sftponly }
end it "verify group filter with no users" do
diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb
index 3cab79fa3..f5c3826c4 100644
--- a/test/unit/resources/group_test.rb
+++ b/test/unit/resources/group_test.rb
@@ -86,7 +86,7 @@ describe "Inspec::Resources::Group" do
resource = MockLoader.new(:windows).load_resource("group", "dhcp") _(resource.exists?).must_equal false _(resource.gid).must_be_nil
- _(resource.members).must_be_nil
+ _(resource.members).must_equal []
_(resource.members_array).must_equal [] end
@@ -96,4 +96,18 @@ describe "Inspec::Resources::Group" do
_(resource.exists?).must_equal false _(resource.gid).must_be_nil end
+
+ # centos7
+ it "verify group on centos7 with members" do
+ resource = MockLoader.new(:centos7).load_resource("group", "sftpusers")
+ _(resource.exists?).must_equal true
+ _(resource.members).must_include "sftponly"
+ end
+
+ # centos with non-existent group member
+ it "verify non-existent group member on centos" do
+ resource = MockLoader.new(:centos7).load_resource("group", "root")
+ _(resource.exists?).must_equal true
+ _(resource.members).must_equal []
+ end
end
diff --git a/test/unit/resources/groups_test.rb b/test/unit/resources/groups_test.rb
index 98390e6a8..2dda3a9fc 100644
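Review bot: `_(resource.members).must_include "sftponly"` in the new centos7 test of group_test.rb only proves containment. If `members` is a String on this platform (the `www-data:x:33:www-data,root` fixture format suggests a comma-joined value, but that is not confirmable from this hunk), `must_include` is a substring match that a member named `sftponly2` would also satisfy. Since profiles use this resource to audit group membership, I would pin the exact value, e.g. `_(resource.members_array).must_equal ["sftponly"]`, assuming `members_array` returns an Array of names as the Windows test in the previous hunk suggests. The second new test is titled "non-existent group member" but loads the existing `root` group, which simply has no members; a title such as `it "returns an empty members value for a group with no members" do` would describe what it checks.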
--- a/test/unit/resources/groups_test.rb
+++ b/test/unit/resources/groups_test.rb
@@ -7,18 +7,18 @@ describe "groups resource on unix platform" do
describe "no arguments" do it "finds all group names" do
- _(resource.names.count).must_equal 3
- _(resource.names).must_equal %w{root www-data GroupWithCaps}
+ _(resource.names.count).must_equal 4
+ _(resource.names).must_equal %w{root www-data GroupWithCaps sftpusers}
end it "finds all group gids" do
- _(resource.gids.count).must_equal 3
- _(resource.gids).must_equal [0, 33, 999]
+ _(resource.gids.count).must_equal 4
+ _(resource.gids).must_equal [0, 33, 999, 1000]
end it "finds no group domains" do
- _(resource.domains.count).must_equal 3
- _(resource.domains).must_equal [nil, nil, nil]
+ _(resource.domains.count).must_equal 4
+ _(resource.domains).must_equal [nil, nil, nil, nil]
end end
From 7693363a1a09a9d89c9627ab3835df1951ec4a32 Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Thu, 22 Apr 2021 18:46:02 +0530
Subject: [PATCH 074/483] Fix for default null values compatible for both windows and non-windows system
Signed-off-by: Nikita Mathur
---
lib/inspec/resources/groups.rb | 6 +++++- test/unit/resources/group_test.rb | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/inspec/resources/groups.rb b/lib/inspec/resources/groups.rb
index a354e8e8a..13e4b22c5 100644
--- a/lib/inspec/resources/groups.rb
+++ b/lib/inspec/resources/groups.rb
@@ -118,7 +118,7 @@ module Inspec::Resources
end def members
- flatten_entry(group_info, "members") || []
+ flatten_entry(group_info, "members") || empty_value_for_members
end def members_array
@@ -152,6 +152,10 @@ module Inspec::Resources
group = @group.dup @groups_cache ||= inspec.groups.where { name == group } end
+
+ def empty_value_for_members
+ inspec.os.windows? ? [] : ""
+ end
end class GroupInfo
diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb
index f5c3826c4..35e562bfb 100644
--- a/test/unit/resources/group_test.rb
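Review bot: `members` in groups.rb now has a platform-dependent return type when a group has no members, `[]` on Windows and `""` elsewhere via `empty_value_for_members`, and nothing at either method records that. A control that calls `include` on the result then behaves differently per platform: on a String it is a substring test, so `should include "root"` would presumably also pass for a member named `notroot`. I would add a comment above `def members`, e.g. `# Returns "" (non-Windows) or [] (Windows) when the group has no members; prefer members_array for exact, platform-independent matching.`, with the last clause kept only if `members_array` does return an Array on every platform. The enclosing class starts and ends outside both hunks, so whether `empty_value_for_members` lands under `private` cannot be seen here.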
+++ b/test/unit/resources/group_test.rb @@ -108,6 +108,6 @@ describe "Inspec::Resources::Group" do it "verify non-existent group member on centos" do resource = MockLoader.new(:centos7).load_resource("group", "root") _(resource.exists?).must_equal true - _(resource.members).must_equal [] + _(resource.members).must_equal "" end end From 4cd7a4012a868f6664f6fce8d2ea5173215d0a50 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Apr 2021 20:10:06 +0000 Subject: [PATCH 075/483] Bump version to 4.36.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a64bb758..d47815505 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.36.3](https://github.com/inspec/inspec/tree/v4.36.3) (2021-04-28) + +## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-28) -#### Merged Pull Requests -- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) +#### Bug Fixes +- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08)) ### Changes since 4.33.1 release +#### Bug Fixes +- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08)) + #### Enhancements - Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 1eeacabf2..8bd94aeb1 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.3 \ No newline at end of file +4.36.4 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index da500d357..f9146d907 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.3".freeze + VERSION = "4.36.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 50d183971..2167935fb 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.3".freeze + VERSION = "4.36.4".freeze end From cf1ec576ce362a4e73184aff06278c1750da460a Mon Sep 17 00:00:00 2001 From: "dependabot-preview[bot]" <27856297+dependabot-preview[bot]@users.noreply.github.com> Date: Wed, 28 Apr 2021 22:35:59 +0000 Subject: [PATCH 076/483] Upgrade to GitHub-native Dependabot --- .github/dependabot.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..2780fafdc --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,12 @@ +version: 2 +updates: +- package-ecosystem: bundler + directory: "/" + schedule: + interval: daily + open-pull-requests-limit: 10 + ignore: + - dependency-name: chefstyle + versions: + - 1.6.1 + - 1.6.2 From 8a93f08a13d6bde8f87e447ff4246801bef80f8c Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 29 Apr 2021 00:02:39 +0000 Subject: [PATCH 077/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 47 ++++++++++++++++++++++------------------------- Dockerfile | 2 +- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d47815505..fe2e6e9f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,34 +1,32 @@ # Change Log - -## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-28) - -#### Bug Fixes -- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08)) + - -### Changes since 4.33.1 release - -#### Bug Fixes -- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08)) - -#### Enhancements -- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) - -#### Merged Pull Requests -- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) -- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) -- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) -- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) -- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) - -#### New Features -- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) -- Add selinux resource with basic feature support [#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) + +## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-29) + +#### New Features +- Add selinux resource with basic feature support 
[#5458](https://github.com/inspec/inspec/pull/5458) ([Vasu1105](https://github.com/Vasu1105)) +- New input option `pattern` added for DSL and metadata inputs [#5466](https://github.com/inspec/inspec/pull/5466) ([Nik08](https://github.com/Nik08)) + +#### Enhancements +- Add selinux resource support for modules and booleans [#5463](https://github.com/inspec/inspec/pull/5463) ([Vasu1105](https://github.com/Vasu1105)) + +#### Bug Fixes +- Fix for group resource when member does not exist [#5470](https://github.com/inspec/inspec/pull/5470) ([Nik08](https://github.com/Nik08)) + +#### Merged Pull Requests +- Update faraday requirement from >= 0.9.0, < 1.4 to >= 0.9.0, < 1.5 [#5469](https://github.com/inspec/inspec/pull/5469) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) +- Minor fix - Method expected to return boolean but it was returning nil if condition check fails [#5480](https://github.com/inspec/inspec/pull/5480) ([Vasu1105](https://github.com/Vasu1105)) +- updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) +- Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) +- Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) + + ## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-21) #### New Features @@ -37,7 +35,6 @@ #### Merged Pull Requests - Update postgres_ident_conf.md [#5461](https://github.com/inspec/inspec/pull/5461) ([tobiasbp](https://github.com/tobiasbp)) - Remove default of 3600 seconds for command timeout [#5472](https://github.com/inspec/inspec/pull/5472) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.32.0](https://github.com/inspec/inspec/tree/v4.32.0) (2021-04-14) 
diff --git a/Dockerfile b/Dockerfile index 2c0469242..3ecacd584 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.33.1 +ARG VERSION=4.36.4 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 260077bb7a0b93cb94ea6484e7614c7288deb399 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 28 Apr 2021 20:25:18 -0400 Subject: [PATCH 078/483] Add CI-CD docs Signed-off-by: Clinton Wolfe --- dev-docs/ci-cd.md | 133 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 dev-docs/ci-cd.md diff --git a/dev-docs/ci-cd.md b/dev-docs/ci-cd.md new file mode 100644 index 000000000..4c41c613e --- /dev/null +++ b/dev-docs/ci-cd.md 
@@ -0,0 +1,133 @@ +# About InSpec's Continuous Integration and Continuous Delivery Setup + +## Major Components + +### Expeditor + +[Expeditor](https://expeditor.chef.io/) is the main coordinator of all CI-CD activity at Chef. It is configured through a [YAML file](https://github.com/inspec/inspec/blob/master/.expeditor/config.yml). + +### BuildKite + +[Buildkite](https://buildkite.com/chef) is the engine that actually executes all of the tests and builds for InSpec. While Buildkite coordinates all of the work, the actual infrastructure is managed by Chef in a variety of locations, including various clouds and datacenters. + +Buildkite is divided into two orgs, [Chef](https://buildkite.com/chef) and [Chef-OSS](https://buildkite.com/chef-oss) (Open Source Software). Chef is private and Chef-OSS is public. + +You will need to have an account on BuildKite and be a member of both orgs to fully utilize the system. + +### Rakefile + +The [Rakefile](https://github.com/inspec/inspec/blob/master/Rakefile) defines the tests harness to be run. Most of the test scripts come down to executing "rake test" or similar. + +### Omnibus + +Omnibus is a system for building OS-specific packages of software, including all dependencies including Ruby runtimes. We use Omnibus to make RPMs, DEBs, MSIs, DMGs, and several other OS-specific formats that deploy inspec and its dependencies natively to the OS. + +The omnibus configuration for InSpec is stored at https://github.com/inspec/inspec/tree/master/omnibus and the main configuration file is [inspec.rb](https://github.com/inspec/inspec/blob/master/omnibus/config/projects/inspec.rb). + +### Rubygems + +InSpec is published as a set of 4 gems - inspec, inspec-core, inspec-bin, and inspec-core-bin. When we release a new version to the public (a process we call "promotion" and typically happens on Wednesdays), we publish to rubygems.org. + +Rubygems are configured by declaring them in the expeditor configuration file in the `rubygems` section. 
+ +### Artifactory + +Artifactory stores build artifacts (such as RPMs, MSIs, and gems) on a temporary basis. Artifactory is protected by the Progress VPN. [Artifactory inspec package search](http://artifactory.chef.co/ui/packages?name=inspec&type=packages). + +## What Happens when... + +### A PR is opened + +When a PR is opened, the subscription [workload: pull_request_opened:{{agent_id}}:*](https://github.com/inspec/inspec/blob/cb2abf2e10906bba4df24b2ed18ec51b0931eff2/.expeditor/config.yml#L173) is activated. In addition, several defaults also apply. + +One default pipeline that gets activated is the Buildkite [master verify pipeline](https://buildkite.com/chef-oss/inspec-inspec-master-verify). This default is documented [here](https://expeditor.chef.io/docs/pipelines/verify/). + +#### verify pipeline + +The verify pipeline runs the linter, the unit tests, and the functional tests. It verifies that the code being submitted is sound. + +The verify pipeline is defined first in the [verify.pipeline.yml](https://github.com/inspec/inspec/blob/master/.expeditor/verify.pipeline.yml) file, which defines the separate Ruby versions, platforms, and environment variables to be passed to each one. Each runner calls a shell script, either [verify.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.sh) or [verify.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/verify.ps1). These scripts are thin wrappers that install Bundler dependencies from a cache, then call into the Rakefile. + +#### habitat artifact pipeline + +The habitat artifact pipeline runs a smoke test to verify that the habitat build of inspec is valid. + +The habitat artifact pipeline is defined first in the [artifact.habitat.yml](https://github.com/inspec/inspec/blob/master/.expeditor/artifact.habitat.yml) file. 
It simply defines a linux runner and a windows runner, each with a dedicated script, [artifact.habitat.test.sh](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.sh) or [artifact.habitat.test.ps1](https://github.com/inspec/inspec/blob/master/.expeditor/buildkite/artifact.habitat.test.ps1). The scripts install habitat, setup an origin key, build the package, and then run a [Rakefile](https://github.com/inspec/inspec/blob/master/test/artifact/Rakefile) + + +### A PR is merged + +When a PR is merged, the Expeditor actions under `merge_actions` are executed. + +Watch the Slack channel #inspec-notify for messages about the success or failure of various steps. + +Connect to the Progress VPN to fetch Expeditor logs in the event of a failure. + +#### Version Bumping + +This is controlled by the `built_in:bump_version` and `bash:.expeditor/update_version.sh` subscriptions. + +If there are no GitHub labels on the PR, the patchlevel of the version will be bumped by executing the [.expeditor/update_version.sh](https://github.com/inspec/inspec/blob/master/.expeditor/update_version.sh) script. First the VERSION file is updated, then the script runs to update the versions in the Ruby files. + +`built_in:bump_version` is in charge of bumping versions in VERSION, and is controlled by GitHub labels on the PR. Most, though not all, PRs should not have any Expeditor control labels. + +Here are the Expeditor control labels, and the circumstances under which they should be used: + + * Expeditor: Bump Minor Version - Use when a significant new feature is being released. + * Expeditor: Bump Major Version - Use when a major release is made - rarely used. + * Expeditor: Skip Version Bump - Use for non-code-change PRs, such as website or CI changes. + +#### Build Omnibus Packages + +This is controlled by the `trigger_pipeline:omnibus/release` subscription. 
+ +The Omnibus build creates operating-system-specific packages for each platform on which we release Chef InSpec. Its [expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L133) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/release.omnibus.yml), which lists exactly which platforms to build. + +The Omnibus build is generally reliable, if somewhat slow. + +When the omnibus build succeeds, omnitruck delivers the packages to various package repos in `unstable` channels for public consumption. The packages are also delivered to [Artifactory](http://artifactory.chef.co/ui/repos/tree/General/omnibus-unstable-local%2Fcom%2Fgetchef%2Finspec) (VPN required) + +#### Chef Habitat Build + +The Chef Habitat build creates Habitat .hart packages for Linux and Windows. The [Expeditor configuration](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L138) drives a [Buildkite configuration](https://github.com/inspec/inspec/blob/master/.expeditor/build.habitat.yml). + +When the hab build succeeds, the packages will be placed on the Hab builder in the `unstable` channel for public consumption. + +#### Docker Image Built and Released + +We also release a Docker image (see [expeditor config](https://github.com/inspec/inspec/blob/44fe144732e1e0abb2594957a880c5f1821e7774/.expeditor/config.yml#L150)), which contains a Linux system and Chef InSpec installed from a gem, with the ENTRYPOINT of the Docker image being `inspec` (see [Dockerfile](https://github.com/inspec/inspec/blob/master/Dockerfile)). It's a simple way to ship the dependencies of `inspec`. + +When it succeeds, the Docker build is labeled as `current`. 
+ +#### Gems Built and Placed on Artifactory + +The `inspec`, `inspec-bin`, `inspec-core`, and `inspec-core-bin` gems are all built and placed on the internal Chef [Artifactory](http://artifactory.chef.co/ui/packages?name=inspec&type=packages) (VPN required) server. During promotion later, they publish to rubygems.org. + +The difference between the gems is as follows: + + * `inspec` is a library gem, with full heavyweight dependencies, not encumbered by commercial licensing + * `inspec-bin` contains an `inspec` executable and is encumbered by commercial licensing + * `inspec-core` is a library gem, with lightweight dependencies and no compilation required at install time, and is not encumbered by commercial licensing + * `inspec-core-bin` contains an `inspec` executable and is encumbered by commercial licensing + +### A release is promoted + +When expeditor is told to promote a release, using the slack command `/expeditor promote inspec/inspec:master 4.36.4` (for example), Expeditor automatically promotes the Omnibus packages from the unstable channel to the stable channel, publishing them to the various downloads sites. It also creates the `artifact_published:stable` event, which has numerous [actions subscribed](https://github.com/inspec/inspec/blob/8a93f08a13d6bde8f87e447ff4246801bef80f8c/.expeditor/config.yml#L158). + +Some of the more important ones: + +#### Update and publish the docker image + +The Dockerfile is updated - mainly to update version numbers - and then the published Docker image is tagged with the labels "stable" and "latest". + +#### Rubygems are published to rubygems,org + +The gems are taken from Artifactory and published to Rubygems.org. This is done using an Expeditor built-in action. The gems must be owned by the user `chef`. 
+ +#### Release notes are published + +The [pending release notes](https://github.com/inspec/inspec/wiki/Pending-Release-Notes) are copied to AWS S3 by a [script](https://github.com/inspec/inspec/blob/master/.expeditor/publish-release-notes.sh), and then reset back to an empty state. Another [script](https://github.com/inspec/inspec/blob/master/.expeditor/announce-release.sh) takes the release notes from S3 and creates a post on Discourse. + + + + From 231d5620406d67bfb35608f06058af23698d98e9 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 29 Apr 2021 13:59:17 +0530 Subject: [PATCH 079/483] Using compact Signed-off-by: Vasu1105 --- lib/inspec/profile_context.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/profile_context.rb b/lib/inspec/profile_context.rb index bc2df0e58..aa298e869 100644 --- a/lib/inspec/profile_context.rb +++ b/lib/inspec/profile_context.rb @@ -91,7 +91,7 @@ module Inspec end def all_controls - ret = @rules.values.reject(&:nil?) + ret = @rules.values.compact ret += @control_subcontexts.map(&:all_rules).flatten ret end From a4d822ae43d7b35557a4e640a7954f54d4b8ab8e Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 30 Apr 2021 17:19:33 +0530 Subject: [PATCH 080/483] Inspec automate command extended for compliances Signed-off-by: Nikita Mathur --- README.md | 22 ++-- dev-docs/compliance.md | 7 +- docs-chef-io/content/inspec/cli.md | 4 + .../content/inspec/plugin_kitchen_inspec.md | 5 + lib/inspec/cli.rb | 4 + lib/inspec/plugin/v2/loader.rb | 9 ++ lib/plugins/inspec-compliance/README.md | 112 +++++++++++++++++- .../lib/inspec-compliance.rb | 5 + .../lib/inspec-compliance/api/login.rb | 4 +- .../lib/inspec-compliance/cli.rb | 15 ++- .../lib/inspec-compliance/target.rb | 9 +- .../test/functional/inspec_compliance_test.rb | 50 ++++++++ 12 files changed, 220 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 016b05200..ceca3d9d6 100644 --- a/README.md +++ b/README.md 
@@ -177,17 +177,17 @@ You should now be able to run: ```bash $ inspec --help Commands: - inspec archive PATH # archive a profile to tar.gz (default) ... - inspec check PATH # verify all tests at the specified PATH - inspec compliance SUBCOMMAND ... # Chef Compliance commands - inspec detect # detect the target OS - inspec exec PATH(S) # run all test files at the specified PATH. - inspec help [COMMAND] # Describe available commands or one spe... - inspec init TEMPLATE ... # Scaffolds a new project - inspec json PATH # read all tests in PATH and generate a ... - inspec shell # open an interactive debugging shell - inspec supermarket SUBCOMMAND ... # Supermarket commands - inspec version # prints the version of this tool + inspec archive PATH # archive a profile to tar.gz (default) ... + inspec check PATH # verify all tests at the specified PATH + inspec compliance SUBCOMMAND or automate SUBCOMMAND ... # Chef Compliance commands + inspec detect # detect the target OS + inspec exec PATH(S) # run all test files at the specified PATH. + inspec help [COMMAND] # Describe available commands or one spe... + inspec init TEMPLATE ... # Scaffolds a new project + inspec json PATH # read all tests in PATH and generate a ... + inspec shell # open an interactive debugging shell + inspec supermarket SUBCOMMAND ... # Supermarket commands + inspec version # prints the version of this tool Options: [--diagnose], [--no-diagnose] # Show diagnostics (versions, configurations) diff --git a/dev-docs/compliance.md b/dev-docs/compliance.md index 384c3c83d..589cc697a 100644 --- a/dev-docs/compliance.md +++ b/dev-docs/compliance.md @@ -8,6 +8,8 @@ The `compliance` set of subcommands handle user-initiated communication with Che When Automate initiates scans, the `compliance` subcommand is not used. +An alternate subcommand to `compliance` is `automate`. And it works similarly using `inspec automate`. + ## Operational Notes ### Obtaining an a test Automate server 
@@ -65,9 +67,10 @@ There are several other minor commands not listed here - see `lib/cli.rb` for a ### login -Saves a credentials file locally. Future invocations of `inspec compliance` use the credentials file to authenticate. +Saves a credentials file locally. Future invocations of `inspec compliance` or `inspec automate` use the credentials file to authenticate. -`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` +`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` or +`be inspec automate login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` Here are the results of running login, from `.inspec/compliance/config.json`: diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 1748a074d..c7bf3fd5b 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -187,6 +187,10 @@ Chef Automate: inspec compliance login inspec exec compliance://username/linux-baseline ``` +An alternate command for login: +``` +inspec automate login +``` Chef Supermarket: ``` diff --git a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md index 432e529c3..15bac1604 100644 --- a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md +++ b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md @@ -40,6 +40,11 @@ inspec compliance login https://compliance.test --user admin --insecure --token where `--insecure` is required when using self-signed certificates. +An alternate command for login: +```bash +inspec automate login https://compliance.test --user admin --insecure --token '' +``` + Use a compliance profile from the Chef Supermarket: ```YML diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 262984fca..b05af6971 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb 
@@ -221,6 +221,10 @@ class Inspec::InspecCLI < Inspec::BaseCLI #{Inspec::Dist::EXEC_NAME} compliance login #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline ``` + An alternate command for login: + ``` + #{Inspec::Dist::EXEC_NAME} automate login + ``` Supermarket: ``` diff --git a/lib/inspec/plugin/v2/loader.rb b/lib/inspec/plugin/v2/loader.rb index 15e1b3076..dd110ff3d 100644 --- a/lib/inspec/plugin/v2/loader.rb +++ b/lib/inspec/plugin/v2/loader.rb @@ -117,6 +117,15 @@ module Inspec::Plugin::V2 # `inspec dosomething` => activate the :dosomething hook activate_me ||= cli_args.include?(act.activator_name.to_s) + # Only one compliance command to be activated at one time. + # Since both commands are defined in the same class, + # activators were not getting fetched uniquely. + if cli_args.include?("automate") && act.activator_name.to_s.eql?("compliance") + activate_me = false + elsif cli_args.include?("compliance") && act.activator_name.to_s.eql?("automate") + activate_me = false + end + # OK, activate. if activate_me act.activate diff --git a/lib/plugins/inspec-compliance/README.md b/lib/plugins/inspec-compliance/README.md index c6c709c47..f876a667a 100644 --- a/lib/plugins/inspec-compliance/README.md +++ b/lib/plugins/inspec-compliance/README.md @@ -6,6 +6,7 @@ This extensions offers the following features: - execute profiles directly from Chef Automate/Chef Compliance locally - upload a local profile to Chef Automate/Chef Compliance +The subcommand `compliance` has an alternate `automate`. And it works similarly using `inspec automate`. To use the CLI, this InSpec add-on adds the following commands: * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance 
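Review bot: The new guard in loader.rb matches the words `automate` and `compliance` anywhere in `cli_args`, not in the subcommand position. If `cli_args` is the full argument list (it is populated outside this hunk), an invocation such as `inspec compliance upload automate`, where the profile directory happens to be named `automate`, contains both words, so both branches set `activate_me = false` and neither activator is loaded. Deciding on the subcommand token alone avoids this. The sketch below assumes the first non-option argument is the subcommand, which needs checking against how global options that take values are passed. The enclosing method starts and ends outside the hunk.

```ruby
# … unchanged: activate_me ||= cli_args.include?(act.activator_name.to_s) …

# Only one of the two aliases may activate, decided by the subcommand
# actually invoked rather than by any argument that happens to match.
aliases = %w{automate compliance}
subcommand = cli_args.find { |arg| !arg.start_with?("-") }
if aliases.include?(subcommand) && aliases.include?(act.activator_name.to_s)
  activate_me = act.activator_name.to_s == subcommand
end

# … unchanged: if activate_me / act.activate …
```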
@@ -14,12 +15,21 @@ To use the CLI, this InSpec add-on adds the following commands: * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance + Similar to these CLI commands are: + + * `$ inspec automate login` - authentication of the API token against Chef Automate/Chef Compliance + * `$ inspec automate profiles` - list all available Compliance profiles + * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance + * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance + Compliance profiles can be executed in two ways: -- via compliance exec: `inspec compliance exec profile` +- via compliance exec: `inspec compliance exec profile` or `inspec automate exec profile` - via compliance scheme: `inspec exec compliance://profile` + + ## Usage ### Command options @@ -37,6 +47,21 @@ Commands: inspec compliance version # displays the version of the Chef Compliance server ``` +or + +``` +$ inspec automate +Commands: + inspec automate download PROFILE # downloads a profile from Chef Compliance + inspec automate exec PROFILE # executes a Chef Compliance profile + inspec automate help [COMMAND] # Describe subcommands or one specific subcommand + inspec automate login SERVER # Log in to a Chef Automate/Chef Compliance SERVER + inspec automate logout # user logout from Chef Compliance + inspec automate profiles # list all available profiles in Chef Compliance + inspec automate upload PATH # uploads a local profile to Chef Compliance + inspec automate version # displays the version of the Chef Compliance server +``` + ### Login with Chef Automate 2 You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui. 
@@ -67,6 +92,12 @@ You will need an access token for authentication. You can retrieve one via [UI]( $ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' ``` +or + +``` +$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' +``` + ### Login with Chef Compliance You will need an access token for authentication. You can retrieve one via: @@ -79,6 +110,12 @@ You can choose the access token (`--token`) or the refresh token (`--refresh_tok $ inspec compliance login https://compliance.test --user admin --insecure --token '...' ``` +or + +``` +$ inspec automate login https://compliance.test --user admin --insecure --token '...' +``` + ### List available profiles via Chef Compliance / Automate ``` @@ -103,6 +140,30 @@ Available profiles: * cis/cis-ubuntu14.04lts-level2 ``` +or + +``` +$ inspec automate profiles +Available profiles: +------------------- + * base/apache + * base/linux + * base/mysql + * base/postgres + * base/ssh + * base/windows + * cis/cis-centos6-level1 + * cis/cis-centos6-level2 + * cis/cis-centos7-level1 + * cis/cis-centos7-level2 + * cis/cis-rhel7-level1 + * cis/cis-rhel7-level2 + * cis/cis-ubuntu12.04lts-level1 + * cis/cis-ubuntu12.04lts-level2 + * cis/cis-ubuntu14.04lts-level1 + * cis/cis-ubuntu14.04lts-level2 +``` + ### Upload a profile to Chef Compliance / Automate ``` 
@@ -144,6 +205,47 @@ Available profiles: * cis/cis-ubuntu14.04lts-level2 ``` +or + +``` +$ inspec automate version +Chef Compliance version: 1.0.11 +➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile +I, [2016-05-06T14:27:20.907547 #37592] INFO -- : Checking profile in examples/profile +I, [2016-05-06T14:27:20.907668 #37592] INFO -- : Metadata OK. +I, [2016-05-06T14:27:20.968584 #37592] INFO -- : Found 4 controls. +I, [2016-05-06T14:27:20.968638 #37592] INFO -- : Control definitions OK. +Profile is valid +Generate temporary profile archive at /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz +I, [2016-05-06T14:27:21.020017 #37592] INFO -- : Generate archive /var/folders/jy/2bnrfb4s36jbjtzllvhhyqhw0000gn/T/profile20160506-37592-1tf326f.tar.gz. +I, [2016-05-06T14:27:21.024837 #37592] INFO -- : Finished archive generation. +Start upload to admin/profile +Uploading to Chef Compliance +Successfully uploaded profile + +# display all profiles +$ inspec automate profiles +Available profiles: +------------------- + * admin/profile + * base/apache + * base/linux + * base/mysql + * base/postgres + * base/ssh + * base/windows + * cis/cis-centos6-level1 + * cis/cis-centos6-level2 + * cis/cis-centos7-level1 + * cis/cis-centos7-level2 + * cis/cis-rhel7-level1 + * cis/cis-rhel7-level2 + * cis/cis-ubuntu12.04lts-level1 + * cis/cis-ubuntu12.04lts-level2 + * cis/cis-ubuntu14.04lts-level1 + * cis/cis-ubuntu14.04lts-level2 +``` + ### Run a profile from Chef Compliance / Chef Automate on Workstation ``` @@ -179,6 +281,14 @@ $ inspec compliance logout Successfully logged out ``` +or + +``` +$ inspec automate logout +Successfully logged out +``` + + ## Integration Tests At this point of time, InSpec is not able to pick up the token directly, therefore the integration test is semi-automatic at this point of time: 
diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance.rb index 035cf3eee..4dfeca5c2 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance.rb @@ -7,6 +7,11 @@ module InspecPlugins require_relative "inspec-compliance/cli" InspecPlugins::Compliance::CLI end + + cli_command :automate do + require_relative "inspec-compliance/cli" + InspecPlugins::Compliance::CLI + end end autoload :Configuration, "plugins/inspec-compliance/lib/inspec-compliance/configuration" diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb index ad49dfbcf..d22c0f559 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb @@ -9,7 +9,7 @@ module InspecPlugins class CannotDetermineServerType < StandardError; end def login(options) - raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"] + raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER` or `#{EXEC_NAME} automate login https://SERVER`" unless options["server"] options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil? @@ -179,7 +179,7 @@ module InspecPlugins def self.compliance_verify_thor_options(o) error_msg = [] - error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil? + error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER` or `#{EXEC_NAME} automate login https://SERVER`") if o["server"].nil? if o["user"].nil? && o["refresh_token"].nil? error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`") 
diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index a070476a7..bdadc12dd 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb @@ -6,8 +6,7 @@ module InspecPlugins module Compliance class CLI < Inspec.plugin(2, :cli_command) include Inspec::Dist - - subcommand_desc "compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands" + subcommand_desc "compliance SUBCOMMAND or automate SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands" # desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER' desc "login", "Log in to a #{COMPLIANCE_PRODUCT_NAME}/#{AUTOMATE_PRODUCT_NAME} SERVER" @@ -65,7 +64,7 @@ module InspecPlugins exit 1 end rescue InspecPlugins::Compliance::ServerConfigurationMissing - $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} compliance login`" + $stderr.puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`" exit 1 end @@ -167,7 +166,7 @@ module InspecPlugins # determine user information if (config["token"].nil? && config["refresh_token"].nil?) || config["user"].nil? - error.call("Please login via `#{EXEC_NAME} compliance login`") + error.call("Please login via `#{EXEC_NAME} #{subcommand_name} login`") end # read profile name from inspec.yml @@ -233,7 +232,7 @@ module InspecPlugins exit 1 end rescue InspecPlugins::Compliance::ServerConfigurationMissing - puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} compliance login`" + puts "\nServer configuration information is missing. Please login using `#{EXEC_NAME} #{subcommand_name} login`" exit 1 end 
@@ -258,9 +257,13 @@ module InspecPlugins def loggedin(config) serverknown = !config["server"].nil? - puts "You need to login first with `#{EXEC_NAME} compliance login`" unless serverknown + puts "You need to login first with `#{EXEC_NAME} #{subcommand_name} login`" unless serverknown serverknown end + + def subcommand_name + @_invocations[Inspec::InspecCLI]&.first || "automate" + end end # register the subcommand to InSpec CLI registry diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb index d74acef82..d331c2a51 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb @@ -34,13 +34,13 @@ module InspecPlugins if config["token"].nil? && config["refresh_token"].nil? if config["server_type"] == "automate" server = "automate" - msg = "#{EXEC_NAME} compliance login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN" + msg = "#{EXEC_NAME} compliance or automate login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN" elsif config["server_type"] == "automate2" server = "automate2" - msg = "#{EXEC_NAME} compliance login https://your_automate2_server --user USER --token APITOKEN" + msg = "#{EXEC_NAME} compliance or automate login https://your_automate2_server --user USER --token APITOKEN" else server = "compliance" - msg = "#{EXEC_NAME} compliance login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' " + msg = "#{EXEC_NAME} compliance or automate login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' " end raise Inspec::FetcherFailure, <<~EOF 
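Review bot: `subcommand_name` reads `@_invocations`, which this class never assigns and which appears to come from the CLI framework's base class, so every login hint now depends on an internal detail with no comment saying so. The `&.` only covers a missing `Inspec::InspecCLI` entry; if the variable itself is unset, `@_invocations[...]` raises NoMethodError before the `"automate"` fallback is reached. A guarded form such as `(@_invocations || {})[Inspec::InspecCLI]&.first || "automate"` keeps the hint from turning into a crash, and a one-line comment such as `# name the user typed (compliance or automate); falls back to automate` would record the intent. The enclosing class begins outside the hunk.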
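Review bot: The rewritten hint for the `compliance` server type still ends in `--user admin --insecure --token 'PASTE TOKEN HERE'`, so the command users are told to copy pairs a token with `--insecure`. If that flag disables TLS certificate verification, as its name suggests, the token goes to a server whose identity was never checked, and the hint should leave the flag out so that it stays an explicit opt-in. The three messages also now read `compliance or automate login`, which cannot be pasted as a command; `msg = "#{EXEC_NAME} [compliance|automate] login https://your_compliance_server --user admin --token 'PASTE TOKEN HERE'"` fixes both points for the last branch. The enclosing method starts and ends outside the hunk.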
@@ -136,7 +136,8 @@ module InspecPlugins if m.nil? raise "Unable to determine compliance profile name. This can be caused by " \ "an incorrect server in your configuration. Try to login to compliance " \ - "via the `#{EXEC_NAME} compliance login` command." + "via the `#{EXEC_NAME} compliance login` command or " \ + "via the `#{EXEC_NAME} automate login` command." end "#{m[:owner]}/#{m[:id]}" diff --git a/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb b/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb index 1b9dd117e..b28436212 100644 --- a/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb +++ b/lib/plugins/inspec-compliance/test/functional/inspec_compliance_test.rb 
@@ -50,4 +50,54 @@ class ComplianceCli < Minitest::Test assert_exit_code 0, out # TODO: make this error end + + ## testing automate command for compliances + + def test_help_output_using_automate_cmd + out = run_inspec_process("automate help") + + assert_includes out.stdout, "inspec automate exec PROFILE" + + assert_exit_code 0, out + end + + def test_logout_command_using_automate_cmd + out = run_inspec_process("automate logout") + + assert_includes out.stdout, "" + + assert_exit_code 0, out + end + + def test_error_login_with_invalid_url_using_automate_cmd + out = run_inspec_process("automate login") + + assert_includes out.stderr, 'ERROR: "inspec automate login" was called with no arguments' + + assert_exit_code 1, out + end + + def test_profile_list_without_auth_using_automate_cmd + out = run_inspec_process("automate profiles") + + assert_includes out.stdout, "You need to login first with `inspec automate login`" + + assert_exit_code 0, out # TODO: make this error + end + + def test_error_upload_without_args_using_automate_cmd + out = run_inspec_process("automate upload") + + assert_includes out.stderr, 'ERROR: "inspec automate upload" was called with no arguments' + + assert_exit_code 1, out + end + + def test_error_upload_with_fake_path_using_automate_cmd + out = run_inspec_process("automate upload /path/to/dir") + + assert_includes out.stdout, "You need to login first with `inspec automate login`" + + assert_exit_code 0, out # TODO: make this error + end end From 89848feedb1e657e330abbef5750bdcd31dce5d3 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 30 Apr 2021 12:17:41 -0700 Subject: [PATCH 081/483] Make sure we use chef-telemetry 1.0.8+ This version drops the http dep which greatly reduces the overall size of deps. Signed-off-by: Tim Smith --- inspec-core.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec-core.gemspec b/inspec-core.gemspec index 251cfc291..0ecc8ad4d 100644 --- a/inspec-core.gemspec 
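Review bot: In `test_logout_command_using_automate_cmd` the line `assert_includes out.stdout, ""` can never fail, because every string includes the empty string, so the test checks only the exit code. Either assert the text that `automate logout` is expected to print when no session exists, or replace the line with a check that can fail, such as `assert_empty out.stderr`. The three tests marked `# TODO: make this error` likewise accept exit code 0 for unauthenticated `profiles` and `upload` calls, which is worth tracking in an issue rather than only in comments.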
+++ b/inspec-core.gemspec @@ -23,7 +23,7 @@ Gem::Specification.new do |spec| .reject { |f| File.directory?(f) } # Implementation dependencies - spec.add_dependency "chef-telemetry", "~> 1.0" + spec.add_dependency "chef-telemetry", "~> 1.0", ">= 1.0.8" # 1.0.8+ removes the http dep spec.add_dependency "license-acceptance", ">= 0.2.13", "< 3.0" spec.add_dependency "thor", ">= 0.20", "< 2.0" spec.add_dependency "method_source", ">= 0.8", "< 2.0" From 05782c665fff00685cfa8080e9e0ada19f09b751 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 30 Apr 2021 12:18:38 -0700 Subject: [PATCH 082/483] Update Ruby in omnibus packages to 2.7.3 This resolves a large number of bugs and fixes several CVEs Signed-off-by: Tim Smith --- omnibus_overrides.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb index 488204d6a..87de6c30a 100644 --- a/omnibus_overrides.rb +++ b/omnibus_overrides.rb @@ -3,7 +3,7 @@ # grab the current train release from rubygems.org train_stable = /^train \((.*)\)/.match(`gem list ^train$ --remote`)[1] override "train", version: "v#{train_stable}" -override "ruby", version: "2.7.2" +override "ruby", version: "2.7.3" # Mac m1 override "openssl", version: "1.1.1j" if mac_os_x? From a0d15f290807d2c3561370cbe3fad2c08fcb80d1 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Fri, 30 Apr 2021 12:20:01 -0700 Subject: [PATCH 083/483] Update openssl to 1.1.1k on macos This resolves several CVEs Signed-off-by: Tim Smith --- omnibus_overrides.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb index 488204d6a..a86c753fa 100644 --- a/omnibus_overrides.rb +++ b/omnibus_overrides.rb @@ -6,4 +6,4 @@ override "train", version: "v#{train_stable}" override "ruby", version: "2.7.2" # Mac m1 -override "openssl", version: "1.1.1j" if mac_os_x? +override "openssl", version: "1.1.1k" if mac_os_x? From 66bf825c5f458b6678a9defa56c9a35a5a31c57c Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 3 May 2021 00:36:56 +0000 Subject: [PATCH 084/483] Update CHANGELOG.md with details from pull request #5493 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe2e6e9f9..15533ea00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## Unreleased + +#### Merged Pull Requests +- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) - + +### Changes since 4.36.4 release + +#### Merged Pull Requests +- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) From 99251e903ebc782d89587fb5d497bb1bee395ba7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 3 May 2021 00:38:46 +0000 Subject: [PATCH 085/483] Update CHANGELOG.md with details from pull request #5492 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 15533ea00..2d7563b80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ ## Unreleased #### Merged Pull Requests +- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) - Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) @@ -11,6 +12,7 @@ ### Changes since 4.36.4 release #### Merged Pull Requests +- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) - Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) From 7100701a93967e8e25f4bd623569824db4f0a9c7 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 3 May 2021 00:40:52 +0000 Subject: [PATCH 086/483] Bump version to 4.36.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 6 ++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d7563b80..0a913fb05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,10 @@ # Change Log - -## Unreleased + +## [v4.36.5](https://github.com/inspec/inspec/tree/v4.36.5) (2021-05-03) #### Merged Pull Requests +- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) - Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) - Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) @@ -12,6 +13,7 @@ ### Changes since 4.36.4 release #### Merged Pull Requests +- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) - Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) - Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 8bd94aeb1..ce6975ba0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.4 \ No newline at end of file +4.36.5 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f9146d907..8ffda0933 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.4".freeze + VERSION = "4.36.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 2167935fb..5dc161caa 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.4".freeze + VERSION = "4.36.5".freeze end From dde2017becc145b0785324cde7492d6185ec4fb1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 3 May 2021 00:51:13 +0000 Subject: [PATCH 087/483] Update CHANGELOG.md with details from pull request #5488 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a913fb05..36c3e302c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,18 +1,17 @@ # Change Log - -## [v4.36.5](https://github.com/inspec/inspec/tree/v4.36.5) (2021-05-03) + +## Unreleased #### Merged Pull Requests -- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) -- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) -- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) +- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) ### Changes since 4.36.4 release #### Merged Pull Requests +- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) - Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) - Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) - Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) From 3dc64f0d9d5475907d00e2b488b188c077bc5fd9 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 11 Aug 2020 11:31:34 -0400 Subject: [PATCH 088/483] Comment out aspirational test suites in kitchen.yml Signed-off-by: Clinton Wolfe --- kitchen.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/kitchen.yml b/kitchen.yml index bafe4699e..d710f13f9 100644 --- a/kitchen.yml +++ b/kitchen.yml 
@@ -117,6 +117,10 @@ suites: docker: true application: false -- name: resources-database -- name: resources-unix -- name: resources-windows +# These are planned for the future +# Suites which exercise resources that exercise databases +# - name: resources-database +# Unix-only resources +# - name: resources-unix +# Windows-only resources +# - name: resources-windows From 55732b848a46a2c300de974213f7f03b8a23c0be Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 11 Aug 2020 17:15:38 -0400 Subject: [PATCH 089/483] Do not use audit cookbook for resource testing Signed-off-by: Clinton Wolfe --- dev-docs/integration-testing.md | 8 ++-- kitchen.yml | 17 ++------ .../install_inspec/recipes/default.rb | 7 +++- .../policies/default/controls/_debug_spec.rb | 1 + .../policies/default/controls/audit_spec.rb | 39 ------------------- 5 files changed, 13 insertions(+), 59 deletions(-) delete mode 100644 test/kitchen/policies/default/controls/audit_spec.rb diff --git a/dev-docs/integration-testing.md b/dev-docs/integration-testing.md index 51b531167..35b370064 100644 --- a/dev-docs/integration-testing.md +++ b/dev-docs/integration-testing.md @@ -2,7 +2,7 @@ ## Introduction -Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker as our backend. You should install and have Docker running befor you run any tests. +Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker (kitchen-dokken) as our backend. You should install and have Docker running before you run any tests. ### How to run specific integrations 
@@ -23,8 +23,6 @@ bundle exec rake test:integration[default-ubuntu-1604] We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen. -### Audit Testing +### Why no audit cookbook testing? -For Audit cookbook testing Chef InSpec sets up some special hooks. The integration rake command will bundle up the current checkout into a gem which is passed along to test kitchen in the os_prepare cookbook. When this cookbook is run it will install the local inspec gem. Audit will then use this gem accordingly when running in the post chef-client validators. The .kitchen.yml is setup to export the audit report to a json file which we look for and confirm the structure in the test/integration/default/controls/audit_spec.rb file. - -In the validation file we confirm that the file was created from audit and that the structure looks correct. We also validate that the inspec ran with audit is the same that the current branch is using. This validates that audit did not use a older version for some reason. +Audit cookbook testing is handled in the audit cookbook repo. In addition, the audit cookbook restricts which InSpec gem can be installed, forcing the installation from Rubygems for Chef clients 15+. Since we need to test with the from-source inspec gem, we can't use that approach. Instead, we don't test using audit cookbook here. diff --git a/kitchen.yml b/kitchen.yml index d710f13f9..d4bb28afe 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -1,7 +1,7 @@ --- driver: name: dokken - chef_version: 14.12.9 + chef_version: :latest privileged: true # because Docker and SystemD/Upstart transport: 
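Review bot: `chef_version: :latest` in the `driver` section makes every run pull whichever Chef client image is newest, and the same driver sets `privileged: true`. A failing or changed run can then no longer be traced to a commit in this repository, and any new upstream image is executed with elevated container privileges without review. Pinning to a version the project supports and bumping it deliberately keeps runs reproducible, for example `chef_version: 16` (constructed value). If tracking the newest client is intended, a comment such as `# intentionally unpinned: tests must pass on the newest Chef client` would make that explicit.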
@@ -97,22 +97,11 @@ suites: - name: resources-core run_list: - recipe[os_prepare] - - recipe[audit] verifier: inspec_tests: - - test/kitchen/policies/resources-core + # TODO - split these out into core, database, unix, and windows resources + - test/kitchen/policies/default attributes: - audit: - attributes: - audit_attribute: 'Attribute Override!' - insecure: true - reporter: ['json-file','chef-automate'] - fetcher: 'chef-automate' - json_file: - location: /tmp/json_export.json - profiles: - - name: integration - url: https://github.com/inspec/inspec-integration-profile/archive/master.zip osprepare: docker: true application: false diff --git a/test/kitchen/cookbooks/install_inspec/recipes/default.rb b/test/kitchen/cookbooks/install_inspec/recipes/default.rb index 44e72e665..1c729e462 100644 --- a/test/kitchen/cookbooks/install_inspec/recipes/default.rb +++ b/test/kitchen/cookbooks/install_inspec/recipes/default.rb @@ -8,10 +8,15 @@ cookbook_file "/root/inspec-core-bin.gem" do action :create end +# Must explicitly remove then re-install as it has an executable file +# conflict with the incoming package +chef_gem "inspec-core" do + action :remove +end chef_gem "inspec-core" do source "/root/inspec-core.gem" - action :upgrade + action :install end chef_gem "inspec-core-bin" do diff --git a/test/kitchen/policies/default/controls/_debug_spec.rb b/test/kitchen/policies/default/controls/_debug_spec.rb index 49e392612..26add41b0 100644 --- a/test/kitchen/policies/default/controls/_debug_spec.rb +++ b/test/kitchen/policies/default/controls/_debug_spec.rb @@ -2,6 +2,7 @@ $stderr.puts "-----------------------------------" $stderr.puts " TEST ENVIRONMENT " $stderr.puts "-----------------------------------" $stderr.puts " Docker: #{!ENV['DOCKER'].nil?}" +$stderr.puts " InSpec: #{Inspec::VERSION}" $stderr.puts " OS name: #{os[:name] || 'unknown' }" $stderr.puts "OS release: #{os[:release] || 'unknown'}" $stderr.puts " OS family: #{os[:family] || 'unknown'}" 
diff --git a/test/kitchen/policies/default/controls/audit_spec.rb b/test/kitchen/policies/default/controls/audit_spec.rb deleted file mode 100644 index a10299250..000000000 --- a/test/kitchen/policies/default/controls/audit_spec.rb +++ /dev/null @@ -1,39 +0,0 @@ -# This file tests the audit validation which runs as part of the -# chef-client process. This is setup to export to a json file in the .kitchen.yml -# -# For more info please see docs/dev/integratin_test.md - -control 'Test audit cookbook json exist' do - describe file('/tmp/json_export.json') do - it { should exist } - its('size') { should > 0 } - end -end - -# Grab bundled inspec version. This should be the same as the one -# passed for audit cookbook. If its not, you should do a `bundle install` -inspec_version = Inspec::VERSION -# or: Gem.loaded_specs['inspec'].version.to_s rescue Inspec::VERSION - -control 'Test audit cookbook json output' do - describe json('/tmp/json_export.json') do - its(['platform', 'name']) { should eq platform.name } - its(['statistics', 'duration']) { should > 0 } - its('version') { should cmp inspec_version } - end -end - -# make sure all tests passed -file = file('/tmp/json_export.json') -if file.exist? - json = JSON.parse(file.content) - json['profiles'].first['controls'].each do |child_control| - child_control['results'].each do |result| - control result['code_desc'] do - describe json(content: result.to_json) do - its('status') { should cmp 'passed' } - end - end - end - end -end From 3df3e11c475ad1c98776f2e32a46f62a7b11a61e Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 12 Aug 2020 13:02:29 -0400 Subject: [PATCH 090/483] We're not talking to automate, don't pretend we are Signed-off-by: Clinton Wolfe --- kitchen.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/kitchen.yml b/kitchen.yml index d4bb28afe..adbd8993c 100644 --- a/kitchen.yml +++ b/kitchen.yml 
@@ -14,11 +14,6 @@ lifecycle: provisioner: name: dokken - client_rb: - data_collector.server_url: <%= ENV['COLLECTOR_URL'] %> - data_collector.token: <%= ENV['COLLECTOR_TOKEN'] %> - ssl_verify_mode: :verify_none - verify_api_cert: false verifier: name: inspec From 79468b721ec6ff2c840e87cf25b9efab309ca09f Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 12 Aug 2020 13:08:32 -0400 Subject: [PATCH 091/483] Add commentary to kitchen.yml Signed-off-by: Clinton Wolfe --- kitchen.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kitchen.yml b/kitchen.yml index adbd8993c..4215e6971 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -8,6 +8,9 @@ transport: name: dokken lifecycle: + # The purpose of this code is to build the InSpec gems from source and then make them available + # to the install_inspec cookbook, which will install the gems. This means that the inspec used + # during the Kitchen Verify phase will be the version from source. pre_converge: - local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem - local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem @@ -19,6 +22,9 @@ verifier: name: inspec sudo: true +# Test against every supported target platform for which we have a dokken image. +# If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing. +# Try to keep this list up to date! platforms: - name: amazonlinux driver: From d9d021a8614dfbd8c4ca6dea7c6adb7884778bc4 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 13 Aug 2020 12:18:42 -0400 Subject: [PATCH 092/483] Update versions of dokken images used and get most of them working; oraclelinux 8 is not working Signed-off-by: Clinton Wolfe --- kitchen.yml | 34 ++++++++++++++----- .../cookbooks/os_prepare/recipes/iptables.rb | 10 +++--- 2 files changed, 32 insertions(+), 12 deletions(-) 
diff --git a/kitchen.yml b/kitchen.yml index 4215e6971..fcd86ae31 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -25,12 +25,13 @@ verifier: # Test against every supported target platform for which we have a dokken image. # If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing. # Try to keep this list up to date! +# Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images platforms: + - name: amazonlinux driver: image: dokken/amazonlinux pid_one_command: /sbin/init - - name: amazonlinux-2 driver: image: dokken/amazonlinux-2 @@ -40,11 +41,14 @@ platforms: driver: image: dokken/centos-6 pid_one_command: /sbin/init - - name: centos-7 driver: image: dokken/centos-7 pid_one_command: /usr/lib/systemd/systemd +- name: centos-8 + driver: + image: dokken/centos-8 + pid_one_command: /usr/lib/systemd/systemd - name: debian-9 driver: @@ -52,7 +56,6 @@ platforms: pid_one_command: /bin/systemd intermediate_instructions: - RUN /usr/bin/apt-get update -y - - name: debian-10 driver: image: dokken/debian-10 
@@ -60,20 +63,30 @@ platforms: intermediate_instructions: - RUN /usr/bin/apt-get update -y -- name: fedora-29 +- name: fedora-30 driver: - image: dokken/fedora-29 + image: dokken/fedora-30 + pid_one_command: /usr/lib/systemd/systemd +- name: fedora-31 + driver: + image: dokken/fedora-31 pid_one_command: /usr/lib/systemd/systemd - name: oraclelinux-6 driver: image: dokken/oraclelinux-6 pid_one_command: /sbin/init - - name: oraclelinux-7 driver: image: dokken/oraclelinux-7 pid_one_command: /usr/lib/systemd/systemd +# [2020-08-12T17:38:38+00:00] FATAL: RuntimeError: dnf_package[openssh-server] (ssh-hardening::server line 47) had an error: RuntimeError: dnf-helper.py had stderr output: +# Errors during downloading metadata for repository 'ol8_baseos_latest': +# - Curl error (6): Couldn't resolve host name for https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/repodata/repomd.xml [Could not resolve host: yum$ociregion.oracle.com] +# - name: oraclelinux-8 +# driver: +# image: dokken/oraclelinux-8 +# pid_one_command: /usr/lib/systemd/systemd - name: opensuse-leap driver: @@ -86,16 +99,21 @@ platforms: pid_one_command: /bin/systemd intermediate_instructions: - RUN /usr/bin/apt-get update -y - - name: ubuntu-18.04 driver: image: dokken/ubuntu-18.04 pid_one_command: /bin/systemd intermediate_instructions: - RUN /usr/bin/apt-get update -y +- name: ubuntu-20.04 + driver: + image: dokken/ubuntu-20.04 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update -y suites: -- name: resources-core +- name: resources run_list: - recipe[os_prepare] verifier: diff --git a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb index 99842b7f8..c9fe86165 100644 --- a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb +++ b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb 
@@ -1,8 +1,10 @@ if platform_family?("rhel", "debian", "fedora", "amazon", "suse") - package value_for_platform_family( - %w{centos oracle} => %w{iptables iptables-ipv6}, - "default" => [ "iptables" ] - ) + package "iptables" + + if platform?("centos", "oracle") + package value_for_platform([ "centos", "oracle" ] => {"< 8" => "iptables-ipv6", ">= 8" => "iptables"}) + end + # IPv4 execute "iptables -A INPUT -i eth0 -p tcp -m tcp "\ "--dport 80 -m state --state NEW -m comment "\ From e8572d96e0bf417addce48dab84ce46db9c5cd6b Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 13 Aug 2020 13:44:40 -0400 Subject: [PATCH 093/483] Add buildkite definition for Dokken kitchen jobs Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 21 ++++++++++++++++++++- kitchen.yml => kitchen.dokken.yml | 0 2 files changed, 20 insertions(+), 1 deletion(-) rename kitchen.yml => kitchen.dokken.yml (100%) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index 792d60054..f8c37c73d 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -1 +1,20 @@ -# +--- +expeditor: + defaults: + buildkite: + timeout_in_minutes: 45 + retry: + automatic: + limit: 1 + +steps: + - label: integration-test-kitchen + command: + - RAKE_TASK=test:integration /workdir/.expeditor/buildkite/verify.sh + expeditor: + executor: + docker: + environment: + - CONCURRENCY: 5 + - DOCKER: 1 + image: ruby:2.7 diff --git a/kitchen.yml b/kitchen.dokken.yml similarity index 100% rename from kitchen.yml rename to kitchen.dokken.yml From 531abc0f301f8b9019983ea5c5a409630d21f93b Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 10:52:32 -0400 Subject: [PATCH 094/483] Set Kitchenfile path for resource testing Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 1 + 1 file changed, 1 insertion(+) 
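Review bot: On CentOS and Oracle 8 and later the new `value_for_platform` lookup resolves to `iptables`, which `package "iptables"` has already declared two lines earlier, so the inner block only does real work on releases below 8. Writing that intent directly would read more clearly, for example `package "iptables-ipv6" if platform?("centos", "oracle") && node["platform_version"].to_i < 8`. The enclosing `if platform_family?(...)` block continues past the end of this hunk.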
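Review bot: The new step runs in `image: ruby:2.7`, a mutable tag, so the contents of the CI container can change between builds without any change in this repository. Pinning the image by digest, `image: ruby:2.7@sha256:<digest-placeholder>`, keeps the build environment reviewable and reproducible. A short comment beside the pin saying how the digest is refreshed would help whoever bumps it next.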
diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index f8c37c73d..71518b378 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -17,4 +17,5 @@ steps: environment: - CONCURRENCY: 5 - DOCKER: 1 + - KITCHEN_YAML: kitchen.dokken.yml image: ruby:2.7 From f5c8f67c2bc3279fcdb8843d01383b233104915f Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 11:54:39 -0400 Subject: [PATCH 095/483] Do not build inspec gem locally or install in os_prepare Signed-off-by: Clinton Wolfe --- kitchen.dokken.yml | 8 -------- test/kitchen/cookbooks/os_prepare/recipes/default.rb | 4 ---- 2 files changed, 12 deletions(-) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index fcd86ae31..d8e388cf0 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -7,14 +7,6 @@ driver: transport: name: dokken -lifecycle: - # The purpose of this code is to build the InSpec gems from source and then make them available - # to the install_inspec cookbook, which will install the gems. This means that the inspec used - # during the Kitchen Verify phase will be the version from source. - pre_converge: - - local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem - - local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem - provisioner: name: dokken diff --git a/test/kitchen/cookbooks/os_prepare/recipes/default.rb b/test/kitchen/cookbooks/os_prepare/recipes/default.rb index ff332190c..971bf7934 100644 --- a/test/kitchen/cookbooks/os_prepare/recipes/default.rb +++ b/test/kitchen/cookbooks/os_prepare/recipes/default.rb 
@@ -3,10 +3,6 @@ apt_update if platform_family?("debian") -# inject the current inspec gem for use with audit cookbook -# this is generated via Rake test:integration -include_recipe("install_inspec") - def uuid_from_string(string) require "digest/sha1" hash = Digest::SHA1.new From 26cc73f608be8d4450268b5e5b6876d765f86b48 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 12:49:58 -0400 Subject: [PATCH 096/483] Add note about oraclelinux-8 Signed-off-by: Clinton Wolfe --- kitchen.dokken.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index d8e388cf0..c3d76ca62 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -72,6 +72,7 @@ platforms: driver: image: dokken/oraclelinux-7 pid_one_command: /usr/lib/systemd/systemd +# TODO: oraclelinux-8 is disabled because it currently fails with the following error: # [2020-08-12T17:38:38+00:00] FATAL: RuntimeError: dnf_package[openssh-server] (ssh-hardening::server line 47) had an error: RuntimeError: dnf-helper.py had stderr output: # Errors during downloading metadata for repository 'ol8_baseos_latest': # - Curl error (6): Couldn't resolve host name for https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/repodata/repomd.xml [Could not resolve host: yum$ociregion.oracle.com] From 37f39582cc940131981c1fed9f580edfefef6d0a Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 12:57:46 -0400 Subject: [PATCH 097/483] Disable opensuse testing for now Signed-off-by: Clinton Wolfe --- kitchen.dokken.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index c3d76ca62..02d3fd8dc 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml 
@@ -81,10 +81,12 @@ platforms: # image: dokken/oraclelinux-8 # pid_one_command: /usr/lib/systemd/systemd -- name: opensuse-leap - driver: - image: dokken/opensuse-leap-42 - pid_one_command: /bin/systemd +# TODO: opensuse-leap is disabled because of the following error: +# [2020-10-23T16:08:49+00:00] FATAL: Chef::Exceptions::ProviderNotFound: package[openssh-server] (ssh-hardening::server line 47) had an error: Chef::Exceptions::ProviderNotFound: Cannot find a provider for package[openssh-server] on linux version 4.19.76-linuxkit +# - name: opensuse-leap +# driver: +# image: dokken/opensuse-leap-15 +# pid_one_command: /bin/systemd - name: ubuntu-16.04 driver: From 099060e38d7e166970562c612b0d545771e77398 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 16:53:30 -0400 Subject: [PATCH 098/483] Seems more stable with concurrency 3, may increase later Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index 71518b378..f951067c6 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -2,7 +2,7 @@ expeditor: defaults: buildkite: - timeout_in_minutes: 45 + timeout_in_minutes: 60 retry: automatic: limit: 1 @@ -15,7 +15,7 @@ steps: executor: docker: environment: - - CONCURRENCY: 5 + - CONCURRENCY: 3 - DOCKER: 1 - KITCHEN_YAML: kitchen.dokken.yml image: ruby:2.7 From a8298b42b7d172db2077b8aa723abca225dfb311 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Fri, 23 Oct 2020 17:06:47 -0400 Subject: [PATCH 099/483] Rename test:integration to test:kitchen for clarity in Rakefile Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 4 ++-- Rakefile | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index f951067c6..3506d22a8 100644 
--- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -8,9 +8,9 @@ expeditor: limit: 1 steps: - - label: integration-test-kitchen + - label: Resource-Platform Tests command: - - RAKE_TASK=test:integration /workdir/.expeditor/buildkite/verify.sh + - RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh expeditor: executor: docker: diff --git a/Rakefile b/Rakefile index 152aca3fd..1c42a7c38 100755 --- a/Rakefile +++ b/Rakefile @@ -255,14 +255,14 @@ namespace :test do # Inject a prerequisite task task unit: [:accept_license] - task :integration, [:os] do |task, args| + task :kitchen, [:os] do |task, args| concurrency = ENV["CONCURRENCY"] || 1 os = args[:os] || ENV["OS"] || "" ENV["DOCKER"] = "true" if ENV["docker"].nil? sh("bundle exec kitchen test -c #{concurrency} #{os}") end # Inject a prerequisite task - task integration: [:accept_license] + task kitchen: [:accept_license] task :ssh, [:target] do |_t, args| tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default") From 0b4a9a397bc25a7b0c7e9f923149f1ec1fff2b21 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 2 May 2021 21:13:43 -0400 Subject: [PATCH 100/483] Remove EOL'd platforms Signed-off-by: Clinton Wolfe --- kitchen.dokken.yml | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index 02d3fd8dc..d6eab4f43 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -29,10 +29,6 @@ platforms: image: dokken/amazonlinux-2 pid_one_command: /usr/lib/systemd/systemd -- name: centos-6 - driver: - image: dokken/centos-6 - pid_one_command: /sbin/init - name: centos-7 driver: image: dokken/centos-7 
@@ -55,19 +51,11 @@ platforms: intermediate_instructions: - RUN /usr/bin/apt-get update -y -- name: fedora-30 +- name: fedora-latest driver: - image: dokken/fedora-30 - pid_one_command: /usr/lib/systemd/systemd -- name: fedora-31 - driver: - image: dokken/fedora-31 + image: dokken/fedora-latest pid_one_command: /usr/lib/systemd/systemd -- name: oraclelinux-6 - driver: - image: dokken/oraclelinux-6 - pid_one_command: /sbin/init - name: oraclelinux-7 driver: image: dokken/oraclelinux-7 @@ -88,12 +76,6 @@ platforms: # image: dokken/opensuse-leap-15 # pid_one_command: /bin/systemd -- name: ubuntu-16.04 - driver: - image: dokken/ubuntu-16.04 - pid_one_command: /bin/systemd - intermediate_instructions: - - RUN /usr/bin/apt-get update -y - name: ubuntu-18.04 driver: image: dokken/ubuntu-18.04 From ca14b2a901a71a5b59abee1b52ca7283189e8654 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 2 May 2021 21:53:24 -0400 Subject: [PATCH 101/483] Conditionally include a kitchen group in the gemfile for ruby 2.7+ Signed-off-by: Clinton Wolfe --- Gemfile | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Gemfile b/Gemfile index 773609741..0b007d6fa 100644 --- a/Gemfile +++ b/Gemfile @@ -48,3 +48,16 @@ end group :deploy do gem "inquirer" end + +# Only include Test Kitchen support if we are on Ruby 2.7 or higher +# as chef-zero support requires Ruby 2.6 +# See https://github.com/inspec/inspec/pull/5341 +if Gem.ruby_version >= Gem::Version.new("2.7.0") + group :kitchen do + gem "berkshelf" + gem "test-kitchen", ">= 2.8" + gem "kitchen-inspec", ">= 2.0" + gem "kitchen-dokken", ">= 2.11" + gem "git" + end +end From 2c0cd30f256c6ba101ad9e2f95b61d624a10697b Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 2 May 2021 22:00:38 -0400 Subject: [PATCH 102/483] Exclude fedora from installing iptables, as it causes a conflict Signed-off-by: Clinton Wolfe --- test/kitchen/cookbooks/os_prepare/recipes/iptables.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
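Review bot: The comment above the new `:kitchen` group says chef-zero requires Ruby 2.6, but the guard is `Gem.ruby_version >= Gem::Version.new("2.7.0")`, so the stated reason and the enforced floor disagree. One of them should change so the next maintainer knows which version is the real minimum, for example `# chef-zero (pulled in by test-kitchen) does not install on Ruby < 2.7` if 2.7 is the true floor. `berkshelf` and `git` are also added with no version constraint, unlike the three kitchen gems beside them; a lower bound on each would keep resolution for this CI-only group predictable.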
diff --git a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb index c9fe86165..8a52e5573 100644 --- a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb +++ b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb @@ -1,10 +1,11 @@ -if platform_family?("rhel", "debian", "fedora", "amazon", "suse") +if platform_family?("rhel", "debian", "amazon", "suse") package "iptables" - if platform?("centos", "oracle") package value_for_platform([ "centos", "oracle" ] => {"< 8" => "iptables-ipv6", ">= 8" => "iptables"}) end +end +if platform_family?("rhel", "debian", "fedora", "amazon", "suse") # IPv4 execute "iptables -A INPUT -i eth0 -p tcp -m tcp "\ "--dport 80 -m state --state NEW -m comment "\ From 1edf2fea135b5ef3625c7d6db836477882ba22ed Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 2 May 2021 22:12:31 -0400 Subject: [PATCH 103/483] Enable now-working platforms, and remove EOL amazonlinux 1 Signed-off-by: Clinton Wolfe --- kitchen.dokken.yml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index d6eab4f43..ec9f6ecfe 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -20,10 +20,6 @@ verifier: # Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images platforms: -- name: amazonlinux - driver: - image: dokken/amazonlinux - pid_one_command: /sbin/init - name: amazonlinux-2 driver: image: dokken/amazonlinux-2 
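Review bot: After this split Fedora no longer gets a `package "iptables"` resource, but it is still listed in the second `platform_family?` guard, so the `iptables -A` execute resources run there and depend on the binary already being in the image. Nothing in the recipe records that assumption. A comment above the second guard would do it, e.g. `# fedora is not in the install block above because the iptables package conflicts there; the rules below rely on the iptables binary shipped in the image`. The second `if` block continues outside the hunk.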
@@ -60,21 +56,15 @@ platforms: driver: image: dokken/oraclelinux-7 pid_one_command: /usr/lib/systemd/systemd -# TODO: oraclelinux-8 is disabled because it currently fails with the following error: -# [2020-08-12T17:38:38+00:00] FATAL: RuntimeError: dnf_package[openssh-server] (ssh-hardening::server line 47) had an error: RuntimeError: dnf-helper.py had stderr output: -# Errors during downloading metadata for repository 'ol8_baseos_latest': -# - Curl error (6): Couldn't resolve host name for https://yum$ociregion.oracle.com/repo/OracleLinux/OL8/baseos/latest/x86_64/repodata/repomd.xml [Could not resolve host: yum$ociregion.oracle.com] -# - name: oraclelinux-8 -# driver: -# image: dokken/oraclelinux-8 -# pid_one_command: /usr/lib/systemd/systemd +- name: oraclelinux-8 + driver: + image: dokken/oraclelinux-8 + pid_one_command: /usr/lib/systemd/systemd -# TODO: opensuse-leap is disabled because of the following error: -# [2020-10-23T16:08:49+00:00] FATAL: Chef::Exceptions::ProviderNotFound: package[openssh-server] (ssh-hardening::server line 47) had an error: Chef::Exceptions::ProviderNotFound: Cannot find a provider for package[openssh-server] on linux version 4.19.76-linuxkit -# - name: opensuse-leap -# driver: -# image: dokken/opensuse-leap-15 -# pid_one_command: /bin/systemd +- name: opensuse-leap + driver: + image: dokken/opensuse-leap-15 + pid_one_command: /bin/systemd - name: ubuntu-18.04 driver: From 3178569290e96c50486b657c799473beb0e158dd Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 2 May 2021 22:39:25 -0400 Subject: [PATCH 104/483] Run resource integration pipeline when opening PRs Signed-off-by: Clinton Wolfe --- .expeditor/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.expeditor/config.yml b/.expeditor/config.yml index 6b14a70ec..009f2b8d1 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml 
@@ -182,3 +182,4 @@ subscriptions: - inspec/inspec-core-team - trigger_pipeline:coverage - trigger_pipeline:artifact/habitat + - trigger_pipeline:integration/resources From 072a8c438f78209823b993c393678635d007d002 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 3 May 2021 13:45:54 +0530 Subject: [PATCH 105/483] Presenting automate command as alias in both the content and dev docs Signed-off-by: Nikita Mathur --- dev-docs/compliance.md | 2 +- docs-chef-io/content/inspec/cli.md | 4 +++- docs-chef-io/content/inspec/plugin_kitchen_inspec.md | 3 ++- lib/inspec/cli.rb | 2 +- lib/plugins/inspec-compliance/README.md | 2 +- 5 files changed, 8 insertions(+), 5 deletions(-) diff --git a/dev-docs/compliance.md b/dev-docs/compliance.md index 589cc697a..e26c66ae5 100644 --- a/dev-docs/compliance.md +++ b/dev-docs/compliance.md @@ -8,7 +8,7 @@ The `compliance` set of subcommands handle user-initiated communication with Che When Automate initiates scans, the `compliance` subcommand is not used. -An alternate subcommand to `compliance` is `automate`. And it works similarly using `inspec automate`. +`inspec automate` is an alias for `inspec compliance` and works the same way ## Operational Notes diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index c7bf3fd5b..dc1552c23 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -187,7 +187,9 @@ Chef Automate: inspec compliance login inspec exec compliance://username/linux-baseline ``` -An alternate command for login: + +`inspec automate` is an alias for `inspec compliance` and works the same way: + ``` inspec automate login ``` diff --git a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md index 15bac1604..b0229e7f7 100644 --- a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md +++ b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md 
@@ -40,7 +40,8 @@ inspec compliance login https://compliance.test --user admin --insecure --token where `--insecure` is required when using self-signed certificates. -An alternate command for login: +`inspec automate` is an alias for `inspec compliance` and works the same way: + ```bash inspec automate login https://compliance.test --user admin --insecure --token '' ``` diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index b05af6971..70c865705 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -221,7 +221,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI #{Inspec::Dist::EXEC_NAME} compliance login #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline ``` - An alternate command for login: + `inspec automate` is an alias for `inspec compliance` and works the same way: ``` #{Inspec::Dist::EXEC_NAME} automate login ``` diff --git a/lib/plugins/inspec-compliance/README.md b/lib/plugins/inspec-compliance/README.md index f876a667a..6d1d0a596 100644 --- a/lib/plugins/inspec-compliance/README.md +++ b/lib/plugins/inspec-compliance/README.md @@ -6,7 +6,7 @@ This extensions offers the following features: - execute profiles directly from Chef Automate/Chef Compliance locally - upload a local profile to Chef Automate/Chef Compliance -The subcommand `compliance` has an alternate `automate`. And it works similarly using `inspec automate`. +`inspec automate` is an alias for `inspec compliance` and works the same way. To use the CLI, this InSpec add-on adds the following commands: * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance From d18520363bea41789275a88266335602104f5297 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Mon, 3 May 2021 10:48:11 -0700 Subject: [PATCH 106/483] Fix bad link Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/shell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
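Review bot: The new help line in `lib/inspec/cli.rb` hard-codes the executable name `inspec` twice, while the example lines directly above and below it in the same heredoc use `#{Inspec::Dist::EXEC_NAME}`. A rebranded distribution would therefore print a mixed name in this help text. Replacing both literal `inspec` words in the added sentence with `#{Inspec::Dist::EXEC_NAME}` keeps it consistent with its neighbours. The heredoc starts and ends outside the hunk.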
diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 5de5b0d17..8e501256a 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md @@ -233,7 +233,7 @@ $ inspec shell --format json -c 'describe file("/Users/test") do it { should exi ## Running Chef InSpec Shell With Inputs -With InSpec [profiles that support inputs](inspec/inputs/#which-profiles-support-inputs), +With InSpec [profiles that support inputs]({{< relref "inputs/#which-profiles-support-inputs" >}}), you can set inputs using the InSpec `shell` command. This allows you to work more consistently with InSpec profiles when switching between the `shell` and `exec` commands. From e9c82c62de64d1a7a65ded4777318c9ccd1c398b Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 16:52:29 -0400 Subject: [PATCH 107/483] Correct configuration for pull request trigger for integreation/resources pipeline Signed-off-by: Clinton Wolfe --- .expeditor/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.expeditor/config.yml b/.expeditor/config.yml index 009f2b8d1..a47ad2506 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -40,6 +40,7 @@ pipelines: - integration/resources: description: Test core resources with test-kitchen. definition: .expeditor/integration.resources.yml + trigger: pull_request # This breaks expeditor as it does not yet exist # - integration/libraries: # description: Integration with plugins, gems, resource packs. @@ -182,4 +183,3 @@ subscriptions: - inspec/inspec-core-team - trigger_pipeline:coverage - trigger_pipeline:artifact/habitat - - trigger_pipeline:integration/resources From 0589d2434d3e37b257820c7851694b0592e5b943 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 3 May 2021 21:03:04 +0000 Subject: [PATCH 108/483] Bump version to 4.36.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 10 ++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 36c3e302c..35146146b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,10 @@ # Change Log - -## Unreleased + +## [v4.36.6](https://github.com/inspec/inspec/tree/v4.36.6) (2021-05-03) + +#### Enhancements +- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests - Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) @@ -10,6 +13,9 @@ ### Changes since 4.36.4 release +#### Enhancements +- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) - Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index ce6975ba0..82bf43985 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.5 \ No newline at end of file +4.36.6 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8ffda0933..f71480a8d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.5".freeze + VERSION = "4.36.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 5dc161caa..821e64c2d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.5".freeze + VERSION = "4.36.6".freeze end From 6817ed5aa9a230a1e0f0e5626154b94998bdb470 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 17:03:39 -0400 Subject: [PATCH 109/483] Remove outdated instructions about testing AWS and Azure resources Signed-off-by: Clinton Wolfe --- README.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/README.md b/README.md index 016b05200..0a668c51d 100644 --- a/README.md +++ b/README.md @@ -445,18 +445,6 @@ You may test all instances in parallel with: bundle exec kitchen test -c ``` -### AWS Tests - -Use the rake task `bundle exec rake test:aws` to test the AWS resources against a pair of real AWS accounts. - -Please see [TESTING_AGAINST_AWS.md](./test/integration/aws/TESTING_AGAINST_AWS.md) for details on how to setup the needed AWS accounts to perform testing. - -### Azure Tests - -Use the rake task `bundle exec rake test:azure` to test the Azure resources against an Azure account. - -Please see [TESTING_AGAINST_AZURE.md](./test/integration/azure/TESTING_AGAINST_AZURE.md) for details on how to setup the needed Azure accounts to perform testing. - ## License | | | From 904dd03cb7cabbc7b3b974b38c0c2065dfd8e022 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 17:21:38 -0400 Subject: [PATCH 110/483] Update kitchenfile name Signed-off-by: Clinton Wolfe --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0a668c51d..1d9d75471 100644 --- a/README.md +++ b/README.md 
@@ -430,19 +430,19 @@ In addition, these test require Docker to be available on your machine or a remo List the various test instances available: ```bash -bundle exec kitchen list +KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen list ``` -The platforms and test suites are configured in the `.kitchen.yml` file. Once you know which instance you wish to test, test that instance: +The platforms and test suites are configured in the `kitchen.dokken.yml` file. Once you know which instance you wish to test, test that instance: ```bash -bundle exec kitchen test +KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test ``` You may test all instances in parallel with: ```bash -bundle exec kitchen test -c +KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test -c 3 ``` ## License From e290877e33c427e5f0ad25116c8714c0bf0b034e Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 18:15:41 -0400 Subject: [PATCH 111/483] Inline env vars in invocation Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index 3506d22a8..a3c06fe97 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -10,12 +10,8 @@ expeditor: steps: - label: Resource-Platform Tests command: - - RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh + - CONCURRENCY=3 DOCKER=1 KITCHEN_YAML=kitchen.dokken.yml RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh expeditor: executor: docker: - environment: - - CONCURRENCY: 3 - - DOCKER: 1 - - KITCHEN_YAML: kitchen.dokken.yml image: ruby:2.7 From cf8bcfb9fac2056f2d20665cccdafbd2017d6467 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 19:30:01 -0400 Subject: [PATCH 112/483] Borrow docker setup script from chef/chef and try a single suite 
Signed-off-by: Clinton Wolfe --- .expeditor/buildkite/bk_linux_exec.sh | 51 +++++++++++++++++++++++++++ .expeditor/integration.resources.yml | 25 ++++++++++--- 2 files changed, 71 insertions(+), 5 deletions(-) create mode 100755 .expeditor/buildkite/bk_linux_exec.sh diff --git a/.expeditor/buildkite/bk_linux_exec.sh b/.expeditor/buildkite/bk_linux_exec.sh new file mode 100755 index 000000000..b5cbebc5d --- /dev/null +++ b/.expeditor/buildkite/bk_linux_exec.sh 
@@ -0,0 +1,51 @@ +#!/bin/bash + +# Enable IPv6 in docker +echo "--- Enabling ipv6 on docker" +sudo systemctl stop docker +dockerd_config="/etc/docker/daemon.json" +sudo echo "$(jq '. + {"ipv6": true, "fixed-cidr-v6": "2001:2019:6002::/80", "ip-forward": false}' $dockerd_config)" > $dockerd_config +sudo systemctl start docker + +# Install C and C++ +echo "--- Installing package deps" +sudo yum install -y gcc gcc-c++ openssl-devel readline-devel zlib-devel + +# Install ASDF +echo "--- Installing asdf to ${HOME}/.asdf" +git clone https://github.com/asdf-vm/asdf.git "${HOME}/.asdf" +cd "${HOME}/.asdf"; git checkout "$(git describe --abbrev=0 --tags)"; cd - +. "${HOME}/.asdf/asdf.sh" + +# Install Ruby +ruby_version=$(sed -n '/"ruby"/{s/.*version: "//;s/"//;p;}' omnibus_overrides.rb) +echo "--- Installing Ruby $ruby_version" +asdf plugin add ruby +asdf install ruby $ruby_version +asdf global ruby $ruby_version + +# Set Environment Variables +export BUNDLE_GEMFILE=$PWD/Gemfile +export FORCE_FFI_YAJL=ext +export CHEF_LICENSE="accept-silent" + +# Update Gems +echo "--- Installing Gems" +echo 'gem: --no-document' >> ~/.gemrc +sudo iptables -L DOCKER || ( echo "DOCKER iptables chain missing" ; sudo iptables -N DOCKER ) +bundle install --jobs=3 --retry=3 --path=../vendor/bundle + +echo "--- Config information" + +echo "!!!! RUBY VERSION !!!!" +ruby --version +echo "!!!! BUNDLER LOCATION !!!!" +which bundle +echo "!!!! BUNDLER VERSION !!!!" +bundle -v +echo "!!!! DOCKER VERSION !!!!" +docker version +echo "!!!! DOCKER STATUS !!!!" +sudo service docker status + +echo "+++ Running tests" diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index a3c06fe97..59031754e 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml 
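Review bot: The new script never enables error handling, so a failed `jq`, `git clone`, `asdf install` or `bundle install` does not stop it and the kitchen step that follows runs on a half-prepared host; adding `set -eo pipefail` directly under the shebang would make the step fail at the first broken command. In `sudo echo "$(jq ...)" > $dockerd_config` the redirection is performed by the calling shell rather than under sudo, and if `jq` fails the file is overwritten with an empty line. Writing through a temporary file is safer: `jq '<filter>' "$dockerd_config" | sudo tee "$dockerd_config.tmp" >/dev/null && sudo mv "$dockerd_config.tmp" "$dockerd_config"`. The script also clones asdf, checks out whatever tag is newest at build time and sources it, so pinning a reviewed tag or commit would keep the toolchain that runs alongside these `sudo` calls fixed.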
@@ -8,10 +8,25 @@ expeditor: limit: 1 steps: - - label: Resource-Platform Tests - command: - - CONCURRENCY=3 DOCKER=1 KITCHEN_YAML=kitchen.dokken.yml RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh + # - label: Resource-Platform Tests + # command: + # - CONCURRENCY=3 DOCKER=1 KITCHEN_YAML=kitchen.dokken.yml RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh + # expeditor: + # executor: + # docker: + # image: ruby:2.7 + + - label: "Kitchen: resources-amazonlinux-2" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-amazonlinux-2 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml expeditor: executor: - docker: - image: ruby:2.7 + linux: + privileged: true + single-use: true From f8c71cf212c5a8c841dbd7258cb4f1e84c097a8a Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 19:43:31 -0400 Subject: [PATCH 113/483] Add docker=1 flag Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index 59031754e..cb5333433 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -8,14 +8,6 @@ expeditor: limit: 1 steps: - # - label: Resource-Platform Tests - # command: - # - CONCURRENCY=3 DOCKER=1 KITCHEN_YAML=kitchen.dokken.yml RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh - # expeditor: - # executor: - # docker: - # image: ruby:2.7 - - label: "Kitchen: resources-amazonlinux-2" commands: - .expeditor/buildkite/bk_linux_exec.sh @@ -25,6 +17,7 @@ steps: - $PWD/.kitchen/logs/kitchen.log env: KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 expeditor: executor: linux: From eb5615dd431a08dc3868bed9535e26803d2863d1 Mon Sep 17 00:00:00 2001 
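Review bot: The replacement step asks for a `linux` executor with `privileged: true` and runs `.expeditor/buildkite/bk_linux_exec.sh` from the checked-out branch, and the pipeline was given `trigger: pull_request` in `.expeditor/config.yml` earlier in this series. If that trigger also fires for pull requests from forks (not visible from here, please confirm), branch-controlled scripts would run with sudo on the build host before any review. `single-use: true` limits how long that host lives, but a comment on the step stating why privileged mode is needed and which pull requests may start it would make the trust boundary explicit, e.g. `# privileged: needed to reconfigure dockerd for IPv6; this pipeline must only run for trusted branches`.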
From: Clinton Wolfe Date: Mon, 3 May 2021 20:00:38 -0400 Subject: [PATCH 114/483] Add remaining platforms as separate steps Signed-off-by: Clinton Wolfe --- .expeditor/integration.resources.yml | 157 +++++++++++++++++++++++++++ 1 file changed, 157 insertions(+) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index cb5333433..ff0d12972 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml 
@@ -23,3 +23,160 @@ steps: linux: privileged: true single-use: true + + - label: "Kitchen: resources-centos-7" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-centos-7 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-centos-8" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-centos-8 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-debian-9" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-debian-9 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + - label: "Kitchen: resources-debian-10" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-debian-10 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-fedora-latest" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . 
/var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-fedora-latest + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-oraclelinux-7" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-oraclelinux-7 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + - label: "Kitchen: resources-oraclelinux-8" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-oraclelinux-8 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-opensuse-leap" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-opensuse-leap + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + + - label: "Kitchen: resources-ubuntu-1804" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-ubuntu-1804 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + - label: "Kitchen: resources-ubuntu-2004" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . 
/var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-ubuntu-2004 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true From 06fcd26beee11ef0c1cf57f2ae6f0555e053fe5c Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 20:18:31 -0400 Subject: [PATCH 115/483] Conditionalize IPv6 support Signed-off-by: Clinton Wolfe --- .../cookbooks/os_prepare/recipes/iptables.rb | 19 +++++++++++-------- .../default/controls/ip6tables_spec.rb | 5 +++++ 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb index 8a52e5573..2e29232ba 100644 --- a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb +++ b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb @@ -14,12 +14,15 @@ if platform_family?("rhel", "debian", "fedora", "amazon", "suse") execute "iptables -A INPUT -j derby-cognos-web" execute "iptables -A derby-cognos-web -p tcp -m tcp --dport 80 "\ '-m comment --comment "derby-cognos-web" -j ACCEPT' - # IPv6 - execute "ip6tables -A INPUT -i eth0 -p tcp -m tcp "\ - "--dport 80 -m state --state NEW -m comment "\ - '--comment "http v6 on 80" -j ACCEPT' - execute "ip6tables -N derby-cognos-web-v6" - execute "ip6tables -A INPUT -j derby-cognos-web-v6" - execute "ip6tables -A derby-cognos-web-v6 -p tcp -m tcp --dport 80 "\ - '-m comment --comment "derby-cognos-web-v6" -j ACCEPT' + + if ENV['IPV6'] + # IPv6 + execute "ip6tables -A INPUT -i eth0 -p tcp -m tcp "\ + "--dport 80 -m state --state NEW -m comment "\ + '--comment "http v6 on 80" -j ACCEPT' + execute "ip6tables -N derby-cognos-web-v6" + execute "ip6tables -A INPUT -j derby-cognos-web-v6" + execute "ip6tables -A derby-cognos-web-v6 -p tcp -m tcp --dport 80 "\ + '-m comment --comment "derby-cognos-web-v6" -j ACCEPT' + end end 
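Review bot: `if ENV['IPV6']` in `iptables.rb` is true for any value the variable is set to, including `IPV6=0` or `IPV6=false`, because every Ruby string is truthy. The recipe reads the variable in the process that converges the node, while `ip6tables_spec.rb` in the same commit reads it in the InSpec process. If those two run in different environments (plausible with a containerised kitchen driver, though the page does not show it), the rules and the control can disagree. A stricter test such as `if %w[1 true yes].include?(ENV['IPV6'].to_s.downcase)` in both files, plus a comment naming where the variable has to be set, would make the switch predictable. The enclosing `if platform_family?(...)` block starts outside the hunk.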
diff --git a/test/kitchen/policies/default/controls/ip6tables_spec.rb b/test/kitchen/policies/default/controls/ip6tables_spec.rb index a955c4a99..d721acc22 100644 --- a/test/kitchen/policies/default/controls/ip6tables_spec.rb +++ b/test/kitchen/policies/default/controls/ip6tables_spec.rb @@ -1,3 +1,8 @@ +unless ENV['IPV6'] + $stderr.puts "\033[1;33mTODO: Not running #{__FILE__.split("/").last} because we are running without IPv6\033[0m" + return +end + case os[:family] when 'ubuntu', 'fedora', 'debian', 'suse' describe ip6tables do From ca0a56b1ad5f0f317de8b834e31a0d1e335ceb8d Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 4 May 2021 00:52:22 +0000 Subject: [PATCH 116/483] Bump version to 4.36.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 10 ++++------ VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35146146b..6b13600c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,13 +1,10 @@ # Change Log - -## [v4.36.6](https://github.com/inspec/inspec/tree/v4.36.6) (2021-05-03) - -#### Enhancements -- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) + +## [v4.36.7](https://github.com/inspec/inspec/tree/v4.36.7) (2021-05-04) #### Merged Pull Requests -- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) +- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) 
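Review bot: The early `return` at the top of `ip6tables_spec.rb` drops every ip6tables check from the run and leaves only a line on stderr. A report from a run without `IPV6` therefore carries no record that the IPv6 firewall checks were skipped. InSpec's file-level `only_if` should keep them in the report as skipped with a reason, e.g. `only_if('IPv6 not enabled for this run') { ENV['IPV6'] }` in place of the `unless`/`return` block. The guard is also truthy for any set value, so `IPV6=0` still runs the checks. The `case os[:family]` statement continues past the end of the hunk.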
@@ -17,6 +14,7 @@ - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) - Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) - Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 82bf43985..43d61f72e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.6 \ No newline at end of file +4.36.7 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f71480a8d..fe2144e0c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.6".freeze + VERSION = "4.36.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 821e64c2d..8208fec85 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.6".freeze + VERSION = "4.36.7".freeze end From c07513ebe9d8a289595a5c69b5b5ca5845b84eb4 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Tue, 4 May 2021 00:55:03 +0000 Subject: [PATCH 117/483] Bump version to 4.36.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b13600c4..2989d3089 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.7](https://github.com/inspec/inspec/tree/v4.36.7) (2021-05-04) + +## [v4.36.8](https://github.com/inspec/inspec/tree/v4.36.8) (2021-05-04) #### Merged Pull Requests -- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) @@ -14,6 +14,7 @@ - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) - Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) - Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 43d61f72e..e96fe12e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.7 \ No newline at end of file +4.36.8 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index fe2144e0c..23c254e2f 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.7".freeze + VERSION = "4.36.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8208fec85..cdd6d5b1a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.7".freeze + VERSION = "4.36.8".freeze end From 6b4a55aa352fed28322117a5339956d220e7a6a0 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 17:31:54 -0400 Subject: [PATCH 118/483] Remove coverage testing from CI Signed-off-by: Clinton Wolfe --- .expeditor/buildkite/coverage.sh | 70 -------------------------------- .expeditor/config.yml | 8 ---- .expeditor/coverage.pipeline.yml | 19 --------- 3 files changed, 97 deletions(-) delete mode 100755 .expeditor/buildkite/coverage.sh delete mode 100644 .expeditor/coverage.pipeline.yml diff --git a/.expeditor/buildkite/coverage.sh b/.expeditor/buildkite/coverage.sh deleted file mode 100755 index 38e56692c..000000000 --- a/.expeditor/buildkite/coverage.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/bin/bash - -set -ueo pipefail - -export LANG=C.UTF-8 LANGUAGE=C.UTF-8 -# test-reporter expects reporter identifier under this environment variable -CC_TEST_REPORTER_ID="$COVERAGE_ID" -export CC_TEST_REPORTER_ID -TEST_REPORTER_VERSION="0.6.3" -S3_URL="s3://public-cd-buildkite-cache/$BUILDKITE_PIPELINE_SLUG/$BUILDKITE_LABEL" - -download_test_reporter() { - curl -o test-reporter -L https://codeclimate.com/downloads/test-reporter/test-reporter-"$TEST_REPORTER_VERSION"-linux-amd64 - chmod +x test-reporter - touch new_test-reporter -} - -download_s3_file() { - aws s3 cp "$S3_URL/$1" "$1" -} - -upload_s3_file() { - if [ -f "$1" ]; then - aws s3 cp "$1" "$S3_URL/$1" || echo "Could not push $1 to S3 for caching." - fi -} - -echo "--- downloading coverage tool" -download_s3_file test-reporter || download_test_reporter -download_s3_file test-reporter.sha || echo -e "\nCould not download test-reporter.sha" - - -echo "--- updating rubygems" -gem update --system -N - -echo "--- system details" -uname -a -gem env -bundle --version - -echo "--- setting up test coverage before build" -./test-reporter before-build - -echo "--- bundle install" -bundle install --jobs=7 --retry=3 --without tools maintenance deploy - -echo "+++ bundle exec rake" -bundle exec rake test -EXIT_CODE=$? - -echo "+++ formatting and uploading test coverage" -./test-reporter sum-coverage -./test-reporter after-build -t simplecov --exit-code "$EXIT_CODE" - -echo "--- uploading test-reporter.sha to s3" -if [ -f "new_test-reporter" ]; then - echo "new test-reporter detected. uploading." - shasum -a 256 test-reporter > test-reporter.sha - for i in "test-reporter" "test-reporter.sha"; do - upload_s3_file "$i" - done -fi - -if shasum --check test-reporter.sha --status; then - echo "test-reporter shasum mismatch. uploading." - shasum -a 256 test-reporter > test-reporter.sha - for i in "test-reporter" "test-reporter.sha"; do - upload_s3_file "$i" - done -fi 
diff --git a/.expeditor/config.yml b/.expeditor/config.yml index a47ad2506..8cd71cb6e 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -31,12 +31,6 @@ pipelines: - SLOW: 1 - NO_AWS: 1 - MT_CPU: 5 - - coverage: - description: Generate test coverage report - env: - - CI_ENABLE_COVERAGE: true - - LANG: "C.UTF-8" - - SLOW: 1 - integration/resources: description: Test core resources with test-kitchen. definition: .expeditor/integration.resources.yml @@ -181,5 +175,3 @@ subscriptions: only_if_team_member: - inspec/owners - inspec/inspec-core-team - - trigger_pipeline:coverage - - trigger_pipeline:artifact/habitat diff --git a/.expeditor/coverage.pipeline.yml b/.expeditor/coverage.pipeline.yml deleted file mode 100644 index 45630e379..000000000 --- a/.expeditor/coverage.pipeline.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -expeditor: - defaults: - buildkite: - timeout_in_minutes: 30 - - -steps: - - - label: coverage - commands: - - .expeditor/buildkite/coverage.sh - expeditor: - executor: - docker: - secrets: - COVERAGE_ID: - path: secret/coveralls/inspec/inspec - field: reporter_id From c61e70b75b0642040b00e26f0b485603b3b01bea Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 3 May 2021 17:32:34 -0400 Subject: [PATCH 119/483] Remove unused coveralls hooks from test helper Signed-off-by: Clinton Wolfe --- test/helper.rb | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/test/helper.rb b/test/helper.rb index 3c5b8c041..a4f2e6cc2 100644 --- a/test/helper.rb +++ b/test/helper.rb 
@@ -1,22 +1,6 @@ ## # Do not add any code above this line. -## -# Do not add any other code to this code block. Simplecov -# only until the next code block: - -if ENV["CI_ENABLE_COVERAGE"] - require "simplecov/no_defaults" - require "helpers/simplecov_minitest" - - SimpleCov.start do - add_filter "/test/" - add_group "Resources", ["lib/resources", "lib/inspec/resources"] - add_group "Matchers", ["lib/matchers", "lib/inspec/matchers"] - add_group "Backends", "lib/inspec/backend" - end -end - ## # # Do not add any other code from here until the end of this code From f479aa644cf31c8b98d1463cd46fbe2431e2fe8a Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 4 May 2021 01:05:00 +0000 Subject: [PATCH 120/483] Bump version to 4.36.9 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2989d3089..2fade7381 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.8](https://github.com/inspec/inspec/tree/v4.36.8) (2021-05-04) + +## [v4.36.9](https://github.com/inspec/inspec/tree/v4.36.9) (2021-05-04) #### Merged Pull Requests -- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) +- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) 
@@ -14,6 +14,7 @@ - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) - Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) - Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) diff --git a/VERSION b/VERSION index e96fe12e9..7020994e8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.8 \ No newline at end of file +4.36.9 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 23c254e2f..e718b60fb 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.8".freeze + VERSION = "4.36.9".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index cdd6d5b1a..409b3a1f9 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.8".freeze + VERSION = "4.36.9".freeze end From 95656f97da0a0c96a056218fda838f82db00e5fa Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Tue, 4 May 2021 09:22:19 +0000 Subject: [PATCH 121/483] Remove TypeData command was causing error when its called in the same session which was resulting into windows_firewall_rule was not working correctly locally when we have more than one describe block for windows_firewall_rule resource Signed-off-by: Vasu1105 --- lib/inspec/resources/windows_firewall_rule.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/windows_firewall_rule.rb b/lib/inspec/resources/windows_firewall_rule.rb index 99507e683..814ef66b9 100644 --- a/lib/inspec/resources/windows_firewall_rule.rb +++ b/lib/inspec/resources/windows_firewall_rule.rb @@ -105,7 +105,7 @@ module Inspec::Resources # @see https://github.com/chef/chef/blob/master/lib/chef/resource/windows_firewall_rule.rb def load_firewall_state(rule_name) <<-EOH - Remove-TypeData System.Array # workaround for PS bug here: https://bit.ly/2SRMQ8M + Get-TypeData -TypeName System.Array | Remove-TypeData # workaround for PS bug here: https://bit.ly/2SRMQ8M $rule = Get-NetFirewallRule -Name "#{rule_name}" $addressFilter = $rule | Get-NetFirewallAddressFilter $portFilter = $rule | Get-NetFirewallPortFilter From 6d140b89b645c6fe25ff7c276a899b416142ad47 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 4 May 2021 19:04:52 +0530 Subject: [PATCH 122/483] Review changes related to inspec compliance to be treated as backward compatible alias Signed-off-by: Nikita Mathur --- README.md | 3 +- dev-docs/compliance.md | 14 +-- docs-chef-io/content/inspec/cli.md | 6 +- .../content/inspec/plugin_kitchen_inspec.md | 6 +- lib/inspec/cli.rb | 6 +- lib/plugins/inspec-compliance/README.md | 91 +++++++++++-------- .../lib/inspec-compliance/api/login.rb | 4 +- .../lib/inspec-compliance/cli.rb | 2 +- .../lib/inspec-compliance/target.rb | 10 +- 9 files changed, 78 insertions(+), 64 deletions(-) diff --git a/README.md b/README.md index ceca3d9d6..78d866658 100644 --- a/README.md +++ b/README.md 
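Review bot: `rule_name` is interpolated straight into the PowerShell script on the context line `$rule = Get-NetFirewallRule -Name "#{rule_name}"`, inside a double-quoted PowerShell string. A name containing a double quote, a backtick or `$(` therefore alters the script instead of being looked up as a rule name. The commit changes only the `Remove-TypeData` line and leaves this as it was. Rule names come from the profile and may be fed from inputs, so I would pass the name as a single-quoted literal with embedded quotes doubled, `$rule = Get-NetFirewallRule -Name '#{rule_name.gsub("'", "''")}'`, and reject names containing typographic single quotes, which PowerShell also accepts as string delimiters. `load_firewall_state` continues past the end of the hunk.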
@@ -179,7 +179,8 @@ $ inspec --help Commands: inspec archive PATH # archive a profile to tar.gz (default) ... inspec check PATH # verify all tests at the specified PATH - inspec compliance SUBCOMMAND or automate SUBCOMMAND ... # Chef Compliance commands + inspec automate SUBCOMMAND ... # Chef Automate commands + inspec compliance SUBCOMMAND ... # Chef Automate commands (backwards compatible alias) inspec detect # detect the target OS inspec exec PATH(S) # run all test files at the specified PATH. inspec help [COMMAND] # Describe available commands or one spe... diff --git a/dev-docs/compliance.md b/dev-docs/compliance.md index e26c66ae5..808f0889b 100644 --- a/dev-docs/compliance.md +++ b/dev-docs/compliance.md @@ -2,13 +2,13 @@ ## Purpose -The `compliance` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation. +The `automate` set of subcommands handle user-initiated communication with Chef Automate. The commands are provided so that a user can interact with an Automate installation. -`inspec compliance` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients. +`inspec automate` is somewhat analogous to `knife` in that it can be used to upload, download, and manage profiles for distribution to other clients. -When Automate initiates scans, the `compliance` subcommand is not used. +When Automate initiates scans, the `automate` subcommand is not used. -`inspec automate` is an alias for `inspec compliance` and works the same way +`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way ## Operational Notes 
@@ -67,10 +67,10 @@ There are several other minor commands not listed here - see `lib/cli.rb` for a ### login -Saves a credentials file locally. Future invocations of `inspec compliance` or `inspec automate` use the credentials file to authenticate. +Saves a credentials file locally. Future invocations of `inspec automate` or `inspec compliance` use the credentials file to authenticate. -`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` or -`be inspec automate login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` +`be inspec automate login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` or +`be inspec compliance login --user=admin --token='1234567890asdfghjkl' --insecure https://chef-automate.test` Here are the results of running login, from `.inspec/compliance/config.json`: diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index dc1552c23..ca822c988 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -184,14 +184,14 @@ Below are some examples of using `exec` with different test locations: Chef Automate: ``` -inspec compliance login +inspec automate login inspec exec compliance://username/linux-baseline ``` -`inspec automate` is an alias for `inspec compliance` and works the same way: +`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: ``` -inspec automate login +inspec compliance login ``` Chef Supermarket: diff --git a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md index b0229e7f7..7ee439098 100644 --- a/docs-chef-io/content/inspec/plugin_kitchen_inspec.md +++ b/docs-chef-io/content/inspec/plugin_kitchen_inspec.md 
@@ -35,15 +35,15 @@ suites: and then run the following command: ```bash -inspec compliance login https://compliance.test --user admin --insecure --token '' +inspec automate login https://compliance.test --user admin --insecure --token '' ``` where `--insecure` is required when using self-signed certificates. -`inspec automate` is an alias for `inspec compliance` and works the same way: +`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: ```bash -inspec automate login https://compliance.test --user admin --insecure --token '' +inspec compliance login https://compliance.test --user admin --insecure --token '' ``` Use a compliance profile from the Chef Supermarket: diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 70c865705..69aabe928 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -218,12 +218,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI Automate: ``` - #{Inspec::Dist::EXEC_NAME} compliance login + #{Inspec::Dist::EXEC_NAME} automate login #{Inspec::Dist::EXEC_NAME} exec compliance://username/linux-baseline ``` - `inspec automate` is an alias for `inspec compliance` and works the same way: + `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: ``` - #{Inspec::Dist::EXEC_NAME} automate login + #{Inspec::Dist::EXEC_NAME} compliance login ``` Supermarket: diff --git a/lib/plugins/inspec-compliance/README.md b/lib/plugins/inspec-compliance/README.md index 6d1d0a596..c1d7a7580 100644 --- a/lib/plugins/inspec-compliance/README.md +++ b/lib/plugins/inspec-compliance/README.md 
@@ -6,25 +6,26 @@ This extensions offers the following features: - execute profiles directly from Chef Automate/Chef Compliance locally - upload a local profile to Chef Automate/Chef Compliance -`inspec automate` is an alias for `inspec compliance` and works the same way. +`inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way. + To use the CLI, this InSpec add-on adds the following commands: - * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance - * `$ inspec compliance profiles` - list all available Compliance profiles - * `$ inspec exec compliance://profile` - runs a Compliance profile - * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance - * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance - - Similar to these CLI commands are: - * `$ inspec automate login` - authentication of the API token against Chef Automate/Chef Compliance * `$ inspec automate profiles` - list all available Compliance profiles + * `$ inspec exec compliance://profile` - runs a Compliance profile * `$ inspec automate upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance * `$ inspec automate logout` - logout of Chef Automate/Chef Compliance + + Similar to these CLI commands are: + + * `$ inspec compliance login` - authentication of the API token against Chef Automate/Chef Compliance + * `$ inspec compliance profiles` - list all available Compliance profiles + * `$ inspec compliance upload path/to/local/profile` - uploads a local profile to Chef Automate/Chef Compliance + * `$ inspec compliance logout` - logout of Chef Automate/Chef Compliance Compliance profiles can be executed in two ways: -- via compliance exec: `inspec compliance exec profile` or `inspec automate exec profile` +- via compliance exec: `inspec automate exec profile` or `inspec compliance exec profile` - via compliance 
scheme: `inspec exec compliance://profile` @@ -34,21 +35,6 @@ Compliance profiles can be executed in two ways: ### Command options -``` -$ inspec compliance -Commands: - inspec compliance download PROFILE # downloads a profile from Chef Compliance - inspec compliance exec PROFILE # executes a Chef Compliance profile - inspec compliance help [COMMAND] # Describe subcommands or one specific subcommand - inspec compliance login SERVER # Log in to a Chef Automate/Chef Compliance SERVER - inspec compliance logout # user logout from Chef Compliance - inspec compliance profiles # list all available profiles in Chef Compliance - inspec compliance upload PATH # uploads a local profile to Chef Compliance - inspec compliance version # displays the version of the Chef Compliance server -``` - -or - ``` $ inspec automate Commands: @@ -62,10 +48,31 @@ Commands: inspec automate version # displays the version of the Chef Compliance server ``` +or + +``` +$ inspec compliance +Commands: + inspec compliance download PROFILE # downloads a profile from Chef Compliance + inspec compliance exec PROFILE # executes a Chef Compliance profile + inspec compliance help [COMMAND] # Describe subcommands or one specific subcommand + inspec compliance login SERVER # Log in to a Chef Automate/Chef Compliance SERVER + inspec compliance logout # user logout from Chef Compliance + inspec compliance profiles # list all available profiles in Chef Compliance + inspec compliance upload PATH # uploads a local profile to Chef Compliance + inspec compliance version # displays the version of the Chef Compliance server +``` + ### Login with Chef Automate 2 You will need an API token for authentication. You can retrieve one via the admin section of your A2 web gui. +``` +$ inspec automate login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE' +``` + +or + ``` $ inspec compliance login https://automate2.compliance.test --insecure --user 'admin' --token 'zuop..._KzE' ``` 
@@ -89,13 +96,13 @@ Example: You will need an access token for authentication. You can retrieve one via [UI](https://docs.chef.io/api_delivery.html) or [CLI](https://docs.chef.io/ctl_delivery.html#delivery-token). ``` -$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' +$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' ``` or ``` -$ inspec automate login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' +$ inspec compliance login https://automate.compliance.test --insecure --user 'admin' --ent 'brewinc' --token 'zuop..._KzE' ``` ### Login with Chef Compliance @@ -107,19 +114,19 @@ You will need an access token for authentication. You can retrieve one via: You can choose the access token (`--token`) or the refresh token (`--refresh_token`) ``` -$ inspec compliance login https://compliance.test --user admin --insecure --token '...' +$ inspec automate login https://compliance.test --user admin --insecure --token '...' ``` or ``` -$ inspec automate login https://compliance.test --user admin --insecure --token '...' +$ inspec compliance login https://compliance.test --user admin --insecure --token '...' ``` ### List available profiles via Chef Compliance / Automate ``` -$ inspec compliance profiles + $ inspec automate profiles Available profiles: ------------------- * base/apache @@ -143,7 +150,7 @@ Available profiles: or ``` -$ inspec automate profiles +$ inspec compliance profiles Available profiles: ------------------- * base/apache 
@@ -167,9 +174,9 @@ Available profiles: ### Upload a profile to Chef Compliance / Automate ``` -$ inspec compliance version +$ inspec automate version Chef Compliance version: 1.0.11 -➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile +➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile I, [2016-05-06T14:27:20.907547 #37592] INFO -- : Checking profile in examples/profile I, [2016-05-06T14:27:20.907668 #37592] INFO -- : Metadata OK. I, [2016-05-06T14:27:20.968584 #37592] INFO -- : Found 4 controls. @@ -183,7 +190,7 @@ Uploading to Chef Compliance Successfully uploaded profile # display all profiles -$ inspec compliance profiles +$ inspec automate profiles Available profiles: ------------------- * admin/profile @@ -208,9 +215,9 @@ Available profiles: or ``` -$ inspec automate version +$ inspec compliance version Chef Compliance version: 1.0.11 -➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec automate upload examples/profile +➜ inspec git:(chris-rock/cc-error-not-loggedin) ✗ b inspec compliance upload examples/profile I, [2016-05-06T14:27:20.907547 #37592] INFO -- : Checking profile in examples/profile I, [2016-05-06T14:27:20.907668 #37592] INFO -- : Metadata OK. I, [2016-05-06T14:27:20.968584 #37592] INFO -- : Found 4 controls. @@ -224,7 +231,7 @@ Uploading to Chef Compliance Successfully uploaded profile # display all profiles -$ inspec automate profiles +$ inspec compliance profiles Available profiles: ------------------- * admin/profile @@ -270,6 +277,12 @@ $ inspec exec compliance://admin/apache-baseline#2.0.1 ``` Download a specific version(2.0.2) of a profile when logged in with Automate: +``` +$ inspec automate download compliance://admin/apache-baseline#2.0.2 +``` + +or + ``` $ inspec compliance download compliance://admin/apache-baseline#2.0.2 ``` 
@@ -277,14 +290,14 @@ $ inspec compliance download compliance://admin/apache-baseline#2.0.2 ### To Logout from Chef Compliance ``` -$ inspec compliance logout +$ inspec automate logout Successfully logged out ``` or ``` -$ inspec automate logout +$ inspec compliance logout Successfully logged out ``` diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb index d22c0f559..1f1dc585c 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb @@ -9,7 +9,7 @@ module InspecPlugins class CannotDetermineServerType < StandardError; end def login(options) - raise ArgumentError, "Please specify a server using `#{EXEC_NAME} compliance login https://SERVER` or `#{EXEC_NAME} automate login https://SERVER`" unless options["server"] + raise ArgumentError, "Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"] options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil? @@ -179,7 +179,7 @@ module InspecPlugins def self.compliance_verify_thor_options(o) error_msg = [] - error_msg.push("Please specify a server using `#{EXEC_NAME} compliance login https://SERVER` or `#{EXEC_NAME} automate login https://SERVER`") if o["server"].nil? + error_msg.push("Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil? if o["user"].nil? && o["refresh_token"].nil? error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`") diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index bdadc12dd..65009a8e7 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb 
+++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb @@ -6,7 +6,7 @@ module InspecPlugins module Compliance class CLI < Inspec.plugin(2, :cli_command) include Inspec::Dist - subcommand_desc "compliance SUBCOMMAND or automate SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands" + subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands" # desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER' desc "login", "Log in to a #{COMPLIANCE_PRODUCT_NAME}/#{AUTOMATE_PRODUCT_NAME} SERVER" diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb index d331c2a51..27a38c187 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb @@ -34,13 +34,13 @@ module InspecPlugins if config["token"].nil? && config["refresh_token"].nil? if config["server_type"] == "automate" server = "automate" - msg = "#{EXEC_NAME} compliance or automate login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN" + msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN" elsif config["server_type"] == "automate2" server = "automate2" - msg = "#{EXEC_NAME} compliance or automate login https://your_automate2_server --user USER --token APITOKEN" + msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN" else server = "compliance" - msg = "#{EXEC_NAME} compliance or automate login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' " + msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' " end raise Inspec::FetcherFailure, <<~EOF 
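Review bot: The fallback hint in the `else` branch of the target.rb hunk `@@ -34,13 +34,13 @@` still tells users to log in with `--insecure`, which as far as I know turns off TLS certificate verification for the very request that carries the token. Because this text is what a user copies when no token is configured, I would drop the flag from the suggestion: `msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --token 'PASTE TOKEN HERE'"`. `--insecure` can stay in the documentation for self-signed test servers. The enclosing method starts and ends outside the hunk.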
@@ -136,8 +136,8 @@ module InspecPlugins if m.nil? raise "Unable to determine compliance profile name. This can be caused by " \ "an incorrect server in your configuration. Try to login to compliance " \ - "via the `#{EXEC_NAME} compliance login` command or " \ - "via the `#{EXEC_NAME} automate login` command." + "via the `#{EXEC_NAME} automate login` command or " \ + "via the `#{EXEC_NAME} compliance login` command." end "#{m[:owner]}/#{m[:id]}" From 6bcef24cbcd5557c544a74fdfcb768fc87b16ff5 Mon Sep 17 00:00:00 2001 
From: jwdean Date: Tue, 4 May 2021 15:03:30 -0500 Subject: [PATCH 123/483] Modified windows_feature to indicate enabled rather than just available There are three conditions a windows feature may be in as represented by DISM: 1. Available in the OS and enabled dism returns 0 and dism output of state = 'Enabled' 2. Available in the OS but disabled dism returns 0 and dism output of state != 'Enabled' 3. Not available dism returns != 0 This change, in effect, modifies the meaning of installed == true to represent that the feature is both available and enabled. installed == false will now indicate the feature is either unavailable or disabled. The prior implementation indicated the feature was available, but did not recognize the it might be disabled. The most logical use for an InSpec evaluation of a Windows Feature seems to be determining if the feature is enabled or disabled rather than simply available. This updated implementation better represents that goal. ---------- Developer's Certificate of Origin 1.1 By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as Indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. 
(d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. Signed-off-by: Jeff Dean --- lib/inspec/resources/windows_feature.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/inspec/resources/windows_feature.rb b/lib/inspec/resources/windows_feature.rb index 20d92a96d..a691e0d5a 100644 --- a/lib/inspec/resources/windows_feature.rb +++ b/lib/inspec/resources/windows_feature.rb @@ -79,10 +79,11 @@ module Inspec::Resources result = cmd.stdout feature_name_regex = /Feature Name : (.*)(\r\n|\n)/ description_regex = /Description : (.*)(\r\n|\n)/ + state_regex = /State : (.*)(\r\n|\n)/ feature_info = { name: result.match(feature_name_regex).captures[0].chomp, description: result.match(description_regex).captures[0].chomp, - installed: true, + installed: result.match(state_regex).captures[0].chomp == 'Enabled', } end From f7ad4e640778190b4ebeda368e1cfaa06ef85163 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 4 May 2021 22:12:08 -0400 Subject: [PATCH 124/483] Document auxiliary reporter options on the reporter docs page Signed-off-by: Clinton Wolfe --- docs-chef-io/content/inspec/reporters.md | 33 +++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/reporters.md b/docs-chef-io/content/inspec/reporters.md index 8b105d57a..a37765623 100644 --- a/docs-chef-io/content/inspec/reporters.md +++ b/docs-chef-io/content/inspec/reporters.md 
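Review bot: `installed:` is now true only for the exact string `Enabled`, so a feature in a pending DISM state is reported as not installed; with `Disable Pending` the feature is presumably still active until the reboot, and a control like `it { should_not be_installed }` would pass on a host that still runs it. The new line also calls `.captures` on `result.match(state_regex)`, which raises NoMethodError when the output has no `State :` line (for example localized DISM output, not verified here). I would read the state defensively with `state = result[state_regex, 1].to_s.strip` and make the pending case an explicit decision, e.g. `installed: ['Enabled', 'Disable Pending'].include?(state),` if the project agrees that a not-yet-applied disable still counts as installed. The enclosing method begins before the hunk.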
@@ -90,6 +90,37 @@ Output cli to screen and write json to a file. } } ``` +## Reporter Options + +The following are CLI options that may be used to modify reporter behavior. Many of these options allow you to limit the size of the report, because some reporters (such as the json-automate reporter) have a limit on the total size of the report that can be processed. + +### --diff, --no-diff + +Include a `diff` comparision of textual differences in failed test output (default: true). + +Use `--no-diff` to limit the size of the report output when tests contain large amounts of text output. + +### --filter-empty-profiles + +Remove empty profiles (those containing zero controls, such as resource packs) from the output of the reporter. + +### --reporter-backtrace-inclusion, --no-reporter-backtrace-inclusion + +Include a code backtrace in report data (default: true). + +The `--no-reporter-backtrace-inclusion` option may be used to limit report size when large code stacktraces are present in the output. + +### --reporter-include-source + +(CLI reporter only) Include full source code of controls in the report. + +### --reporter-message-truncation=N + +Number of characters to truncate failure messages in report data (default: no truncation). + +This may be used to limit the size of reports when failure messages are exceptionally large. + +### ## Supported Reporters @@ -101,7 +132,7 @@ This is the basic text base report. It includes details about which tests passed ### json -This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter. +This reporter includes all information about the profiles and test results in standard JSON format. You may optionally pass through arbitrary structured JSON data by setting a JSON configuration with the `--config` parameter. For example: 
From 39680e792625ac75b49b1dc3cdd43d29ea5dea92 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 5 May 2021 17:57:29 +0530 Subject: [PATCH 125/483] Chef automate product name changes in messages Signed-off-by: Nikita Mathur --- .../lib/inspec-compliance/api.rb | 2 +- .../lib/inspec-compliance/cli.rb | 31 +++++++++---------- .../lib/inspec-compliance/target.rb | 2 +- 3 files changed, 16 insertions(+), 19 deletions(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb index 1572e2d94..013642373 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb @@ -357,7 +357,7 @@ module InspecPlugins Inspec::Log.debug( "Received 200 from #{url}#{compliance_endpoint} - " \ - "assuming target is a #{COMPLIANCE_PRODUCT_NAME} server" + "assuming target is a #{AUTOMATE_PRODUCT_NAME} server" ) true end diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index 65009a8e7..25a4eee60 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb 
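Review bot: The debug message in the api.rb hunk `@@ -357,7 +357,7 @@` now says the target is assumed to be a `#{AUTOMATE_PRODUCT_NAME}` server although the probe it reports on is `compliance_endpoint`, and target.rb still handles `automate`, `automate2` and `compliance` as separate server types with different credentials. The same blanket rename in cli.rb (`@@ -23,11 +23,11 @@`) relabels `--password` and `--refresh_token` from Compliance-only to Automate-only, next to `--dctoken` which was already Automate-only, so the help no longer tells a user which credential belongs to which server type. I would keep `COMPLIANCE_PRODUCT_NAME` in these strings, e.g. `desc: "Password (#{COMPLIANCE_PRODUCT_NAME} Only)"`, or drop the product qualifier altogether if Compliance server support is being retired. The enclosing methods are only partly visible in these hunks.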
@@ -6,12 +6,12 @@ module InspecPlugins module Compliance class CLI < Inspec.plugin(2, :cli_command) include Inspec::Dist - subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{COMPLIANCE_PRODUCT_NAME} commands" + subcommand_desc "automate SUBCOMMAND or compliance SUBCOMMAND", "#{AUTOMATE_PRODUCT_NAME} commands" # desc "login https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --token='TOKEN'", 'Log in to a Chef Compliance/Chef Automate SERVER' - desc "login", "Log in to a #{COMPLIANCE_PRODUCT_NAME}/#{AUTOMATE_PRODUCT_NAME} SERVER" + desc "login", "Log in to a #{AUTOMATE_PRODUCT_NAME} SERVER" long_desc <<-LONGDESC - `login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} or a #{COMPLIANCE_PRODUCT_NAME} Server + `login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} Server You need to a token for communication. More information about token retrieval is available at: @@ -23,11 +23,11 @@ module InspecPlugins option :user, type: :string, required: false, desc: "Username" option :password, type: :string, required: false, - desc: "Password (#{COMPLIANCE_PRODUCT_NAME} Only)" + desc: "Password (#{AUTOMATE_PRODUCT_NAME} Only)" option :token, type: :string, required: false, desc: "Access token" option :refresh_token, type: :string, required: false, - desc: "#{COMPLIANCE_PRODUCT_NAME} refresh token (#{COMPLIANCE_PRODUCT_NAME} Only)" + desc: "#{AUTOMATE_PRODUCT_NAME} refresh token (#{AUTOMATE_PRODUCT_NAME} Only)" option :dctoken, type: :string, required: false, desc: "Data Collector token (#{AUTOMATE_PRODUCT_NAME} Only)" option :ent, type: :string, required: false, 
@@ -39,7 +39,7 @@ module InspecPlugins puts "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'" end - desc "profiles", "list all available profiles in #{COMPLIANCE_PRODUCT_NAME}" + desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}" option :owner, type: :string, required: false, desc: "owner whose profiles to list" def profiles @@ -68,7 +68,7 @@ module InspecPlugins exit 1 end - desc "exec PROFILE", "executes a #{COMPLIANCE_PRODUCT_NAME} profile" + desc "exec PROFILE", "executes a #{AUTOMATE_PRODUCT_NAME} profile" exec_options def exec(*tests) compliance_config = InspecPlugins::Compliance::Configuration.new @@ -90,7 +90,7 @@ module InspecPlugins exit 1 end - desc "download PROFILE", "downloads a profile from #{COMPLIANCE_PRODUCT_NAME}" + desc "download PROFILE", "downloads a profile from #{AUTOMATE_PRODUCT_NAME}" option :name, type: :string, desc: "Name of the archive filename (file type will be added)" def download(profile_name) @@ -115,12 +115,12 @@ module InspecPlugins file_name = fetcher.fetch(o.name || id) puts "Profile stored to #{file_name}" else - puts "Profile #{profile_name} is not available in #{COMPLIANCE_PRODUCT_NAME}." + puts "Profile #{profile_name} is not available in #{AUTOMATE_PRODUCT_NAME}." exit 1 end end - desc "upload PATH", "uploads a local profile to #{COMPLIANCE_PRODUCT_NAME}" + desc "upload PATH", "uploads a local profile to #{AUTOMATE_PRODUCT_NAME}" option :overwrite, type: :boolean, default: false, desc: "Overwrite existing profile on Server." option :owner, type: :string, required: false, 
@@ -201,11 +201,8 @@ module InspecPlugins puts "Start upload to #{config["owner"]}/#{profile_name}" pname = ERB::Util.url_encode(profile_name) - if InspecPlugins::Compliance::API.is_automate_server?(config) || InspecPlugins::Compliance::API.is_automate2_server?(config) - puts "Uploading to #{AUTOMATE_PRODUCT_NAME}" - else - puts "Uploading to #{COMPLIANCE_PRODUCT_NAME}" - end + puts "Uploading to #{AUTOMATE_PRODUCT_NAME}" + success, msg = InspecPlugins::Compliance::API.upload(config, config["owner"], pname, archive_path) # delete temp file if it was temporary generated @@ -220,7 +217,7 @@ module InspecPlugins end end - desc "version", "displays the version of the #{COMPLIANCE_PRODUCT_NAME} server" + desc "version", "displays the version of the #{AUTOMATE_PRODUCT_NAME} server" def version config = InspecPlugins::Compliance::Configuration.new info = InspecPlugins::Compliance::API.version(config) @@ -236,7 +233,7 @@ module InspecPlugins exit 1 end - desc "logout", "user logout from #{COMPLIANCE_PRODUCT_NAME}" + desc "logout", "user logout from #{AUTOMATE_PRODUCT_NAME}" def logout config = InspecPlugins::Compliance::Configuration.new unless config.supported?(:oidc) || config["token"].nil? || config["server_type"] == "automate" diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb index 27a38c187..0c2be3ba4 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb @@ -112,7 +112,7 @@ module InspecPlugins end def to_s - "#{COMPLIANCE_PRODUCT_NAME} Profile Loader" + "#{AUTOMATE_PRODUCT_NAME} Profile Loader" end private From 8b59d942aa57398a50ca4fd305814118532391c7 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 5 May 2021 16:11:07 +0000 Subject: [PATCH 126/483] Bump version to 4.36.10 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2fade7381..f03f057bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.36.9](https://github.com/inspec/inspec/tree/v4.36.9) (2021-05-04) + +## [v4.36.10](https://github.com/inspec/inspec/tree/v4.36.10) (2021-05-05) -#### Merged Pull Requests -- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) +#### Bug Fixes +- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.36.4 release +#### Bug Fixes +- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105)) + #### Enhancements - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index 7020994e8..41cf1627c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.9 \ No newline at end of file +4.36.10 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e718b60fb..b45b92462 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.9".freeze + VERSION = "4.36.10".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 409b3a1f9..542118561 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.9".freeze + VERSION = "4.36.10".freeze end From 04e5f456ebcc5ff4a798ef47fb0513d92fe0d1ae Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 5 May 2021 16:14:07 +0000 Subject: [PATCH 127/483] Bump version to 4.36.11 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f03f057bc..90263b09e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.10](https://github.com/inspec/inspec/tree/v4.36.10) (2021-05-05) + +## [v4.36.11](https://github.com/inspec/inspec/tree/v4.36.11) (2021-05-05) -#### Bug Fixes -- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) 
@@ -17,6 +17,7 @@ - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) - Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) - Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index 41cf1627c..91c217f79 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.10 \ No newline at end of file +4.36.11 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index b45b92462..fa13b8de9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.10".freeze + VERSION = "4.36.11".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 542118561..61d72dee3 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.10".freeze + VERSION = "4.36.11".freeze end From 76926c6c27ff59722177b145b3839942ae6bf9bc Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 5 May 2021 16:16:59 +0000 Subject: [PATCH 128/483] Bump version to 4.37.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 90263b09e..0e59671e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.36.11](https://github.com/inspec/inspec/tree/v4.36.11) (2021-05-05) + +## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05) #### Merged Pull Requests -- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) @@ -17,6 +17,7 @@ - Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) - Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) - Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 91c217f79..6164ba4cc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.36.11 \ No newline at end of file +4.37.0 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index fa13b8de9..1acd98163 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.36.11".freeze + VERSION = "4.37.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 61d72dee3..29fe54fd1 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.36.11".freeze + VERSION = "4.37.0".freeze end From a60083b8ba81f2e02272bc8426a86f3aa1c9fa6c Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 5 May 2021 20:31:11 +0000 Subject: [PATCH 129/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 47 ++++++++++++++++++++++------------------------- Dockerfile | 2 +- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e59671e8..dea85d40d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,34 +1,32 @@ # Change Log - -## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05) - -#### Merged Pull Requests -- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) + - -### Changes since 4.36.4 release - -#### Bug Fixes -- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105)) - -#### Enhancements -- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) - -#### Merged Pull Requests -- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) -- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) -- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) -- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) -- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) -- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) -- Update openssl to 1.1.1k on macos 
[#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) + +## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05) + +#### Enhancements +- Reinstate resource testing on supported platforms using Test-Kitchen [#5204](https://github.com/inspec/inspec/pull/5204) ([clintoncwolfe](https://github.com/clintoncwolfe)) + +#### Bug Fixes +- Fix : windows_firewall_rule fails to validate more than 1 rule depending on how it's executed [#5502](https://github.com/inspec/inspec/pull/5502) ([Vasu1105](https://github.com/Vasu1105)) + +#### Merged Pull Requests +- Update openssl to 1.1.1k on macos [#5493](https://github.com/inspec/inspec/pull/5493) ([tas50](https://github.com/tas50)) +- Update Ruby in omnibus packages to 2.7.3 [#5492](https://github.com/inspec/inspec/pull/5492) ([tas50](https://github.com/tas50)) +- Make sure we use chef-telemetry 1.0.8+ [#5491](https://github.com/inspec/inspec/pull/5491) ([tas50](https://github.com/tas50)) +- Upgrade to GitHub-native Dependabot [#5488](https://github.com/inspec/inspec/pull/5488) ([dependabot-preview[bot]](https://github.com/dependabot-preview[bot])) +- Fixes for the integration-resources pipeline [#5501](https://github.com/inspec/inspec/pull/5501) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Fix bad link [#5498](https://github.com/inspec/inspec/pull/5498) ([IanMadd](https://github.com/IanMadd)) +- Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) +- Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) + + ## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-29) #### New Features 
@@ -47,7 +45,6 @@ - updating Gemfile to support environment variables [#5485](https://github.com/inspec/inspec/pull/5485) ([jayashrig158](https://github.com/jayashrig158)) - Group & Groups doc updated - about using local and etc groups [#5483](https://github.com/inspec/inspec/pull/5483) ([Nik08](https://github.com/Nik08)) - Added new property `members_array` for group & groups resources. [#5479](https://github.com/inspec/inspec/pull/5479) ([Nik08](https://github.com/Nik08)) - ## [v4.33.1](https://github.com/inspec/inspec/tree/v4.33.1) (2021-04-21) diff --git a/Dockerfile b/Dockerfile index 3ecacd584..865cefb9e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.36.4 +ARG VERSION=4.37.0 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From d1b84bda7482eb6368f7762d289b7eeca977bb49 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Wed, 5 May 2021 16:06:38 -0700 Subject: [PATCH 130/483] Update Hugo and correct how build previews are generated Signed-off-by: Ian Maddaus --- docs-chef-io/Makefile | 2 +- docs-chef-io/README.md | 2 +- docs-chef-io/netlify.toml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/Makefile b/docs-chef-io/Makefile index 6eaf21810..f48b497f8 100644 --- a/docs-chef-io/Makefile +++ b/docs-chef-io/Makefile @@ -14,7 +14,7 @@ serve: chef_web_docs chef_web_docs: if [ -d "chef-web-docs/" ]; then \ - pushd chef-web-docs && git reset HEAD --hard; git pull origin master && popd; \ + pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin master; rm -rf public && popd; \ else \ git clone https://github.com/chef/chef-web-docs.git; \ fi diff --git a/docs-chef-io/README.md b/docs-chef-io/README.md index a64a485b5..26451ed35 100644 --- a/docs-chef-io/README.md +++ b/docs-chef-io/README.md 
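Review bot: In the `chef_web_docs` recipe only `git reset` is chained to `pushd` with `&&`; the added `git clean -fd` and `rm -rf public` follow a `;`, so they still run when `pushd` fails or is not provided by the shell make uses, and would then act on the `docs-chef-io` directory of this repository instead of the clone. Chaining every step inside a subshell avoids deleting untracked work in the wrong tree: `(cd chef-web-docs && git reset HEAD --hard && git clean -fd && git pull --ff-only origin master && rm -rf public); \`. The `else` branch with the clone is unaffected.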
@@ -52,7 +52,7 @@ before the next promotion. ## Local Development Environment We use [Hugo](https://gohugo.io/), [Go](https://golang.org/), and[NPM](https://www.npmjs.com/) -to build the Chef Documentation website. You will need Hugo 0.78.1 or higher +to build the Chef Documentation website. You will need Hugo 0.83.1 or higher installed and running to build and view our documentation properly. To install Hugo, NPM, and Go on Windows and macOS: diff --git a/docs-chef-io/netlify.toml b/docs-chef-io/netlify.toml index 721c380c4..a640c4353 100644 --- a/docs-chef-io/netlify.toml +++ b/docs-chef-io/netlify.toml @@ -1,7 +1,7 @@ [build] [build.environment] - HUGO_VERSION = "0.78.1" + HUGO_VERSION = "0.83.1" HUGO_ENABLEGITINFO = "true" GO_VERSION = "1.15" NODE_ENV = "development" From 3b0ba2857b551049cb13cb79e87fe48510887a4f Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Thu, 6 May 2021 16:36:50 -0700 Subject: [PATCH 131/483] Convert headings to definition lists Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/reporters.md | 28 +++++++++++------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/docs-chef-io/content/inspec/reporters.md b/docs-chef-io/content/inspec/reporters.md index a37765623..7bcb563cd 100644 --- a/docs-chef-io/content/inspec/reporters.md +++ b/docs-chef-io/content/inspec/reporters.md 
@@ -94,33 +94,31 @@ Output cli to screen and write json to a file. The following are CLI options that may be used to modify reporter behavior. Many of these options allow you to limit the size of the report, because some reporters (such as the json-automate reporter) have a limit on the total size of the report that can be processed. -### --diff, --no-diff +`--diff`, `--no-diff` -Include a `diff` comparision of textual differences in failed test output (default: true). +: Include a `diff` comparison of textual differences in failed test output (default: `true`). -Use `--no-diff` to limit the size of the report output when tests contain large amounts of text output. +: Use `--no-diff` to limit the size of the report output when tests contain large amounts of text output. -### --filter-empty-profiles +`--filter-empty-profiles` -Remove empty profiles (those containing zero controls, such as resource packs) from the output of the reporter. +: Remove empty profiles (those containing zero controls, such as resource packs) from the output of the reporter. -### --reporter-backtrace-inclusion, --no-reporter-backtrace-inclusion +`--reporter-backtrace-inclusion`, `--no-reporter-backtrace-inclusion` -Include a code backtrace in report data (default: true). +: Include a code backtrace in report data (default: `true`). -The `--no-reporter-backtrace-inclusion` option may be used to limit report size when large code stacktraces are present in the output. +: The `--no-reporter-backtrace-inclusion` option may be used to limit report size when large code stack traces are present in the output. -### --reporter-include-source +`--reporter-include-source` -(CLI reporter only) Include full source code of controls in the report. +: (CLI reporter only) Include full source code of controls in the report. -### --reporter-message-truncation=N +`--reporter-message-truncation=N` -Number of characters to truncate failure messages in report data (default: no truncation). 
+: Number of characters to truncate failure messages in report data (default: no truncation). -This may be used to limit the size of reports when failure messages are exceptionally large. - -### +: This may be used to limit the size of reports when failure messages are exceptionally large. ## Supported Reporters From fe2ec54d317e8cae81390060bf80890135acd588 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 7 May 2021 16:42:18 +0530 Subject: [PATCH 132/483] Build fix for error that occured after automate alias release Signed-off-by: Nikita Mathur --- test/functional/inspec_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test/functional/inspec_test.rb b/test/functional/inspec_test.rb index c7201e9db..d286695ca 100644 --- a/test/functional/inspec_test.rb +++ b/test/functional/inspec_test.rb @@ -55,6 +55,7 @@ describe "command tests" do artifact check compliance + automate detect env exec @@ -70,7 +71,7 @@ describe "command tests" do } outputs.each do |output| commands.each do |subcommand| - _(output).must_include("inspec " + subcommand) + _(output).must_include(subcommand) end end end From 91c7568231e8d870681caf864f070dfab404ea57 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 9 May 2021 22:12:53 -0400 Subject: [PATCH 133/483] Add basic docs for toml resource Signed-off-by: Clinton Wolfe --- docs-chef-io/content/inspec/resources/toml.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/toml.md diff --git a/docs-chef-io/content/inspec/resources/toml.md b/docs-chef-io/content/inspec/resources/toml.md new file mode 100644 index 000000000..7c646b770 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/toml.md 
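Review bot: The assertion in the second hunk of test/functional/inspec_test.rb is now `must_include(subcommand)`, and bare words such as `check`, `env` or `exec` can occur anywhere in the help text, so the test would still pass if a subcommand disappeared from the command list. If the `inspec ` prefix was dropped because the new `automate` alias changes how one entry is printed (an assumption, since the help output is not shown), a per-line match keeps the check meaningful: `_(output).must_match(/\binspec\b.*\b#{Regexp.escape(subcommand)}\b/)`. The enclosing `it` block starts and ends outside the hunk.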
@@ -0,0 +1,74 @@
++++
+title = "toml resource"
+draft = false
+gh_repo = "inspec"
+platform = "os"
+
+[menu]
+ [menu.inspec]
+ title = "toml"
+ identifier = "inspec/resources/os/toml.md toml resource"
+ parent = "inspec/resources/toml"
++++
+
+Use the `toml` Chef InSpec audit resource to test settings in a .toml file.
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+### Version
+
+This resource first became available in v1.0.0 of InSpec.
+
+## Syntax
+
+An `toml` resource block declares the configuration settings to be tested:
+
+ describe toml('path') do
+ its('setting_name') { should eq 'value' }
+ end
+
+where
+
+- `'setting_name'` is a setting key defined in the toml file
+- `('path')` is the path to the toml file
+- `{ should eq 'value' }` is the value that is expected
+
+Assume the following TOML file:
+
+ port = 8080
+ fruits = ["apple", "banana", "cantaloupe"]
+
+ [section]
+ key1 = "value1"
+
+
+For example:
+
+ describe toml('path/to/toml_file.toml') do
+ its('port') { should eq 8080 }
+ end
+
+Array values may be accessed by using brackets:
+
+ describe toml('path/to/toml_file.toml') do
+ its(['fruits', 0]) { should eq 'apple' }
+ end
+
+Settings inside of sections, such as the following can be retrieved by using brackets as well:
+
+ describe toml('path/to/toml_file.toml') do
+ its(['section', 'key1']) { should cmp 'value1' }
+ end
+
+
+## Properties
+
+This resource supports any of the settings listed in an toml file as properties.
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
From f44a9096870813197f371e1038a62a9ee2f70b5b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 6 May 2021 08:29:36 +0000 Subject: [PATCH 134/483] Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 Updates the requirements on [chefstyle](https://github.com/chef/chefstyle) to permit the latest version. - [Release notes](https://github.com/chef/chefstyle/releases) - [Changelog](https://github.com/chef/chefstyle/blob/master/CHANGELOG.md) - [Commits](https://github.com/chef/chefstyle/compare/v1.7.1...v2.0.3) Signed-off-by: dependabot[bot] --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 0b007d6fa..6bf1174d9 100644 --- a/Gemfile +++ b/Gemfile @@ -28,7 +28,7 @@ group :omnibus do end group :test do - gem "chefstyle", "~> 1.7.1" + gem "chefstyle", "~> 2.0.3" gem "concurrent-ruby", "~> 1.0" gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows gem "json_schemer", ">= 0.2.1", "< 0.2.19" From 02e8e9cc9cd16816583e415a5202f1aa20e8032d Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 9 May 2021 23:59:04 -0400 Subject: [PATCH 135/483] Ran chefstyle -a 
Signed-off-by: Clinton Wolfe --- lib/inspec/fetcher/local.rb | 2 +- lib/inspec/resources/mssql_session.rb | 2 +- lib/inspec/resources/mysql_session.rb | 2 +- lib/inspec/resources/pip.rb | 2 +- lib/inspec/resources/registry_key.rb | 2 +- lib/inspec/resources/users.rb | 2 +- lib/inspec/runner.rb | 2 +- lib/inspec/utils/erlang_parser.rb | 4 +- lib/inspec/utils/filter.rb | 14 +++---- lib/inspec/utils/nginx_parser.rb | 6 +-- lib/resources/aws/aws_cloudtrail_trail.rb | 12 +++--- lib/resources/aws/aws_iam_access_keys.rb | 38 ++++++++--------- lib/resources/aws/aws_iam_password_policy.rb | 24 +++++------ lib/resources/aws/aws_kms_key.rb | 44 ++++++++++---------- lib/resources/aws/aws_rds_instance.rb | 14 +++---- lib/resources/aws/aws_s3_bucket.rb | 35 ++++++++-------- lib/resources/aws/aws_s3_bucket_object.rb | 20 ++++----- lib/resources/aws/aws_sns_subscription.rb | 26 ++++++------ test/functional/inspec_exec_json_test.rb | 20 ++++----- test/functional/inspec_exec_jsonmin_test.rb | 20 ++++----- test/functional/inspec_json_profile_test.rb | 20 ++++----- test/functional/inspec_shell_test.rb | 6 +-- test/functional/inspec_vendor_test.rb | 2 +- test/unit/fetchers/fetchers_test.rb | 2 +- test/unit/utils/erlang_parser_test.rb | 2 +- test/unit/utils/find_files_test.rb | 2 +- 26 files changed, 162 insertions(+), 163 deletions(-) diff --git a/lib/inspec/fetcher/local.rb b/lib/inspec/fetcher/local.rb index febf05c1c..61fe4f5cb 100644 --- a/lib/inspec/fetcher/local.rb +++ b/lib/inspec/fetcher/local.rb @@ -31,7 +31,7 @@ module Inspec::Fetcher target = target.gsub(%r{^file://}, "") else # support for windows paths - target = target.tr('\\', "/") + target = target.tr("\\", "/") end target if File.exist?(File.expand_path(target)) diff --git a/lib/inspec/resources/mssql_session.rb b/lib/inspec/resources/mssql_session.rb index 15b8b9276..14abf4e86 100644 --- a/lib/inspec/resources/mssql_session.rb +++ b/lib/inspec/resources/mssql_session.rb 
@@ -58,7 +58,7 @@ module Inspec::Resources end def query(q) # rubocop:disable Metrics/PerceivedComplexity - escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '""').gsub(/\$/, '\\$') + escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '""').gsub(/\$/, '\\$') # surpress 'x rows affected' in SQLCMD with 'set nocount on;' cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','" cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil? diff --git a/lib/inspec/resources/mysql_session.rb b/lib/inspec/resources/mysql_session.rb index cdc284595..8f24b6510 100644 --- a/lib/inspec/resources/mysql_session.rb +++ b/lib/inspec/resources/mysql_session.rb @@ -75,7 +75,7 @@ module Inspec::Resources def create_mysql_cmd(q, db = "") # TODO: simple escape, must be handled by a library # that does this securely - escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$') + escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$') # construct the query command = "mysql" diff --git a/lib/inspec/resources/pip.rb b/lib/inspec/resources/pip.rb index 11da3bbc7..03501efba 100644 --- a/lib/inspec/resources/pip.rb +++ b/lib/inspec/resources/pip.rb @@ -117,7 +117,7 @@ module Inspec::Resources if defined?(windows_paths["Python"]) && pipcmd.nil? return nil if windows_paths["Pip"].nil? - pipdir = windows_paths["Python"].split('\\') + pipdir = windows_paths["Python"].split("\\") # remove python.exe pipdir.pop pipcmd = pipdir.push("Scripts").push("pip.exe").join("/") diff --git a/lib/inspec/resources/registry_key.rb b/lib/inspec/resources/registry_key.rb index c9104adbe..803009598 100644 --- a/lib/inspec/resources/registry_key.rb +++ b/lib/inspec/resources/registry_key.rb @@ -281,7 +281,7 @@ module Inspec::Resources key = @options[:key] return "" unless key - key.start_with?('\\') ? key : "\\#{key}" + key.start_with?("\\") ? key : "\\#{key}" end end 
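Review bot: In `query` (mssql_session.rb) the first substitution, `q.gsub(/\\/, "\\\\")`, does not double backslashes: the replacement string is two characters, which `gsub` reads as one escaped backslash, so the call returns its input unchanged both before and after this quoting change. The same substitution is in `create_mysql_cmd` in mysql_session.rb, directly under the existing TODO about doing the escaping securely. Because the result is interpolated into a double-quoted shell argument, the block form says what is meant without replacement-string escaping: `escaped_query = q.gsub(/\\/) { "\\\\" }.gsub(/"/, '""').gsub(/\$/, '\\$')`. Both method bodies continue outside their hunks.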
diff --git a/lib/inspec/resources/users.rb b/lib/inspec/resources/users.rb index 538c1fe2f..e7ed67e82 100644 --- a/lib/inspec/resources/users.rb +++ b/lib/inspec/resources/users.rb @@ -611,7 +611,7 @@ module Inspec::Resources # @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx class WindowsUser < UserInfo def parse_windows_account(username) - account = username.split('\\') + account = username.split("\\") name = account.pop domain = account.pop unless account.empty? [name, domain] diff --git a/lib/inspec/runner.rb b/lib/inspec/runner.rb index 14dda0290..7ba10bcc0 100644 --- a/lib/inspec/runner.rb +++ b/lib/inspec/runner.rb @@ -243,7 +243,7 @@ module Inspec # to provide access to local profiles that add resources. @depends.each do |dep| # support for windows paths - dep = dep.tr('\\', "/") + dep = dep.tr("\\", "/") Inspec::Profile.for_path(dep, { profile_context: ctx }).load_libraries end diff --git a/lib/inspec/utils/erlang_parser.rb b/lib/inspec/utils/erlang_parser.rb index 2762b0ce3..34132bba4 100644 --- a/lib/inspec/utils/erlang_parser.rb +++ b/lib/inspec/utils/erlang_parser.rb @@ -52,13 +52,13 @@ class ErlangParser < Parslet::Parser rule(:stringS) do str("'") >> ( - str('\\') >> any | str("'").absent? >> any + str("\\") >> any | str("'").absent? >> any ).repeat.as(:string) >> str("'") >> filler? end rule(:stringD) do str('"') >> ( - str('\\') >> any | str('"').absent? >> any + str("\\") >> any | str('"').absent? >> any ).repeat.as(:string) >> str('"') >> filler? end diff --git a/lib/inspec/utils/filter.rb b/lib/inspec/utils/filter.rb index ff4517e4e..e08550425 100644 --- a/lib/inspec/utils/filter.rb +++ b/lib/inspec/utils/filter.rb 
@@ -375,13 +375,13 @@ module FilterTable methods_to_install_on_resource_class = @filter_methods + @custom_properties.keys methods_to_install_on_resource_class.each do |method_name| resource_class.send(:define_method, method_name) do |*args, &block| - begin - # self here is the resource instance - filter_table_instance = table_class.new(self, send(raw_data_fetcher_method_name), " with") - filter_table_instance.send(method_name, *args, &block) - rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e - FilterTable::ExceptionCatcher.new(resource_class, e) - end + + # self here is the resource instance + filter_table_instance = table_class.new(self, send(raw_data_fetcher_method_name), " with") + filter_table_instance.send(method_name, *args, &block) + rescue Inspec::Exceptions::ResourceFailed, Inspec::Exceptions::ResourceSkipped => e + FilterTable::ExceptionCatcher.new(resource_class, e) + end end end diff --git a/lib/inspec/utils/nginx_parser.rb b/lib/inspec/utils/nginx_parser.rb index f032a2d41..59c6b8080 100644 --- a/lib/inspec/utils/nginx_parser.rb +++ b/lib/inspec/utils/nginx_parser.rb @@ -31,19 +31,19 @@ class NginxParser < Parslet::Parser rule(:standard_value) do ((match(/[#;{'"]/).absent? >> any) >> ( - str('\\') >> any | match('[#;{]|\s').absent? >> any + str("\\") >> any | match('[#;{]|\s').absent? >> any ).repeat).as(:value) >> space.repeat end rule(:single_quoted_value) do str("'") >> ( - str('\\') >> any | str("'").absent? >> any + str("\\") >> any | str("'").absent? >> any ).repeat.as(:value) >> str("'") >> space.repeat end rule(:double_quoted_value) do str('"') >> ( - str('\\') >> any | str('"').absent? >> any + str("\\") >> any | str('"').absent? >> any ).repeat.as(:value) >> str('"') >> space.repeat end diff --git a/lib/resources/aws/aws_cloudtrail_trail.rb b/lib/resources/aws/aws_cloudtrail_trail.rb index e48e3af2b..e337d8059 100644 --- a/lib/resources/aws/aws_cloudtrail_trail.rb 
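Review bot: The autocorrect removed the `begin`/`end` wrapper inside the `define_method` block in filter.rb but left an empty line directly after `do |*args, &block|` and another before the closing `end`, which makes the `rescue` look detached from the block it belongs to. The same leftover blank lines appear in the AWS resource hunks and the three JSON schema tests of this commit. Dropping the two empty lines keeps each block readable; a `rescue` placed directly in a `do`/`end` block also needs Ruby 2.5 or later, so the gemspec's required Ruby version is worth confirming (it is not shown here). The enclosing method starts outside the hunk.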
+++ b/lib/resources/aws/aws_cloudtrail_trail.rb @@ -36,12 +36,12 @@ class AwsCloudTrailTrail < Inspec.resource(1) def delivered_logs_days_ago query = { name: @trail_name } catch_aws_errors do - begin - resp = BackendFactory.create(inspec_runner).get_trail_status(query).to_h - ((Time.now - resp[:latest_cloud_watch_logs_delivery_time]) / (24 * 60 * 60)).to_i unless resp[:latest_cloud_watch_logs_delivery_time].nil? - rescue Aws::CloudTrail::Errors::TrailNotFoundException - nil - end + + resp = BackendFactory.create(inspec_runner).get_trail_status(query).to_h + ((Time.now - resp[:latest_cloud_watch_logs_delivery_time]) / (24 * 60 * 60)).to_i unless resp[:latest_cloud_watch_logs_delivery_time].nil? + rescue Aws::CloudTrail::Errors::TrailNotFoundException + nil + end end diff --git a/lib/resources/aws/aws_iam_access_keys.rb b/lib/resources/aws/aws_iam_access_keys.rb index ee34f80bf..73743d0d5 100644 --- a/lib/resources/aws/aws_iam_access_keys.rb +++ b/lib/resources/aws/aws_iam_access_keys.rb 
@@ -101,27 +101,27 @@ class AwsIamAccessKeys < Inspec.resource(1) access_key_data = [] user_details.each_key do |username| - begin - user_keys = iam_client.list_access_keys(user_name: username) - .access_key_metadata - user_keys = user_keys.map do |metadata| - { - access_key_id: metadata.access_key_id, - username: username, - status: metadata.status, - create_date: metadata.create_date, # DateTime.parse(metadata.create_date), - } - end - # Copy in from user data - # Synthetics - user_keys.each do |key_info| - add_synthetic_fields(key_info, user_details[username]) - end - access_key_data.concat(user_keys) - rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions - # Swallow - a miss on search results should return an empty table + user_keys = iam_client.list_access_keys(user_name: username) + .access_key_metadata + user_keys = user_keys.map do |metadata| + { + access_key_id: metadata.access_key_id, + username: username, + status: metadata.status, + create_date: metadata.create_date, # DateTime.parse(metadata.create_date), + } end + + # Copy in from user data + # Synthetics + user_keys.each do |key_info| + add_synthetic_fields(key_info, user_details[username]) + end + access_key_data.concat(user_keys) + rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions + # Swallow - a miss on search results should return an empty table + end access_key_data end diff --git a/lib/resources/aws/aws_iam_password_policy.rb b/lib/resources/aws/aws_iam_password_policy.rb index 6e0999152..55a912996 100644 --- a/lib/resources/aws/aws_iam_password_policy.rb +++ b/lib/resources/aws/aws_iam_password_policy.rb 
@@ -20,19 +20,19 @@ class AwsIamPasswordPolicy < Inspec.resource(1) # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin def initialize(conn = nil) catch_aws_errors do - begin - if conn - # We're in a mocked unit test. - @policy = conn.iam_resource.account_password_policy - else - # Don't use the resource approach. It's a CRUD operation - # - if the policy does not exist, you get back a blank object to populate and save. - # Using the Client will throw an exception if no policy exists. - @policy = inspec_runner.backend.aws_client(Aws::IAM::Client).get_account_password_policy.password_policy - end - rescue Aws::IAM::Errors::NoSuchEntity - @policy = nil + + if conn + # We're in a mocked unit test. + @policy = conn.iam_resource.account_password_policy + else + # Don't use the resource approach. It's a CRUD operation + # - if the policy does not exist, you get back a blank object to populate and save. + # Using the Client will throw an exception if no policy exists. + @policy = inspec_runner.backend.aws_client(Aws::IAM::Client).get_account_password_policy.password_policy end + rescue Aws::IAM::Errors::NoSuchEntity + @policy = nil + end end diff --git a/lib/resources/aws/aws_kms_key.rb b/lib/resources/aws/aws_kms_key.rb index 09b5d08ec..eabc0a1c6 100644 --- a/lib/resources/aws/aws_kms_key.rb +++ b/lib/resources/aws/aws_kms_key.rb 
@@ -56,30 +56,30 @@ class AwsKmsKey < Inspec.resource(1) query = { key_id: @key_id } catch_aws_errors do - begin - resp = backend.describe_key(query) - @exists = true - @key = resp.key_metadata.to_h - @key_id = @key[:key_id] - @arn = @key[:arn] - @creation_date = @key[:creation_date] - @enabled = @key[:enabled] - @description = @key[:description] - @key_usage = @key[:key_usage] - @key_state = @key[:key_state] - @deletion_date = @key[:deletion_date] - @valid_to = @key[:valid_to] - @external = @key[:origin] == "EXTERNAL" - @has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES" - @managed_by_aws = @key[:key_manager] == "AWS" + resp = backend.describe_key(query) + + @exists = true + @key = resp.key_metadata.to_h + @key_id = @key[:key_id] + @arn = @key[:arn] + @creation_date = @key[:creation_date] + @enabled = @key[:enabled] + @description = @key[:description] + @key_usage = @key[:key_usage] + @key_state = @key[:key_state] + @deletion_date = @key[:deletion_date] + @valid_to = @key[:valid_to] + @external = @key[:origin] == "EXTERNAL" + @has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES" + @managed_by_aws = @key[:key_manager] == "AWS" + + resp = backend.get_key_rotation_status(query) + @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty? + rescue Aws::KMS::Errors::NotFoundException + @exists = false + return - resp = backend.get_key_rotation_status(query) - @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty? - rescue Aws::KMS::Errors::NotFoundException - @exists = false - return - end end end diff --git a/lib/resources/aws/aws_rds_instance.rb b/lib/resources/aws/aws_rds_instance.rb index 2e0a9ec31..be167e1d2 100644 --- a/lib/resources/aws/aws_rds_instance.rb +++ b/lib/resources/aws/aws_rds_instance.rb 
@@ -43,13 +43,13 @@ class AwsRdsInstance < Inspec.resource(1) backend = BackendFactory.create(inspec_runner) dsg_response = nil catch_aws_errors do - begin - dsg_response = backend.describe_db_instances(db_instance_identifier: db_instance_identifier) - @exists = true - rescue Aws::RDS::Errors::DBInstanceNotFound - @exists = false - return - end + + dsg_response = backend.describe_db_instances(db_instance_identifier: db_instance_identifier) + @exists = true + rescue Aws::RDS::Errors::DBInstanceNotFound + @exists = false + return + end if dsg_response.db_instances.empty? diff --git a/lib/resources/aws/aws_s3_bucket.rb b/lib/resources/aws/aws_s3_bucket.rb index 89dea9aa8..4e8fce251 100644 --- a/lib/resources/aws/aws_s3_bucket.rb +++ b/lib/resources/aws/aws_s3_bucket.rb 
@@ -85,30 +85,29 @@ class AwsS3Bucket < Inspec.resource(1) def fetch_bucket_policy backend = BackendFactory.create(inspec_runner) catch_aws_errors do - begin - # AWS SDK returns a StringIO, we have to read() - raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy - return JSON.parse(raw_policy.read)["Statement"].map do |statement| - lowercase_hash = {} - statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] } - @bucket_policy = OpenStruct.new(lowercase_hash) - end - rescue Aws::S3::Errors::NoSuchBucketPolicy - @bucket_policy = [] + + # AWS SDK returns a StringIO, we have to read() + raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy + return JSON.parse(raw_policy.read)["Statement"].map do |statement| + lowercase_hash = {} + statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] } + @bucket_policy = OpenStruct.new(lowercase_hash) end + rescue Aws::S3::Errors::NoSuchBucketPolicy + @bucket_policy = [] + end end def fetch_bucket_encryption_configuration @has_default_encryption_enabled ||= catch_aws_errors do - begin - !BackendFactory.create(inspec_runner) - .get_bucket_encryption(bucket: bucket_name) - .server_side_encryption_configuration - .nil? - rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError - false - end + !BackendFactory.create(inspec_runner) + .get_bucket_encryption(bucket: bucket_name) + .server_side_encryption_configuration + .nil? + rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError + false + end end diff --git a/lib/resources/aws/aws_s3_bucket_object.rb b/lib/resources/aws/aws_s3_bucket_object.rb index 2f47f77d1..ef28195bf 100644 --- a/lib/resources/aws/aws_s3_bucket_object.rb +++ b/lib/resources/aws/aws_s3_bucket_object.rb 
@@ -55,16 +55,16 @@ class AwsS3BucketObject < Inspec.resource(1) def fetch_from_api backend = BackendFactory.create(inspec_runner) catch_aws_errors do - begin - # Just use get_object to detect if the bucket exists - backend.get_object(bucket: bucket_name, key: key) - rescue Aws::S3::Errors::NoSuchBucket - @exists = false - return - rescue Aws::S3::Errors::NoSuchKey - @exists = false - return - end + + # Just use get_object to detect if the bucket exists + backend.get_object(bucket: bucket_name, key: key) + rescue Aws::S3::Errors::NoSuchBucket + @exists = false + return + rescue Aws::S3::Errors::NoSuchKey + @exists = false + return + end @exists = true end diff --git a/lib/resources/aws/aws_sns_subscription.rb b/lib/resources/aws/aws_sns_subscription.rb index d3f0772e9..34b29f0bc 100644 --- a/lib/resources/aws/aws_sns_subscription.rb +++ b/lib/resources/aws/aws_sns_subscription.rb 
@@ -53,19 +53,19 @@ class AwsSnsSubscription < Inspec.resource(1) def fetch_from_api backend = BackendFactory.create(inspec_runner) catch_aws_errors do - begin - aws_response = backend.get_subscription_attributes(subscription_arn: @subscription_arn).attributes - @exists = true - @owner = aws_response["Owner"] - @raw_message_delivery = aws_response["RawMessageDelivery"].eql?("true") - @topic_arn = aws_response["TopicArn"] - @endpoint = aws_response["Endpoint"] - @protocol = aws_response["Protocol"] - @confirmation_was_authenticated = aws_response["ConfirmationWasAuthenticated"].eql?("true") - rescue Aws::SNS::Errors::NotFound - @exists = false - return - end + + aws_response = backend.get_subscription_attributes(subscription_arn: @subscription_arn).attributes + @exists = true + @owner = aws_response["Owner"] + @raw_message_delivery = aws_response["RawMessageDelivery"].eql?("true") + @topic_arn = aws_response["TopicArn"] + @endpoint = aws_response["Endpoint"] + @protocol = aws_response["Protocol"] + @confirmation_was_authenticated = aws_response["ConfirmationWasAuthenticated"].eql?("true") + rescue Aws::SNS::Errors::NotFound + @exists = false + return + end end diff --git a/test/functional/inspec_exec_json_test.rb b/test/functional/inspec_exec_json_test.rb index f13beeaf8..1541e9d36 100644 --- a/test/functional/inspec_exec_json_test.rb +++ b/test/functional/inspec_exec_json_test.rb 
@@ -61,16 +61,16 @@ describe "inspec exec with json formatter" do it "properly validates all (valid) unit tests against the schema" do schema = JSONSchemer.schema(JSON.parse(inspec("schema exec-json").stdout)) all_profile_folders.first(1).each do |folder| - begin - out = inspec("exec " + folder + " --reporter json --no-create-lockfile") - # Ensure it parses properly - out = JSON.parse(out.stdout) - failures = schema.validate(out).to_a - _(failures).must_equal [] - rescue JSON::ParserError - # We don't actually care about these; cannot validate if parsing fails! - nil - end + + out = inspec("exec " + folder + " --reporter json --no-create-lockfile") + # Ensure it parses properly + out = JSON.parse(out.stdout) + failures = schema.validate(out).to_a + _(failures).must_equal [] + rescue JSON::ParserError + # We don't actually care about these; cannot validate if parsing fails! + nil + end end diff --git a/test/functional/inspec_exec_jsonmin_test.rb b/test/functional/inspec_exec_jsonmin_test.rb index f5ec96377..58c6d6670 100644 --- a/test/functional/inspec_exec_jsonmin_test.rb +++ b/test/functional/inspec_exec_jsonmin_test.rb 
@@ -37,16 +37,16 @@ describe "inspec exec" do it "properly validates all (valid) unit tests against the schema" do schema = JSONSchemer.schema(JSON.parse(inspec("schema exec-jsonmin").stdout)) all_profile_folders.first(1).each do |folder| - begin - out = inspec("exec " + folder + " --reporter json-min --no-create-lockfile") - # Ensure it parses properly; discard the result - out = JSON.parse(out.stdout) - failures = schema.validate(out).to_a - _(failures).must_equal [] - rescue JSON::ParserError - # We don't actually care about these; cannot validate if parsing fails! - nil - end + + out = inspec("exec " + folder + " --reporter json-min --no-create-lockfile") + # Ensure it parses properly; discard the result + out = JSON.parse(out.stdout) + failures = schema.validate(out).to_a + _(failures).must_equal [] + rescue JSON::ParserError + # We don't actually care about these; cannot validate if parsing fails! + nil + end end diff --git a/test/functional/inspec_json_profile_test.rb b/test/functional/inspec_json_profile_test.rb index 6ce66b893..6e5cbbe70 100644 --- a/test/functional/inspec_json_profile_test.rb +++ b/test/functional/inspec_json_profile_test.rb 
@@ -196,16 +196,16 @@ describe "inspec json" do it "properly validates all (valid) unit tests against the schema" do schema = JSONSchemer.schema(JSON.parse(inspec("schema profile-json").stdout)) all_profile_folders.first(1).each do |folder| - begin - out = inspec("json " + folder) - # Ensure it parses properly; discard the result - out = JSON.parse(out.stdout) - failures = schema.validate(out).to_a - _(failures).must_equal [] - rescue JSON::ParserError - # We don't actually care about these; cannot validate if parsing fails! - nil - end + + out = inspec("json " + folder) + # Ensure it parses properly; discard the result + out = JSON.parse(out.stdout) + failures = schema.validate(out).to_a + _(failures).must_equal [] + rescue JSON::ParserError + # We don't actually care about these; cannot validate if parsing fails! + nil + end end end diff --git a/test/functional/inspec_shell_test.rb b/test/functional/inspec_shell_test.rb index 39678deec..324796d55 100644 --- a/test/functional/inspec_shell_test.rb +++ b/test/functional/inspec_shell_test.rb @@ -9,7 +9,7 @@ describe "inspec shell tests" do describe "cmd" do def assert_shell_c(code, exit_status, json = false, stderr = "") json_suffix = " --reporter 'json'" if json - command = "shell -c '#{code.tr("'", '\\\'')}'#{json_suffix}" + command = "shell -c '#{code.tr("'", "\\'")}'#{json_suffix}" # On darwin this value is: # shell -c 'describe file(\"/Users/nickschwaderer/Documents/inspec/inspec/test/functional/inspec_shell_test.rb\") do it { should exist } end' --reporter 'json'" # appears to break in windows. 
@@ -25,7 +25,7 @@ describe "inspec shell tests" do def assert_shell_c_with_inputs(code, input_cmd, input, exit_status, json = false, stderr = "") json_suffix = " --reporter 'json'" if json - command = "shell -c '#{code.tr("'", '\\\'')}'#{input_cmd} #{input}#{json_suffix}" + command = "shell -c '#{code.tr("'", "\\'")}'#{input_cmd} #{input}#{json_suffix}" # On darwin this value is: # shell -c 'describe file(\"/Users/nickschwaderer/Documents/inspec/inspec/test/functional/inspec_shell_test.rb\") do it { should exist } end' --reporter 'json'" # appears to break in windows. @@ -226,7 +226,7 @@ describe "inspec shell tests" do end def do_shell(code, exit_status = 0, stderr = "") - cmd = "echo '#{code.tr("'", '\\\'')}' | #{exec_inspec} shell" + cmd = "echo '#{code.tr("'", "\\'")}' | #{exec_inspec} shell" self.out = CMD.run_command(cmd) assert_exit_code exit_status, out diff --git a/test/functional/inspec_vendor_test.rb b/test/functional/inspec_vendor_test.rb index 9a30953e8..fb9c6cb57 100644 --- a/test/functional/inspec_vendor_test.rb +++ b/test/functional/inspec_vendor_test.rb @@ -40,7 +40,7 @@ describe "example inheritance profile" do return unless is_windows? prepare_examples("inheritance") do |dir| - dir_with_backslash = File.join(dir, '..\\', File.basename(dir)) + dir_with_backslash = File.join(dir, "..\\", File.basename(dir)) out = inspec("vendor " + dir_with_backslash + " --overwrite") _(File.exist?(File.join(dir, "vendor"))).must_equal true diff --git a/test/unit/fetchers/fetchers_test.rb b/test/unit/fetchers/fetchers_test.rb index ed95af364..8e22cb532 100644 --- a/test/unit/fetchers/fetchers_test.rb +++ b/test/unit/fetchers/fetchers_test.rb @@ -37,7 +37,7 @@ describe "Inspec::Fetcher" do it "is able to handle Windows paths" do # simulate a local windows path file = __FILE__ - file.tr!("/", '\\') + file.tr!("/", "\\") res = Inspec::Fetcher::Registry.resolve(file) _(res).must_be_kind_of Inspec::Fetcher::Local _(res.target).must_equal __FILE__ 
diff --git a/test/unit/utils/erlang_parser_test.rb b/test/unit/utils/erlang_parser_test.rb index 6d0243d65..310d860a6 100644 --- a/test/unit/utils/erlang_parser_test.rb +++ b/test/unit/utils/erlang_parser_test.rb @@ -39,7 +39,7 @@ describe ErlangParser do end it "parses a root array with a single quoted string" do - _(parsestr('[\'st\\\'r\'].')).must_equal '{:array=>[{:string=>"st\\\\\'r"@2}]}' + _(parsestr("['st\\'r'].")).must_equal '{:array=>[{:string=>"st\\\\\'r"@2}]}' end it "parses a root array with an empty binary" do diff --git a/test/unit/utils/find_files_test.rb b/test/unit/utils/find_files_test.rb index 88157ca38..687f514fc 100644 --- a/test/unit/utils/find_files_test.rb +++ b/test/unit/utils/find_files_test.rb @@ -47,7 +47,7 @@ describe FindFiles do it "builds the correct command when an escaped single quote is used" do inspec.expects(:command).with('sh -c "find /a/\\\'b/"').returns(result) - helper.find_files('/a/\\\'b/') + helper.find_files("/a/\\'b/") end it "builds the correct command when an escaped double quote is used" do From 136dfab76046ce9477e54520d22ee7108a77e418 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 26 Apr 2021 14:54:20 +0530 Subject: [PATCH 136/483] Update control eval docs Signed-off-by: Vasu1105 --- dev-docs/control-eval.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-docs/control-eval.md b/dev-docs/control-eval.md index 12c3aad41..95132de2d 100644 --- a/dev-docs/control-eval.md +++ b/dev-docs/control-eval.md 
@@ -28,7 +28,7 @@ Additionally, a control_eval_context is created. It is an instance of an anonym ### DSL methods are executed at this time -So, if you have a control file with `title` in it, that will call the title method that was defined at `lib/inspec/control_eval_context.rb:60`. Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes). +So, if you have a control file with `title` in it, that will call the title method that was defined [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L46). Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes). ### Each control and their block are wrapped in an anonymous class From ca4cc26319a7928f9a6fea322914239bbbab4ec0 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 6 May 2021 16:54:17 +0530 Subject: [PATCH 137/483] Automate login to validate token before storing configurations Signed-off-by: Nikita Mathur --- .../lib/inspec-compliance/api.rb | 17 ++++++++ .../lib/inspec-compliance/api/login.rb | 27 ++++++++++--- .../lib/inspec-compliance/cli.rb | 5 +-- .../test/unit/api/login_test.rb | 39 ++++++++++++++++++- 4 files changed, 77 insertions(+), 11 deletions(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb index 013642373..b2833305a 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb 
@@ -170,6 +170,23 @@ module InspecPlugins [success, msg, access_token] end + # Use API access token to validate login using version API + def self.authenticate_login_using_version_api(url, api_token, insecure) + uri = URI.parse("#{url}/version") + req = Net::HTTP::Get.new(uri.path) + req["api-token"] = api_token + response = InspecPlugins::Compliance::HTTP.send_request(uri, req, insecure) + + if response.code == "200" + msg = "Successfully Logged In" + success = true + else + success = false + msg = "Failed to authenticate to #{url} \n\Response code: #{response.code}\nBody: #{response.body}" + end + [success, msg] + end + # Use username and password to get an API access token def self.get_token_via_password(url, username, password, insecure) uri = URI.parse("#{url}/login") diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb index 1f1dc585c..3b743c200 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb @@ -33,7 +33,8 @@ module InspecPlugins options["url"] = options["server"] + "/api/v0" token = options["dctoken"] || options["token"] - store_access_token(options, token) + success, msg = API::Login.authenticate_login(options) + success ? store_access_token(options, token) : msg end def self.store_access_token(options, token) @@ -52,7 +53,7 @@ module InspecPlugins config["version"] = "0" config.store - config + API::Login.configuration_stored_message(config) end def self.verify_thor_options(o) @@ -74,7 +75,8 @@ module InspecPlugins options["url"] = options["server"] + "/compliance" token = options["dctoken"] || options["token"] - store_access_token(options, token) + success, msg = API::Login.authenticate_login(options) + success ? store_access_token(options, token) : msg end def self.store_access_token(options, token) 
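Review bot: In `authenticate_login_using_version_api` the token is accepted on any `200` from `#{url}/version`, so the check is only as strong as that endpoint's authentication. If some server variant answers `/version` without checking `api-token` (not visible here), an invalid token would still be reported as "Successfully Logged In" and stored; a comment stating that assumption would help. The request also honours the caller's `insecure` flag, so with verification disabled the token is sent to an unverified peer before anything is stored. Separately, `\n\Response` has a stray backslash that only works because `\R` collapses to `R` in a double-quoted string; `"Failed to authenticate to #{url} \nResponse code: #{response.code}\nBody: #{response.body}"` is what is meant.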
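Review bot: In the login.rb hunk at `@@ -33,7 +33,8 @@` (and the same pattern at `@@ -74,7 +75,8 @@`), the value that gets stored is `options["dctoken"] || options["token"]`, but the `authenticate_login` helper added at the end of this file passes only `options["token"]` to the version check. A login that supplies only `--dctoken` would therefore be validated with a nil token, and the outcome of that request decides whether the data-collector token is stored. Having the helper pass `options["dctoken"] || options["token"],` as its second argument keeps the validated and stored values in step. Whether the version endpoint accepts a data-collector token in the `api-token` header is not visible here and should be confirmed.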
@@ -99,7 +101,7 @@ module InspecPlugins config["version"] = InspecPlugins::Compliance::API.version(config) config.store - config + API::Login.configuration_stored_message(config) end # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken` @@ -126,7 +128,8 @@ module InspecPlugins options["url"] = options["server"] + "/api" if options["user"] && options["token"] - compliance_store_access_token(options, options["token"]) + success, msg = API::Login.authenticate_login(options) + success ? compliance_store_access_token(options, options["token"]) : msg elsif options["user"] && options["password"] compliance_login_user_pass(options) elsif options["refresh_token"] @@ -171,7 +174,7 @@ module InspecPlugins config["version"] = InspecPlugins::Compliance::API.version(config) config.store - config + API::Login.configuration_stored_message(config) end # Compliance login requires `--user` or `--refresh_token` @@ -192,6 +195,18 @@ module InspecPlugins raise ArgumentError, error_msg.join("\n") unless error_msg.empty? end end + + def self.authenticate_login(options) + InspecPlugins::Compliance::API.authenticate_login_using_version_api( + options["url"], + options["token"], + options["insecure"] + ) + end + + def self.configuration_stored_message(config) + "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'" + end end end end diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index 25a4eee60..958c5f782 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb 
@@ -34,9 +34,8 @@ module InspecPlugins desc: "Enterprise for #{AUTOMATE_PRODUCT_NAME} reporting (#{AUTOMATE_PRODUCT_NAME} Only)" def login(server) options["server"] = server - InspecPlugins::Compliance::API.login(options) - config = InspecPlugins::Compliance::Configuration.new - puts "Stored configuration for Chef #{config["server_type"].capitalize}: #{config["server"]}' with user: '#{config["user"]}'" + login_response = InspecPlugins::Compliance::API.login(options) + puts login_response end desc "profiles", "list all available profiles in #{AUTOMATE_PRODUCT_NAME}" diff --git a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb index 3bdfe1df6..d9cdf070a 100644 --- a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb @@ -73,11 +73,10 @@ describe InspecPlugins::Compliance::API do end it "stores an access token" do - stub_request(:get, automate_options["server"] + "/compliance/version") + stub_request(:get, automate_options["server"] + "/api/v0/version") .to_return(status: 200, body: "", headers: {}) options = automate_options InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config) - InspecPlugins::Compliance::API.login(options) _(fake_config["automate"]["ent"]).must_equal("automate") _(fake_config["automate"]["token_type"]).must_equal("dctoken") 
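Review bot: `login` now prints whatever `API.login` returns, so a rejected token is reported through `puts` on stdout and, as far as this hunk shows, the command still exits with status 0. Scripts that run the login step unattended cannot tell a rejected token from a stored one. Consider returning the success flag together with the message and ending the failure path with a non-zero exit, e.g. `$stderr.puts msg; exit 1`. The failure text includes the server's response body unmodified, so sending it to stderr also keeps it out of captured stdout.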
@@ -86,6 +85,18 @@ describe InspecPlugins::Compliance::API do _(fake_config["server_type"]).must_equal("automate2") _(fake_config["token"]).must_equal("token") end + + it "puts error message when api-token while login is invalid" do + stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json + stub_request(:get, automate_options["server"] + "/api/v0/version") + .to_return(status: 401, body: stub_body, headers: {}) + options = automate_options + res = InspecPlugins::Compliance::API.login(options) + _(res).must_equal( + "Failed to authenticate to https://automate.example.com/api/v0 \n"\ + "Response code: 401\nBody: {\"error\":\"request not authenticated\",\"code\":16,\"message\":\"request not authenticated\",\"details\":[]}" + ) + end end describe "when target is a Chef Automate server" do @@ -132,6 +143,18 @@ describe InspecPlugins::Compliance::API do _(fake_config["server_type"]).must_equal("automate") _(fake_config["token"]).must_equal("token") end + + it "puts error message when api-token while login is invalid" do + stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json + stub_request(:get, automate_options["server"] + "/compliance/version") + .to_return(status: 401, body: stub_body, headers: {}) + options = automate_options + res = InspecPlugins::Compliance::API.login(options) + _(res).must_equal( + "Failed to authenticate to https://automate.example.com/compliance \n"\ + "Response code: 401\nBody: {\"error\":\"request not authenticated\",\"code\":16,\"message\":\"request not authenticated\",\"details\":[]}" + ) + end end describe "when target is a Chef Compliance server" do 
@@ -170,6 +193,18 @@ describe InspecPlugins::Compliance::API do _(fake_config["server_type"]).must_equal("compliance") _(fake_config["token"]).must_equal("token") end + + it "puts error message when api-token while login is invalid" do + stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json + stub_request(:get, automate_options["server"] + "/api/version") + .to_return(status: 401, body: stub_body, headers: {}) + options = automate_options + res = InspecPlugins::Compliance::API.login(options) + _(res).must_equal( + "Failed to authenticate to https://automate.example.com/api \n"\ + "Response code: 401\nBody: {\"error\":\"request not authenticated\",\"code\":16,\"message\":\"request not authenticated\",\"details\":[]}" + ) + end end describe "when target is neither a Chef Compliance nor Chef Automate server" do From a23dd75ae752ca02751875e884931a8ea5e303fc Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 6 May 2021 18:08:33 +0530 Subject: [PATCH 138/483] Better test name for automate login invalid token Signed-off-by: Nikita Mathur --- lib/plugins/inspec-compliance/test/unit/api/login_test.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb index d9cdf070a..564bb1eb0 100644 --- a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb 
@@ -86,7 +86,7 @@ describe InspecPlugins::Compliance::API do _(fake_config["token"]).must_equal("token") end - it "puts error message when api-token while login is invalid" do + it "puts error message when api-token is invalid" do stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json stub_request(:get, automate_options["server"] + "/api/v0/version") .to_return(status: 401, body: stub_body, headers: {}) @@ -144,7 +144,7 @@ describe InspecPlugins::Compliance::API do _(fake_config["token"]).must_equal("token") end - it "puts error message when api-token while login is invalid" do + it "puts error message when api-token is invalid" do stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json stub_request(:get, automate_options["server"] + "/compliance/version") .to_return(status: 401, body: stub_body, headers: {}) @@ -194,7 +194,7 @@ describe InspecPlugins::Compliance::API do _(fake_config["token"]).must_equal("token") end - it "puts error message when api-token while login is invalid" do + it "puts error message when api-token is invalid" do stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json stub_request(:get, automate_options["server"] + "/api/version") .to_return(status: 401, body: stub_body, headers: {}) From 174a3583554fb34906247051273b1ecc13735484 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 6 May 2021 19:32:03 +0530 Subject: [PATCH 139/483] Body content of http resourece - enforced utf-8 Signed-off-by: Nikita Mathur --- lib/inspec/resources/http.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/http.rb b/lib/inspec/resources/http.rb index 5c7f2e5a8..210f4d192 100644 --- a/lib/inspec/resources/http.rb +++ b/lib/inspec/resources/http.rb 
@@ -56,7 +56,7 @@ module Inspec::Resources end def body - @worker.body + @worker.body&.force_encoding(Encoding::UTF_8) end def http_method From cccac97be6ba66c64bb5e278baa52351e1c48a62 Mon Sep 17 00:00:00 2001 From: gscho Date: Mon, 10 May 2021 09:16:38 -0400 Subject: [PATCH 140/483] Update example to use params properly Signed-off-by: gscho --- docs-chef-io/content/inspec/resources/bond.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/bond.md b/docs-chef-io/content/inspec/resources/bond.md index f012e0312..7d5a0f6ff 100644 --- a/docs-chef-io/content/inspec/resources/bond.md +++ b/docs-chef-io/content/inspec/resources/bond.md @@ -75,11 +75,10 @@ The `params` matcher tests arbitrary parameters for the bonded network interface describe bond('bond0') do its('mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' } - its('Transmit Hash Policy') { should eq 'layer3+4 (1)' } - its('MII Status') { should eq 'up' } - its('MII Polling Interval (ms)') { should eq '100' } - its('Up Delay (ms)') { should eq '0' } - its('Down Delay (ms)') { should eq '0' } + its('params') { should have_key 'Transmit Hash Policy' } + its('params') { should include 'Transmit Hash Policy' => 'layer3+4 (1)' } + its('params') { should have_key 'MII Status' } + its('params') { should include 'MII Status' => 'up' } end ## Matchers From 0fe9c02da94c6bc7b998c42b1a7452540ae459de Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:25:33 +0000 Subject: [PATCH 141/483] Bump version to 4.37.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dea85d40d..13ee0b623 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
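Review bot: `force_encoding(Encoding::UTF_8)` in `body` only relabels the bytes; it neither transcodes nor validates them, and it ignores any charset the response declared. A body in another encoding, or one with invalid sequences, becomes a UTF-8 string for which `valid_encoding?` is false, and later regex matchers on it can raise `ArgumentError`. The call also modifies the worker's string in place, which would raise on a frozen string. `@worker.body&.dup&.force_encoding(Encoding::UTF_8)&.scrub` avoids both, provided replacing invalid bytes is acceptable for controls that inspect the body.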
@@ -1,9 +1,17 @@ # Change Log - + +## [v4.37.1](https://github.com/inspec/inspec/tree/v4.37.1) (2021-05-10) + +#### Merged Pull Requests +- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) - + +### Changes since 4.37.0 release + +#### Merged Pull Requests +- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) diff --git a/VERSION b/VERSION index 6164ba4cc..02d265370 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.0 \ No newline at end of file +4.37.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 1acd98163..d12343c23 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.0".freeze + VERSION = "4.37.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 29fe54fd1..8bb404559 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.0".freeze + VERSION = "4.37.1".freeze end From be47bcbc205d57ad4297be81c98e9d3beb49a557 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:36:48 +0000 Subject: [PATCH 142/483] Bump version to 4.37.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 13ee0b623..fbce897eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.1](https://github.com/inspec/inspec/tree/v4.37.1) (2021-05-10) + +## [v4.37.2](https://github.com/inspec/inspec/tree/v4.37.2) (2021-05-10) #### Merged Pull Requests -- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) +- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.0 release #### Merged Pull Requests +- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) - Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) diff --git a/VERSION b/VERSION index 02d265370..c4b640e7f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.1 \ No newline at end of file +4.37.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d12343c23..0006a7a45 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.1".freeze + VERSION = "4.37.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8bb404559..1fc2e4684 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.1".freeze + VERSION = "4.37.2".freeze end From fa56c4587b392a6fc626b3f198274553cb4ef29b Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 10 May 2021 20:41:32 +0000 Subject: [PATCH 143/483] Bump version to 4.37.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbce897eb..c3cda9ee2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.2](https://github.com/inspec/inspec/tree/v4.37.2) (2021-05-10) + +## [v4.37.3](https://github.com/inspec/inspec/tree/v4.37.3) (2021-05-10) #### Merged Pull Requests -- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) +- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.0 release #### Merged Pull Requests +- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) - HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) - Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) diff --git a/VERSION b/VERSION index c4b640e7f..301a382c4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.2 \ No newline at end of file +4.37.3 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0006a7a45..606ff92fd 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.2".freeze + VERSION = "4.37.3".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 1fc2e4684..a72c54fff 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.2".freeze + VERSION = "4.37.3".freeze end From c6b9f2438aeeaea039d3f4dfade219e11755daf6 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:44:12 +0000 Subject: [PATCH 144/483] Bump version to 4.37.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3cda9ee2..83403d775 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.3](https://github.com/inspec/inspec/tree/v4.37.3) (2021-05-10) + +## [v4.37.4](https://github.com/inspec/inspec/tree/v4.37.4) (2021-05-10) #### Merged Pull Requests -- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) +- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.0 release #### Merged Pull Requests +- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) - HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) - Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) diff --git a/VERSION b/VERSION index 301a382c4..b22b1b42a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.3 \ No newline at end of file +4.37.4 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 606ff92fd..3d9a6b374 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.3".freeze + VERSION = "4.37.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a72c54fff..b9bcc7b26 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.3".freeze + VERSION = "4.37.4".freeze end 
From bd687439a3745b27ebe09af0665660c2a9637b5e Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:47:58 +0000 Subject: [PATCH 145/483] Bump version to 4.37.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83403d775..846afff46 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.4](https://github.com/inspec/inspec/tree/v4.37.4) (2021-05-10) + +## [v4.37.5](https://github.com/inspec/inspec/tree/v4.37.5) (2021-05-10) #### Merged Pull Requests -- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) ### Changes since 4.37.0 release #### Merged Pull Requests +- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) - Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) - HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index b22b1b42a..6c5407b49 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.4 \ No newline at end of file +4.37.5 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 3d9a6b374..6691fb134 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.4".freeze + VERSION = "4.37.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index b9bcc7b26..d05ebb18d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.4".freeze + VERSION = "4.37.5".freeze end From 86e14edb7f10e7badcab1fda3c79edf6232d48cb Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:50:28 +0000 Subject: [PATCH 146/483] Bump version to 4.37.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 846afff46..f8ef9a606 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.5](https://github.com/inspec/inspec/tree/v4.37.5) (2021-05-10) + +## [v4.37.6](https://github.com/inspec/inspec/tree/v4.37.6) (2021-05-10) #### Merged Pull Requests -- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) +- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) ### Changes since 4.37.0 release #### Merged Pull Requests +- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) - Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) - Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 6c5407b49..eb9a2fa14 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.5 \ No newline at end of file +4.37.6 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 6691fb134..e1a63bf61 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.5".freeze + VERSION = "4.37.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index d05ebb18d..75da3c80b 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.5".freeze + VERSION = "4.37.6".freeze end From b90ed7b7a3da16b3df8e556946aeb011b4f8c752 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:53:43 +0000 Subject: [PATCH 147/483] Bump version to 4.37.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8ef9a606..b940b53ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.6](https://github.com/inspec/inspec/tree/v4.37.6) (2021-05-10) + +## [v4.37.7](https://github.com/inspec/inspec/tree/v4.37.7) (2021-05-10) #### Merged Pull Requests -- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) +- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) ### Changes since 4.37.0 release #### Merged Pull Requests +- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) - Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) - Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) - Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index eb9a2fa14..d158bd2a7 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.37.6 \ No newline at end of file +4.37.7 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e1a63bf61..0b20e27a1 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.6".freeze + VERSION = "4.37.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 75da3c80b..a51c5f5d4 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.6".freeze + VERSION = "4.37.7".freeze end From 54763c61d702001fa9349db98adf7495d8b7b30d Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 10 May 2021 20:56:05 +0000 Subject: [PATCH 148/483] Bump version to 4.37.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b940b53ea..12c3a3e2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.7](https://github.com/inspec/inspec/tree/v4.37.7) (2021-05-10) + +## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-10) #### Merged Pull Requests -- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) +- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.0 release #### Merged Pull Requests +- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) - Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) - Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) diff --git a/VERSION b/VERSION index d158bd2a7..611a30c09 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.7 \ No newline at end of file +4.37.8 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0b20e27a1..cc5d98d6f 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.7".freeze + VERSION = "4.37.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a51c5f5d4..5236eb187 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.7".freeze + VERSION = "4.37.8".freeze end From 45356ca08826fd73d6ce47179edaf6ef1059da96 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Mon, 10 May 2021 14:45:09 -0700 Subject: [PATCH 149/483] Docs editing Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/resources/toml.md | 65 +++++++++++-------- 1 file changed, 38 insertions(+), 27 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/toml.md b/docs-chef-io/content/inspec/resources/toml.md index 7c646b770..b8c68f3db 100644 --- a/docs-chef-io/content/inspec/resources/toml.md +++ b/docs-chef-io/content/inspec/resources/toml.md @@ -8,10 +8,10 @@ platform = "os" [menu.inspec] title = "toml" identifier = "inspec/resources/os/toml.md toml resource" - parent = "inspec/resources/toml" + parent = "inspec/resources/os" +++ -Use the `toml` Chef InSpec audit resource to test settings in a .toml file. +Use the `toml` Chef InSpec audit resource to test settings in a TOML file. ## Availability 
@@ -27,47 +27,58 @@ This resource first became available in v1.0.0 of InSpec. An `toml` resource block declares the configuration settings to be tested: - describe toml('path') do - its('setting_name') { should eq 'value' } - end +```ruby +describe toml('path') do + its('setting_name') { should eq 'value' } +end +``` -where +where: -- `'setting_name'` is a setting key defined in the toml file -- `('path')` is the path to the toml file -- `{ should eq 'value' }` is the value that is expected +- `'setting_name'` is a setting key defined in the TOML file. +- `('path')` is the path to the TOML file. +- `{ should eq 'value' }` is the value that is expected. -Assume the following TOML file: +## Examples - port = 8080 - fruits = ["apple", "banana", "cantaloupe"] +In the examples below, the `example.toml` file contains the following data: - [section] - key1 = "value1" +```toml +port = 8080 +fruits = ["apple", "banana", "cantaloupe"] +[section] +key1 = "value1" +``` -For example: +**Verify the port number:** - describe toml('path/to/toml_file.toml') do - its('port') { should eq 8080 } - end +```ruby +describe toml('path/to/example.toml') do + its('port') { should eq 8080 } +end +``` -Array values may be accessed by using brackets: +**Verify the value of an array using brackets:** - describe toml('path/to/toml_file.toml') do - its(['fruits', 0]) { should eq 'apple' } - end +```ruby +describe toml('path/to/example.toml') do + its(['fruits', 0]) { should eq 'apple' } +end +``` -Settings inside of sections, such as the following can be retrieved by using brackets as well: +**Verify the value of a key in a table using brackets:** - describe toml('path/to/toml_file.toml') do - its(['section', 'key1']) { should cmp 'value1' } - end +```ruby +describe toml('path/to/example.toml') do + its(['section', 'key1']) { should cmp 'value1' } +end +``` ## Properties -This resource supports any of the settings listed in an toml file as properties. 
+This resource supports any of the settings listed in a TOML file as properties. ## Matchers From 79ea90c1377a76a0adf21fddc429572272c1826c Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 10 May 2021 15:21:36 +0530 Subject: [PATCH 150/483] Update control-eval readme docs Signed-off-by: Vasu1105 --- dev-docs/control-eval.md | 56 ++++++++++++++++++++++++++++------------ 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/dev-docs/control-eval.md b/dev-docs/control-eval.md index 95132de2d..341a65c29 100644 --- a/dev-docs/control-eval.md +++ b/dev-docs/control-eval.md 
@@ -6,23 +6,45 @@ ## Tips -* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental subsitution. +* In the early days of Chef InSpec / ServerSpec, controls were called "rules". Throughout various places in the code, the word "rule" is used to mean "control". Make the mental substitution. * Chef InSpec supports reading profiles from tarballs, local files, git repos, etc. So, don't count on local file reading; instead it uses a special source reader to obtain the contents of the files. -## The basics of the stack - - #5 Inspec::Profile.collect_tests(include_list#Array) at lib/inspec/profile.rb:167 - #4 Hash.each at lib/inspec/profile.rb:167 - #3 block in Inspec::Profile.block in collect_tests(include_list#Array) at lib/inspec/profile.rb:170 - #2 Inspec::ProfileContext.load_control_file(*args#Array) at lib/inspec/profile_context.rb:141 - #1 Inspec::ProfileContext.control_eval_context at lib/inspec/profile_context.rb:58 - #0 #.create(profile_context#Inspec::ProfileContext, resources_dsl#Module) at lib/inspec/control_eval_context.rb:41 - ## A profile context is created -Like many things in Chef InSpec core, a profile context is an anonymous class. (verify) +Profile context gets instantiated as soon as the Profile gets created. -Additionally, a control_eval_context is created. It is an instance of an anonymous class; it has a class<->relationship with its profile context. See `lib/inspec/control_eval_context.rb`. 
+ 0 Inspec::ProfileContext.initialize(profile_id#String, backend#Inspec::Backend, conf#Hash) at inspec/lib/inspec/profile_context.rb:20 + ͱ-- #1 Class.new(*args) at inspec/lib/inspec/profile_context.rb:13 + #2 #.for_profile(profile#Inspec::Profile, backend#Inspec::Backend) at inspec/lib/inspec/profile_context.rb:13 + #3 Inspec::Profile.initialize(source_reader#SourceReaders::InspecReader, options#Hash) at inspec/lib/inspec/profile.rb:149 + ͱ-- #4 Class.new(*args) at inspec/lib/inspec/profile.rb:61 + #5 #.for_path(path#String, opts#Hash) at inspec/lib/inspec/profile.rb:61 + #6 #.for_fetcher(fetcher#Inspec::CachedFetcher, config#Hash) at inspec/lib/inspec/profile.rb:68 + #7 #.for_target(target#String, opts#Hash) at inspec/lib/inspec/profile.rb:74 + #8 Inspec::Runner.add_target(target#String, _opts#Array) at inspec/lib/inspec/runner.rb:198 + #9 block in Inspec::InspecCLI.block in exec(*targets#Array) at inspec/lib/inspec/cli.rb:283 + ͱ-- #10 Array.each at inspec/lib/inspec/cli.rb:283 + #11 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:283 + + +When run method of the runner gets called, it loads control [file](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L151) which instantiates the control_eval_context object [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L61) and creates dsl, and the adds profile_context as dsl class methods [here](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L243) + + #0 Inspec::ProfileContext::DomainSpecificLunacy::ClassMethods.add_methods(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:242 + #1 block in #.block in create_dsl(profile_context#Inspec::ProfileContext) at /inspec/lib/inspec/profile_context.rb:220 + ͱ-- #2 Module.initialize at inspec/lib/inspec/profile_context.rb:218 + ͱ-- #3 Class.new(*args) at inspec/lib/inspec/profile_context.rb:218 + #4 
#.create_dsl(profile_context#Inspec::ProfileContext) at inspec/lib/inspec/profile_context.rb:218 + #5 Inspec::ProfileContext.to_resources_dsl at inspec/lib/inspec/profile_context.rb:56 + #6 Inspec::ProfileContext.control_eval_context at inspec/lib/inspec/profile_context.rb:63 + #7 Inspec::ProfileContext.load_control_file(*args#Array) at inspec/lib/inspec/profile_context.rb:154 + #8 block in Inspec::Profile.block in collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:222 + ͱ-- #9 Hash.each at inspec/lib/inspec/profile.rb:216 + #10 Inspec::Profile.collect_tests(include_list#Array) at inspec/lib/inspec/profile.rb:216 + #11 block in Inspec::Runner.block in load at inspec/lib/inspec/runner.rb:119 + ͱ-- #12 Array.each at inspec/lib/inspec/runner.rb:101 + #13 Inspec::Runner.load at inspec/lib/inspec/runner.rb:101 + #14 Inspec::Runner.run(with#NilClass) at inspec/lib/inspec/runner.rb:135 + #15 Inspec::InspecCLI.exec(*targets#Array) at inspec/lib/inspec/cli.rb:286 ## Each file's contents are instance eval'd against the control_eval_context 
@@ -30,9 +52,9 @@ Additionally, a control_eval_context is created. It is an instance of an anonym So, if you have a control file with `title` in it, that will call the title method that was defined [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L46). Importantly, this also includes the `control` DSL keyword, and also the `describe` keyword (used for bare describes). -### Each control and their block are wrapped in an anonymous class +### Each control get registered as rule. -The anonymous class generator is located at `lib/inspec/control_eval_context.rb:24`. At this point, the terminology switches from `control` to `rule`. Each context class inherits from Inspec::Rule, which provides the constructor. +Each control gets registerd and the terminology switches from `control` to `rule` [here](https://github.com/inspec/inspec/blob/master/lib/inspec/control_eval_context.rb#L57) The control context class also gets extended with the resource DSL, so anything in the source code for the control can use the resource DSL. This includes all resource names, but importantly, the `describe` DSL keyword. @@ -40,7 +62,7 @@ Finally, Inspec::Rule provides the control DSL - impact, title, desc, ref, and t ### The block is instance_eval'd against the control context class -See `lib/inspec/rule.rb:50`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context anonymous class, and the current control's block is being instance eval'd against a control context anonymous class. +See `https://github.com/inspec/inspec/blob/master/lib/inspec/rule.rb#L46`. We're now in two levels of instance eval'ing - the file is gradually being eval'd against the profile context and the current control's block is being instance eval'd against a control context. At this stage, control-level metadata (impact, title, refs, tags, desc) are evaluated and set as instance vars on the control. 
@@ -54,9 +76,9 @@ And, the describe and describe.one blocks are executed. Using the method register_control (dynamically defined on the control eval context), we check for various skip conditions. If none of them apply, the control is then registered with the profile context using register_rule. -ProfileContext.register_rule's main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens). +[ProfileContext.register_rule's](https://github.com/inspec/inspec/blob/master/lib/inspec/profile_context.rb#L183) main job is to determine the full ID of the control (within the context of the profile) and either add it to the controls list, or (if another control with the same ID exists), merge it. (This is where overriding happens). Note: can skip a control with: Inspec::Rule.set_skip_rule(control, msg) -## What else? \ No newline at end of file +## What else? From 43c9caa7e9431d43f6ef6eb3ad0204e82a274558 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 12 May 2021 21:38:40 +0000 Subject: [PATCH 151/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 33 +++++++++++++++------------------ Dockerfile | 2 +- 2 files changed, 16 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12c3a3e2e..e5bdd2824 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,27 +1,25 @@ # Change Log - -## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-10) - -#### Merged Pull Requests -- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.37.0 release - -#### Merged Pull Requests -- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) -- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) -- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) -- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) -- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) -- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) + +## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-12) + +#### Merged Pull Requests +- Update `bond0` example to use params properly [#5518](https://github.com/inspec/inspec/pull/5518) ([gscho](https://github.com/gscho)) +- HTTP resource response body coerced into UTF-8 [#5510](https://github.com/inspec/inspec/pull/5510) ([Nik08](https://github.com/Nik08)) +- 
Fixed `automate login` fake feedback on failure [#5509](https://github.com/inspec/inspec/pull/5509) ([Nik08](https://github.com/Nik08)) +- Document auxiliary reporter options on the reporter docs page [#5504](https://github.com/inspec/inspec/pull/5504) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 [#5508](https://github.com/inspec/inspec/pull/5508) ([dependabot[bot]](https://github.com/dependabot[bot])) +- Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) +- Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) +- Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05) #### Enhancements @@ -40,7 +38,6 @@ - Fix undefined method `+' for nil:NilClass\n\nProfile: - when using profile dependencies and require_controls [#5487](https://github.com/inspec/inspec/pull/5487) ([Vasu1105](https://github.com/Vasu1105)) - Remove coverage testing [#5500](https://github.com/inspec/inspec/pull/5500) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Added alias command `automate` for `inspec compliance` [#5490](https://github.com/inspec/inspec/pull/5490) ([Nik08](https://github.com/Nik08)) - ## [v4.36.4](https://github.com/inspec/inspec/tree/v4.36.4) (2021-04-29) diff --git a/Dockerfile b/Dockerfile index 865cefb9e..fdb246335 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.0 +ARG VERSION=4.37.8 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 
From 19c624cf382bf4dfc6ffd00ebd9d388660c97a38 Mon Sep 17 00:00:00 2001 From: Kannan Ramakrishnan Date: Sat, 15 May 2021 12:18:39 +0530 Subject: [PATCH 152/483] Support zfs_pool and zfs_dataset resources on Linux. Handled #5075. Signed-off-by: @kannanr --- .../content/inspec/resources/zfs_dataset.md | 2 +- .../content/inspec/resources/zfs_pool.md | 2 +- lib/inspec/resources/zfs_dataset.rb | 11 ++--- lib/inspec/resources/zfs_pool.rb | 11 ++--- test/fixtures/cmd/zfs-which | 1 + test/fixtures/cmd/zpool-which | 1 + test/helpers/mock_loader.rb | 22 +++++++++ test/unit/resources/zfs_dataset_test.rb | 45 +++++++++++++++++-- test/unit/resources/zfs_pool_test.rb | 43 ++++++++++++++++-- 9 files changed, 118 insertions(+), 20 deletions(-) create mode 100644 test/fixtures/cmd/zfs-which create mode 100644 test/fixtures/cmd/zpool-which diff --git a/docs-chef-io/content/inspec/resources/zfs_dataset.md b/docs-chef-io/content/inspec/resources/zfs_dataset.md index 5e78b2d55..df981654d 100644 --- a/docs-chef-io/content/inspec/resources/zfs_dataset.md +++ b/docs-chef-io/content/inspec/resources/zfs_dataset.md @@ -11,7 +11,7 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD systems. +Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD & Linux (Centos, RHEL, Ubuntu, CloudLinux, Debian) systems. ## Availability diff --git a/docs-chef-io/content/inspec/resources/zfs_pool.md b/docs-chef-io/content/inspec/resources/zfs_pool.md index cc8cfcef5..f2bf03c6c 100644 --- a/docs-chef-io/content/inspec/resources/zfs_pool.md +++ b/docs-chef-io/content/inspec/resources/zfs_pool.md 
@@ -11,7 +11,7 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD systems. +Use the `zfs_pool` Chef InSpec audit resource to test the ZFS pools on FreeBSD & Linux (Centos, RHEL, Ubuntu, CloudLinux, Debian) systems. ## Availability diff --git a/lib/inspec/resources/zfs_dataset.rb b/lib/inspec/resources/zfs_dataset.rb index 5d14f40a4..bb760b2ef 100644 --- a/lib/inspec/resources/zfs_dataset.rb +++ b/lib/inspec/resources/zfs_dataset.rb @@ -16,16 +16,17 @@ module Inspec::Resources EXAMPLE def initialize(zfs_dataset) - return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd? - + return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless (inspec.os.bsd? or inspec.os.linux?) @zfs_dataset = zfs_dataset - + find_zfs = inspec.command("which zfs") + @zfs_cmd = find_zfs.stdout.strip + return skip_resource "zfs is not installed" if find_zfs.exit_status != 0 @params = gather end # method called by 'it { should exist }' def exists? - inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}").exit_status == 0 + inspec.command("#{@zfs_cli} get -Hp all #{@zfs_dataset}").exit_status == 0 end def mounted? @@ -39,7 +40,7 @@ module Inspec::Resources end def gather - cmd = inspec.command("/sbin/zfs get -Hp all #{@zfs_dataset}") + cmd = inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}") return nil if cmd.exit_status.to_i != 0 # parse data diff --git a/lib/inspec/resources/zfs_pool.rb b/lib/inspec/resources/zfs_pool.rb index 39f764a5b..04afdcefa 100644 --- a/lib/inspec/resources/zfs_pool.rb +++ b/lib/inspec/resources/zfs_pool.rb 
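Review bot: `exists?` interpolates `@zfs_cli`, but `initialize` in this same hunk only ever assigns `@zfs_cmd`, so the string handed to `inspec.command` starts with an empty executable name and `it { should exist }` would presumably fail for every dataset, present or not. The line should read `inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}").exit_status == 0`. The unit tests added in this patch read `mountpoint`, `type`, `exec` and `setuid` but never call `exists?`, which is why nothing caught it. An `exists?` assertion for the FreeBSD and the Linux loader would pin the behaviour.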
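Review bot: In `gather`, both `@zfs_cmd` (the raw stdout of `which zfs` on the target) and `@zfs_dataset` (the resource argument, which a profile may fill from an input) are spliced unquoted into the command string, so whitespace or a shell metacharacter in either one changes what is executed on the audited host. Quoting both keeps the call to one program and one dataset name: `cmd = inspec.command("#{Shellwords.escape(@zfs_cmd)} get -Hp all #{Shellwords.escape(@zfs_dataset)}")`, with `require "shellwords"` at the top of the file if it is not already loaded there. The same applies to `exists?` in the previous hunk and to both `@zpool_cmd` call sites in `lib/inspec/resources/zfs_pool.rb`. The body of `gather` continues past the end of this hunk.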
@@ -15,16 +15,17 @@ module Inspec::Resources EXAMPLE def initialize(zfs_pool) - return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd? - + return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless (inspec.os.bsd? or inspec.os.linux?) @zfs_pool = zfs_pool - + find_zpool = inspec.command("which zpool") + @zpool_cmd = find_zpool.stdout.strip + return skip_resource "zfs is not installed" if find_zpool.exit_status != 0 @params = gather end # method called by 'it { should exist }' def exists? - inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}").exit_status == 0 + inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}").exit_status == 0 end def to_s @@ -32,7 +33,7 @@ module Inspec::Resources end def gather - cmd = inspec.command("/sbin/zpool get -Hp all #{@zfs_pool}") + cmd = inspec.command("#{@zpool_cmd} get -Hp all #{@zfs_pool}") return nil if cmd.exit_status.to_i != 0 # parse data diff --git a/test/fixtures/cmd/zfs-which b/test/fixtures/cmd/zfs-which new file mode 100644 index 000000000..a69efa5af --- /dev/null +++ b/test/fixtures/cmd/zfs-which @@ -0,0 +1 @@ +/sbin/zfs \ No newline at end of file diff --git a/test/fixtures/cmd/zpool-which b/test/fixtures/cmd/zpool-which new file mode 100644 index 000000000..150bdbdcb --- /dev/null +++ b/test/fixtures/cmd/zpool-which @@ -0,0 +1 @@ +/sbin/zpool \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 45b96817b..24bcee23c 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
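Review bot: `initialize` now trusts whatever `which zpool` prints, which replaces the fixed `/sbin/zpool` with a lookup through the PATH of the account InSpec connects as, and the only validation is the exit status. `which` is not a POSIX utility and, as far as I know, some implementations print a "no zpool in ..." message while still exiting 0, in which case that message would become `@zpool_cmd`. Checking the shape of the result as well is cheap: `return skip_resource "zfs is not installed" if find_zpool.exit_status != 0 || !@zpool_cmd.start_with?("/")`. `lib/inspec/resources/zfs_dataset.rb` has the same lookup for `zfs`.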
@@ -427,6 +427,10 @@ class MockLoader "/sbin/zfs get -Hp all tank/tmp" => cmd.call("zfs-get-all-tank-tmp"), # zfs output for pool tank "/sbin/zpool get -Hp all tank" => cmd.call("zpool-get-all-tank"), + # which zfs + "which zfs" => cmd.call("zfs-which"), + # which zpool + "which zpool" => cmd.call("zpool-which"), # docker "4f8e24022ea8b7d3b117041ec32e55d9bf08f11f4065c700e7c1dc606c84fd17" => cmd.call("docker-ps-a"), "b40ed61c006b54f155b28a85dc944dc0352b30222087b47c6279568ec0e59d05" => cmd.call("df-PT"), @@ -590,6 +594,24 @@ class MockLoader "netstat -tulpen" => cmd.call("netstat-tulpen") ) end + + # zfs dynamic commands + if @platform && ["centos", "debian", "ubuntu", "amazon"].include?(@platform[:name]) + mock_cmds.merge!( + # zfs output for dataset tank/tmp + %{`which zfs` get -Hp all tank/tmp} => cmd.call("zfs-get-all-tank-tmp"), + # zfs output for pool tank + %{`which zpool` get -Hp all tank} => cmd.call("zpool-get-all-tank"), + ) + end + + if @platform && !["centos", "cloudlinux", "coreos", "debian", "freebsd", "ubuntu", "amazon"].include?(@platform[:name]) + mock_cmds.delete("/sbin/zfs get -Hp all tank/tmp") + mock_cmds.delete("/sbin/zpool get -Hp all tank") + mock_cmds.delete("which zfs") + mock_cmds.delete("which zpool") + end + mock.commands = mock_cmds @backend diff --git a/test/unit/resources/zfs_dataset_test.rb b/test/unit/resources/zfs_dataset_test.rb index e972e0e45..08af453b7 100644 --- a/test/unit/resources/zfs_dataset_test.rb +++ b/test/unit/resources/zfs_dataset_test.rb 
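Review bot: The two keys added under "zfs dynamic commands" (``%{`which zfs` get -Hp all tank/tmp}`` and the `zpool` one) contain literal backticks, but the resources in this patch never send such a string: they run `which zfs` first and then interpolate its stripped stdout, which the new `zfs-which` fixture sets to `/sbin/zfs`. If that reading is right, the Linux tests are served by the existing static `/sbin/zfs get -Hp all tank/tmp` entry and this `merge!` block is dead, so I would drop it or add a comment naming the caller that issues the backtick form. The platform list here (`centos debian ubuntu amazon`) also differs from the one guarding the `delete` calls just below, which deserves a one-line comment explaining why. The surrounding method starts and ends outside this hunk.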
@@ -7,9 +7,46 @@ describe Inspec::Resources::ZfsDataset do let(:tank_tmp_resource) { loader.send("load_resource", "zfs_dataset", "tank/tmp") } it "parses the ZFS dataset data properly" do - _(tank_tmp_resource.send(:mountpoint)).must_equal("/tmp") - _(tank_tmp_resource.send(:type)).must_equal("filesystem") - _(tank_tmp_resource.send(:exec)).must_equal("off") - _(tank_tmp_resource.send(:setuid)).must_equal("off") + if _(tank_tmp_resource) + _(tank_tmp_resource.send(:mountpoint)).must_equal("/tmp") + _(tank_tmp_resource.send(:type)).must_equal("filesystem") + _(tank_tmp_resource.send(:exec)).must_equal("off") + _(tank_tmp_resource.send(:setuid)).must_equal("off") + end end end + + +describe Inspec::Resources::ZfsDataset do + let(:loader) { MockLoader.new(:centos7) } + let(:tank_tmp_resource) { loader.send("load_resource", "zfs_dataset", "tank/tmp") } + + it "parses the ZFS dataset data properly" do + if _(tank_tmp_resource) + _(tank_tmp_resource.send(:mountpoint)).must_equal("/tmp") + _(tank_tmp_resource.send(:type)).must_equal("filesystem") + _(tank_tmp_resource.send(:exec)).must_equal("off") + _(tank_tmp_resource.send(:setuid)).must_equal("off") + end + end +end + +describe Inspec::Resources::ZfsDataset do + let(:loader) { MockLoader.new(:macos10_16) } + let(:tank_resource) { loader.send("load_resource", "zfs_dataset", "tank") } + + it "parses the ZFS pool data properly" do + if _(tank_resource) + _(tank_resource.resource_exception_message).must_equal("zfs is not installed") + end + end +end + + +describe Inspec::Resources::ZfsDataset do + it "parses the ZFS dataset properly" do + resource = MockLoader.new(:macos10_16).load_resource("zfs_dataset", "tank") + _(resource.resource_exception_message).must_equal "zfs is not installed" + end +end + diff --git a/test/unit/resources/zfs_pool_test.rb b/test/unit/resources/zfs_pool_test.rb index 1797133f8..aaf3cfa8d 100644 --- a/test/unit/resources/zfs_pool_test.rb +++ b/test/unit/resources/zfs_pool_test.rb 
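Review bot: The `if _(tank_tmp_resource)` guard wrapped around the assertions never skips anything, because `_()` returns a Minitest expectation object and that is always truthy, so it only makes the test look conditional. Assert unconditionally, as the original lines did, and where a platform is expected to skip, assert on `resource_exception_message` the way the last `describe` block does. The third and fourth `describe` blocks both check the same macOS "zfs is not installed" message, and the third is titled "parses the ZFS pool data properly" inside the dataset test, so one of them can go. `test/unit/resources/zfs_pool_test.rb` in this patch has the same guard and the same duplicate.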
@@ -7,9 +7,44 @@ describe Inspec::Resources::ZfsPool do let(:tank_resource) { loader.send("load_resource", "zfs_pool", "tank") } it "parses the ZFS pool data properly" do - _(tank_resource.send(:health)).must_equal("ONLINE") - _(tank_resource.send(:guid)).must_equal("4711279777582057513") - _(tank_resource.send(:failmode)).must_equal("continue") - _(tank_resource.send(:'feature@lz4_compress')).must_equal("active") + if _(tank_resource) + _(tank_resource.send(:health)).must_equal("ONLINE") + _(tank_resource.send(:guid)).must_equal("4711279777582057513") + _(tank_resource.send(:failmode)).must_equal("continue") + _(tank_resource.send(:'feature@lz4_compress')).must_equal("active") + end + end +end + +describe Inspec::Resources::ZfsPool do + let(:loader) { MockLoader.new(:centos7) } + let(:tank_resource) { loader.send("load_resource", "zfs_pool", "tank") } + + it "parses the ZFS pool data properly" do + if _(tank_resource) + _(tank_resource.send(:health)).must_equal("ONLINE") + _(tank_resource.send(:guid)).must_equal("4711279777582057513") + _(tank_resource.send(:failmode)).must_equal("continue") + _(tank_resource.send(:'feature@lz4_compress')).must_equal("active") + end + end +end + +describe Inspec::Resources::ZfsPool do + let(:loader) { MockLoader.new(:macos10_16) } + let(:tank_resource) { loader.send("load_resource", "zfs_pool", "tank") } + + it "parses the ZFS pool data properly" do + if _(tank_resource) + _(tank_resource.resource_exception_message).must_equal("zfs is not installed") + end + end +end + + +describe Inspec::Resources::ZfsPool do + it "parses the ZFS pool data properly" do + resource = MockLoader.new(:macos10_16).load_resource("zfs_pool", "tank") + _(resource.resource_exception_message).must_equal "zfs is not installed" end end From 0d83a44f44f9d7bb19e1c96fc7e5c2bb725fb0c0 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Sat, 15 May 2021 16:56:53 +0530 Subject: [PATCH 153/483] Fix the lint and failing test for windows_feature resource 
Signed-off-by: Vasu1105 --- lib/inspec/resources/windows_feature.rb | 2 +- test/fixtures/cmd/dism-iis-webserver | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/inspec/resources/windows_feature.rb b/lib/inspec/resources/windows_feature.rb index a691e0d5a..dfe7f4555 100644 --- a/lib/inspec/resources/windows_feature.rb +++ b/lib/inspec/resources/windows_feature.rb @@ -83,7 +83,7 @@ module Inspec::Resources feature_info = { name: result.match(feature_name_regex).captures[0].chomp, description: result.match(description_regex).captures[0].chomp, - installed: result.match(state_regex).captures[0].chomp == 'Enabled', + installed: result.match(state_regex).captures[0].chomp == "Enabled", } end diff --git a/test/fixtures/cmd/dism-iis-webserver b/test/fixtures/cmd/dism-iis-webserver index e1d6a26de..27a7cda08 100644 --- a/test/fixtures/cmd/dism-iis-webserver +++ b/test/fixtures/cmd/dism-iis-webserver @@ -9,7 +9,7 @@ Feature Name : IIS-WebServer Display Name : World Wide Web Services Description : Installs the IIS 10.0 World Wide Web Services. Provides support for HTML web sites and optional support for ASP.NET, Classic ASP, and web server extensions. Restart Required : Possible -State : Disabled +State : Enabled Custom Properties: From d1831a318cee4f7bf599acdbd99f7502a921d62b Mon Sep 17 00:00:00 2001 From: Kannan Ramakrishnan Date: Sat, 15 May 2021 17:48:19 +0530 Subject: [PATCH 154/483] Lint errors handled. Signed-off-by: @kannanr --- lib/inspec/resources/windows_feature.rb | 2 +- lib/inspec/resources/zfs_dataset.rb | 5 ++++- lib/inspec/resources/zfs_pool.rb | 5 ++++- test/helpers/mock_loader.rb | 6 +++--- test/unit/resources/zfs_dataset_test.rb | 2 -- test/unit/resources/zfs_pool_test.rb | 1 - 6 files changed, 12 insertions(+), 9 deletions(-) diff --git a/lib/inspec/resources/windows_feature.rb b/lib/inspec/resources/windows_feature.rb index a691e0d5a..dfe7f4555 100644 --- a/lib/inspec/resources/windows_feature.rb 
+++ b/lib/inspec/resources/windows_feature.rb @@ -83,7 +83,7 @@ module Inspec::Resources feature_info = { name: result.match(feature_name_regex).captures[0].chomp, description: result.match(description_regex).captures[0].chomp, - installed: result.match(state_regex).captures[0].chomp == 'Enabled', + installed: result.match(state_regex).captures[0].chomp == "Enabled", } end diff --git a/lib/inspec/resources/zfs_dataset.rb b/lib/inspec/resources/zfs_dataset.rb index bb760b2ef..1c755042f 100644 --- a/lib/inspec/resources/zfs_dataset.rb +++ b/lib/inspec/resources/zfs_dataset.rb @@ -16,11 +16,14 @@ module Inspec::Resources EXAMPLE def initialize(zfs_dataset) - return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless (inspec.os.bsd? or inspec.os.linux?) + return skip_resource "The `zfs_dataset` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux? + @zfs_dataset = zfs_dataset find_zfs = inspec.command("which zfs") @zfs_cmd = find_zfs.stdout.strip + return skip_resource "zfs is not installed" if find_zfs.exit_status != 0 + @params = gather end diff --git a/lib/inspec/resources/zfs_pool.rb b/lib/inspec/resources/zfs_pool.rb index 04afdcefa..1c974d44b 100644 --- a/lib/inspec/resources/zfs_pool.rb +++ b/lib/inspec/resources/zfs_pool.rb @@ -15,11 +15,14 @@ module Inspec::Resources EXAMPLE def initialize(zfs_pool) - return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless (inspec.os.bsd? or inspec.os.linux?) + return skip_resource "The `zfs_pool` resource is not supported on your OS yet." unless inspec.os.bsd? || inspec.os.linux? + @zfs_pool = zfs_pool find_zpool = inspec.command("which zpool") @zpool_cmd = find_zpool.stdout.strip + return skip_resource "zfs is not installed" if find_zpool.exit_status != 0 + @params = gather end diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 24bcee23c..e49d62e69 100644 --- a/test/helpers/mock_loader.rb 
+++ b/test/helpers/mock_loader.rb @@ -596,16 +596,16 @@ class MockLoader end # zfs dynamic commands - if @platform && ["centos", "debian", "ubuntu", "amazon"].include?(@platform[:name]) + if @platform && %w{centos debian ubuntu amazon}.include?(@platform[:name]) mock_cmds.merge!( # zfs output for dataset tank/tmp %{`which zfs` get -Hp all tank/tmp} => cmd.call("zfs-get-all-tank-tmp"), # zfs output for pool tank - %{`which zpool` get -Hp all tank} => cmd.call("zpool-get-all-tank"), + %{`which zpool` get -Hp all tank} => cmd.call("zpool-get-all-tank") ) end - if @platform && !["centos", "cloudlinux", "coreos", "debian", "freebsd", "ubuntu", "amazon"].include?(@platform[:name]) + if @platform && ! %w{centos cloudlinux coreos debian freebsd ubuntu amazon}.include?(@platform[:name]) mock_cmds.delete("/sbin/zfs get -Hp all tank/tmp") mock_cmds.delete("/sbin/zpool get -Hp all tank") mock_cmds.delete("which zfs") diff --git a/test/unit/resources/zfs_dataset_test.rb b/test/unit/resources/zfs_dataset_test.rb index 08af453b7..757a3e06a 100644 --- a/test/unit/resources/zfs_dataset_test.rb +++ b/test/unit/resources/zfs_dataset_test.rb @@ -16,7 +16,6 @@ describe Inspec::Resources::ZfsDataset do end end - describe Inspec::Resources::ZfsDataset do let(:loader) { MockLoader.new(:centos7) } let(:tank_tmp_resource) { loader.send("load_resource", "zfs_dataset", "tank/tmp") } @@ -42,7 +41,6 @@ describe Inspec::Resources::ZfsDataset do end end - describe Inspec::Resources::ZfsDataset do it "parses the ZFS dataset properly" do resource = MockLoader.new(:macos10_16).load_resource("zfs_dataset", "tank") diff --git a/test/unit/resources/zfs_pool_test.rb b/test/unit/resources/zfs_pool_test.rb index aaf3cfa8d..9aaa638e7 100644 --- a/test/unit/resources/zfs_pool_test.rb +++ b/test/unit/resources/zfs_pool_test.rb 
@@ -41,7 +41,6 @@ describe Inspec::Resources::ZfsPool do end end - describe Inspec::Resources::ZfsPool do it "parses the ZFS pool data properly" do resource = MockLoader.new(:macos10_16).load_resource("zfs_pool", "tank") From feb12fef7777b8a95656771d935d2d1604628b15 Mon Sep 17 00:00:00 2001 From: Kannan Ramakrishnan Date: Sat, 15 May 2021 18:53:39 +0530 Subject: [PATCH 155/483] Fixed a typo in variable name. Signed-off-by: @kannanr --- lib/inspec/resources/zfs_dataset.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/zfs_dataset.rb b/lib/inspec/resources/zfs_dataset.rb index 1c755042f..bca09ddc5 100644 --- a/lib/inspec/resources/zfs_dataset.rb +++ b/lib/inspec/resources/zfs_dataset.rb @@ -29,7 +29,7 @@ module Inspec::Resources # method called by 'it { should exist }' def exists? - inspec.command("#{@zfs_cli} get -Hp all #{@zfs_dataset}").exit_status == 0 + inspec.command("#{@zfs_cmd} get -Hp all #{@zfs_dataset}").exit_status == 0 end def mounted? From 0745c3e183ef8d468ad9fe190d1ef2f24e2f32b2 Mon Sep 17 00:00:00 2001 From: Kannan Ramakrishnan Date: Sun, 16 May 2021 02:43:51 +0530 Subject: [PATCH 156/483] Documentation wording changed. Added OS list link. Signed-off-by: @kannanr --- docs-chef-io/content/inspec/resources/zfs_dataset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/zfs_dataset.md b/docs-chef-io/content/inspec/resources/zfs_dataset.md index df981654d..d09284705 100644 --- a/docs-chef-io/content/inspec/resources/zfs_dataset.md +++ b/docs-chef-io/content/inspec/resources/zfs_dataset.md 
@@ -11,7 +11,7 @@ platform = "linux" parent = "inspec/resources/os" +++ -Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD & Linux (Centos, RHEL, Ubuntu, CloudLinux, Debian) systems. +Use the `zfs_dataset` Chef InSpec audit resource to test the ZFS datasets on FreeBSD & Linux (Check [OS Family Details](https://docs.chef.io/inspec/resources/os/#osfamily-helpers) for more details). ## Availability From 17ebbe2033f36e2d7ee866564877240da8aafedc Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Sun, 16 May 2021 20:56:05 +0000 Subject: [PATCH 157/483] Bump version to 4.37.9 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5bdd2824..b7b342c05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.37.9](https://github.com/inspec/inspec/tree/v4.37.9) (2021-05-16) + +#### Merged Pull Requests +- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) - + +### Changes since 4.37.8 release + +#### Merged Pull Requests +- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 611a30c09..cf817e2ed 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.8 \ No newline at end of file +4.37.9 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index cc5d98d6f..3b3da58ed 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.8".freeze + VERSION = "4.37.9".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 5236eb187..bc8c036ac 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.8".freeze + VERSION = "4.37.9".freeze end From d0369f5271c834b20d1cf5f96f51b3845cee04f1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Sun, 16 May 2021 20:58:53 +0000 Subject: [PATCH 158/483] Bump version to 4.37.10 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b7b342c05..f462334a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.9](https://github.com/inspec/inspec/tree/v4.37.9) (2021-05-16) + +## [v4.37.10](https://github.com/inspec/inspec/tree/v4.37.10) (2021-05-16) #### Merged Pull Requests -- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) +- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) ### Changes since 4.37.8 release #### Merged Pull Requests +- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) - Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index cf817e2ed..1f3a88cde 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.37.9 \ No newline at end of file +4.37.10 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 3b3da58ed..4d901d3b5 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.9".freeze + VERSION = "4.37.10".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index bc8c036ac..9a0215e83 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.9".freeze + VERSION = "4.37.10".freeze end From 44c4bf9a8628e09eb4462e432a60c92611b55010 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Sun, 16 May 2021 21:15:09 +0000 Subject: [PATCH 159/483] Bump version to 4.37.11 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f462334a9..8929e10f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.10](https://github.com/inspec/inspec/tree/v4.37.10) (2021-05-16) + +## [v4.37.11](https://github.com/inspec/inspec/tree/v4.37.11) (2021-05-16) #### Merged Pull Requests -- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) +- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.8 release #### Merged Pull Requests +- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) - Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 1f3a88cde..d9d7d3dc7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.10 \ No newline at end of file +4.37.11 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 4d901d3b5..49b6dbed7 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.10".freeze + VERSION = "4.37.11".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 9a0215e83..057a34f15 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.10".freeze + VERSION = "4.37.11".freeze end From 1e96f31a0c76291050d5aa6b038a472ac92cca5b Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Sun, 16 May 2021 21:18:11 +0000 Subject: [PATCH 160/483] Bump version to 4.37.12 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8929e10f6..f1fa38556 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.11](https://github.com/inspec/inspec/tree/v4.37.11) (2021-05-16) + +## [v4.37.12](https://github.com/inspec/inspec/tree/v4.37.12) (2021-05-16) #### Merged Pull Requests -- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.8 release #### Merged Pull Requests +- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) - Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index d9d7d3dc7..487b9d36d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.11 \ No newline at end of file +4.37.12 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 49b6dbed7..b078a0636 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.11".freeze + VERSION = "4.37.12".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 057a34f15..57bd3ecbf 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.11".freeze + VERSION = "4.37.12".freeze end From 822d0fadd1bf6967627cfd5e0ee03b5dc6a90ed5 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 17:37:10 -0400 Subject: [PATCH 161/483] Add info about inspec-core Signed-off-by: Clinton Wolfe --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 270e07b40..db4e6b3db 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,9 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ### Install it via rubygems.org -When installing from source, gem dependencies may require ruby build tools to be installed. +When installing from source, gem dependencies may require ruby build tools to be installed. (A compiler-free variant is available with reduced functionality; use `inspec-core-bin` and `inspec-core`.) + +To install build tools, use your package manager. For CentOS/RedHat/Fedora: From 5d080a9d2877ec15d426269d733c0d3c57fe3079 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 17:37:39 -0400 Subject: [PATCH 162/483] Remove outdated SSHD example Signed-off-by: Clinton Wolfe --- README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/README.md b/README.md index db4e6b3db..be5259b2f 100644 --- a/README.md +++ b/README.md 
@@ -211,14 +211,6 @@ describe port(443) do end ``` -* Use approved strong ciphers - This test ensures that only enterprise-compliant ciphers are used for SSH servers. - -```ruby -describe sshd_config do -   its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') } -end -``` - * Test your `kitchen.yml` file to verify that only Vagrant is configured as the driver. The %w() formatting will pass rubocop linting and allow you to access nested mappings. From 4360927437a686658c5698c0c06843cac2098623 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 17:42:50 -0400 Subject: [PATCH 163/483] Add Christoph and Dom to Kudos section Signed-off-by: Clinton Wolfe --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index be5259b2f..8839be818 100644 --- a/README.md +++ b/README.md @@ -360,6 +360,8 @@ You may also [browse the Supermarket for shared Compliance Profiles](https://sup ## Kudos +Chef InSpec was originally created by Christoph Hartmann (@chris-rock) and Dominik Richter (@arlimus). + Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)! The AWS resources were inspired by [inspec-aws](https://github.com/arothian/inspec-aws) from [arothian](https://github.com/arothian). From 6ca433085527a3aa287a2f3719eac6ae58d95fbc Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 17:45:42 -0400 Subject: [PATCH 164/483] Update copyright Signed-off-by: Clinton Wolfe --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 8839be818..fe345a3d6 100644 --- a/README.md +++ b/README.md 
@@ -444,13 +444,14 @@ KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test -c 3 ## License -| | | -| -------------- | ----------------------------------------- | -| **Author:** | Dominik Richter () | -| **Author:** | Christoph Hartmann () | -| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. | -| **Copyright:** | Copyright (c) 2017-2018 Chef Software Inc.| -| **License:** | Apache License, Version 2.0 | +| | | +| -------------- | ---------------------------------------------- | +| **Author:** | Dominik Richter () | +| **Author:** | Christoph Hartmann () | +| **Copyright:** | Copyright (c) 2015 Vulcano Security GmbH. | +| **Copyright:** | Copyright (c) 2017-2020 Chef Software Inc. | +| **Copyright:** | Copyright (c) 2020-2021 Progress Software Corp.| +| **License:** | Apache License, Version 2.0 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From aa8afc8c82f8afe34d41efce51467a175ea3da61 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 17:53:59 -0400 Subject: [PATCH 165/483] Add liense infor about Chef EULA Signed-off-by: Clinton Wolfe --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index fe345a3d6..8a0343370 100644 --- a/README.md +++ b/README.md @@ -452,6 +452,10 @@ KITCHEN_YAML=kitchen.dokken.yml bundle exec kitchen test -c 3 | **Copyright:** | Copyright (c) 2017-2020 Chef Software Inc. | | **Copyright:** | Copyright (c) 2020-2021 Progress Software Corp.| | **License:** | Apache License, Version 2.0 | +| **License:** | Chef End User License Agreement | + +Chef InSpec is distributed under the Apache License, Version 2.0. +Permission to use the software is governed by the [Chef EULA](https://docs.chef.io/chef_license_accept.html). Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
From 25f0099ca07c096d3d7c9b2f3fbdc1d1eb0b2589 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Sun, 16 May 2021 18:05:31 -0400 Subject: [PATCH 166/483] Add explicit RHEL8 builders Signed-off-by: Clinton Wolfe --- .expeditor/release.omnibus.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.expeditor/release.omnibus.yml b/.expeditor/release.omnibus.yml index 2a4bf1fab..6a654b0c1 100644 --- a/.expeditor/release.omnibus.yml +++ b/.expeditor/release.omnibus.yml @@ -16,12 +16,14 @@ builder-to-testers-map: - el-6-x86_64 el-7-aarch64: - el-7-aarch64 - - el-8-aarch64 - amazon-2-aarch64 el-7-x86_64: - el-7-x86_64 - - el-8-x86_64 - amazon-2-x86_64 + el-8-aarch64: + - el-8-aarch64 + el-8-x86_64: + - el-8-x86_64 mac_os_x-10.14-x86_64: - mac_os_x-10.14-x86_64 - mac_os_x-10.15-x86_64 From 08f2fcf4bbf8c2489e6c1a351da73dc5a9b33421 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 13 May 2021 21:18:41 +0530 Subject: [PATCH 167/483] Fix for port resource performance: adding more specific search while using ss command Signed-off-by: Vasu1105 --- lib/inspec/resources/port.rb | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/lib/inspec/resources/port.rb b/lib/inspec/resources/port.rb index 30711fb88..d6b460a57 100644 --- a/lib/inspec/resources/port.rb +++ b/lib/inspec/resources/port.rb @@ -54,7 +54,7 @@ module Inspec::Resources def port_manager_for_os os = inspec.os if os.linux? - LinuxPorts.new(inspec) + LinuxPorts.new(inspec, @port) elsif os.aix? # AIX: see http://www.ibm.com/developerworks/aix/library/au-lsof.html#resources # and https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp @@ -102,8 +102,9 @@ module Inspec::Resources # }] class PortsInfo attr_reader :inspec - def initialize(inspec) + def initialize(inspec, port = nil) @inspec = inspec + @port = port end end 
@@ -394,7 +395,12 @@ module Inspec::Resources def ports_via_ss return nil unless inspec.command("ss").exist? - cmd = inspec.command("ss -tulpen") + if @port.nil? + cmd = inspec.command("ss -tulpen") + else + cmd = inspec.command("ss -tulpen '( dport = #{@port} or sport = #{@port} )'") + end + return nil unless cmd.exit_status.to_i == 0 ports = [] @@ -560,7 +566,6 @@ module Inspec::Resources # fe80::a00:27ff:fe32:ed09%enp0s3:9200 parsed_net_address = parsed[:local_addr].match(/(\S+):(\*|\d+)$/) return nil if parsed_net_address.nil? - host = parsed_net_address[1] port = parsed_net_address[2] return nil if host.nil? && port.nil? From 9786a467f13775f90368f7d410cb0e5929061c97 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 14 May 2021 16:28:13 +0530 Subject: [PATCH 168/483] Fix lint errors Signed-off-by: Vasu1105 --- lib/inspec/resources/port.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/inspec/resources/port.rb b/lib/inspec/resources/port.rb index d6b460a57..c5da9b300 100644 --- a/lib/inspec/resources/port.rb +++ b/lib/inspec/resources/port.rb @@ -566,6 +566,7 @@ module Inspec::Resources # fe80::a00:27ff:fe32:ed09%enp0s3:9200 parsed_net_address = parsed[:local_addr].match(/(\S+):(\*|\d+)$/) return nil if parsed_net_address.nil? + host = parsed_net_address[1] port = parsed_net_address[2] return nil if host.nil? && port.nil? From 7990b31f5f9b8e7f8e14419cb754320fe943f91d Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 14 May 2021 17:57:10 +0530 Subject: [PATCH 169/483] Updated test to mock the newly added command Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 4 ++++ test/unit/resources/port_test.rb | 18 +++++++++--------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index e49d62e69..22e487c8b 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
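Review bot: In `ports_via_ss`, `@port` is interpolated into a single-quoted shell argument without any check, and the port tests pass the port as a string (`load_resource("port", "68")`), so whatever the profile supplies reaches the command line verbatim. Restricting the filtered branch to all-digit values keeps the quoting intact, for example by changing the condition to `if @port.nil? || !@port.to_s.match?(/\A\d+\z/)` so that anything else falls back to the unfiltered `ss -tulpen`. A one-line comment above the branch noting that the filter is only a performance optimisation and that the parsed entries are still matched afterwards (if that is the case; the matching code is outside this hunk) would also help. `ports_via_ss` continues past the end of the hunk, and the constructor that sets `@port` on the resource is not visible here.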
@@ -591,6 +591,10 @@ class MockLoader %{sh -c 'type "ss"'} => empty.call, %{sh -c 'type "netstat"'} => empty.call, "ss -tulpen" => cmd.call("ss-tulpen"), + "ss -tulpen '( dport = 22 or sport = 22 )'" => cmd.call("ss-tulpen"), + "ss -tulpen '( dport = 68 or sport = 68 )'" => cmd.call("ss-tulpen"), + "ss -tulpen '( dport = 9200 or sport = 9200 )'" => cmd.call("ss-tulpen"), + "ss -tulpen '( dport = 80 or sport = 80 )'" => cmd.call("ss-tulpen"), "netstat -tulpen" => cmd.call("netstat-tulpen") ) end diff --git a/test/unit/resources/port_test.rb b/test/unit/resources/port_test.rb index f60c9ffaf..63de99dfb 100644 --- a/test/unit/resources/port_test.rb +++ b/test/unit/resources/port_test.rb @@ -4,7 +4,7 @@ require "inspec/resources/port" describe "Inspec::Resources::Port" do it "verify port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", 22) + resource = MockLoader.new(:ubuntu1604).load_resource("port", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.pids).must_equal [1222] @@ -13,7 +13,7 @@ describe "Inspec::Resources::Port" do end it "lists all ports" do - resource = MockLoader.new(:ubuntu1404).load_resource("port") + resource = MockLoader.new(:ubuntu1604).load_resource("port") _(resource.entries.length).must_equal 9 _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ udp tcp tcp6 } @@ -23,7 +23,7 @@ describe "Inspec::Resources::Port" do end it "filter ports by conditions" do - resource = MockLoader.new(:ubuntu1404).load_resource("port").where { protocol =~ /udp/i } + resource = MockLoader.new(:ubuntu1604).load_resource("port").where { protocol =~ /udp/i } _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] 
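Review bot: The four filtered commands added to the mock table in test/helpers/mock_loader.rb all return the unfiltered `ss-tulpen` fixture, so the port tests still pass on the resource's own filtering and would not notice if the `dport`/`sport` expression were malformed or matched nothing. A per-port fixture holding only the rows `ss` returns for that filter, e.g. `"ss -tulpen '( dport = 22 or sport = 22 )'" => cmd.call("ss-tulpen-port-22")` (fixture name is a placeholder), would make the tests reflect the command the resource now runs. Only ports 22, 68, 9200 and 80 are mocked, so a test that loads any other port on a Linux platform will hit an unmocked command; a short comment above these entries saying so would save the next person adding a port test some debugging.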
@@ -33,7 +33,7 @@ describe "Inspec::Resources::Port" do end it "verify UDP port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", 68) + resource = MockLoader.new(:ubuntu1604).load_resource("port", 68) _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -43,7 +43,7 @@ describe "Inspec::Resources::Port" do end it "accepts the port as a string" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", "68") + resource = MockLoader.new(:ubuntu1604).load_resource("port", "68") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -53,7 +53,7 @@ describe "Inspec::Resources::Port" do end it "properly handles multiple processes using one fd" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", "80") + resource = MockLoader.new(:ubuntu1604).load_resource("port", "80") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["tcp"] @@ -63,7 +63,7 @@ describe "Inspec::Resources::Port" do end it "properly handles a IPv4 address in a v6 listing" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", 9200) + resource = MockLoader.new(:ubuntu1604).load_resource("port", 9200) _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.addresses).must_equal ["10.0.2.15", "fe80::a00:27ff:fe32:ed09"] end @@ -185,7 +185,7 @@ describe "Inspec::Resources::Port" do end it "verify port and interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", "0.0.0.0", 22) + resource = MockLoader.new(:ubuntu1604).load_resource("port", "0.0.0.0", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp } _(resource.pids).must_equal [1222] 
@@ -194,7 +194,7 @@ describe "Inspec::Resources::Port" do end it "verify not listening port on interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1404).load_resource("port", "127.0.0.1", 22) + resource = MockLoader.new(:ubuntu1604).load_resource("port", "127.0.0.1", 22) _(resource.listening?).must_equal false _(resource.addresses).must_equal [] end From da75f0ce33bd1a878ea659a11956b712a91bc826 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 17 May 2021 11:28:39 +0530 Subject: [PATCH 170/483] Removed old ubuntu version from mock_loader file as it's not getting used and added new version of Ubuntu in mock_loader file. Signed-off-by: Vasu1105 --- test/fixtures/cmd/ss-tulpen-port | 10 ++++++++++ test/helpers/mock_loader.rb | 2 +- test/unit/resources/port_test.rb | 18 +++++++++--------- 3 files changed, 20 insertions(+), 10 deletions(-) create mode 100644 test/fixtures/cmd/ss-tulpen-port diff --git a/test/fixtures/cmd/ss-tulpen-port b/test/fixtures/cmd/ss-tulpen-port new file mode 100644 index 000000000..28d6c7603 --- /dev/null +++ b/test/fixtures/cmd/ss-tulpen-port 
@@ -0,0 +1,10 @@ +Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port +udp UNCONN 0 0 *:68 *:* users:(("dhclient",pid=1146,fd=6)) ino:15168 sk:1 <-> +tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1222,fd=3)) ino:15973 sk:2 <-> +tcp LISTEN 0 128 ::ffff:10.0.2.15:9200 :::* users:(("java",pid=1722,fd=125)) uid:112 ino:19543 sk:8 v6only:0 <-> +tcp LISTEN 0 128 fe80::a00:27ff:fe32:ed09%enp0s3:9200 :::* users:(("java",pid=1722,fd=124)) uid:112 ino:19542 sk:9 v6only:1 <-> +tcp LISTEN 0 128 ::ffff:10.0.2.15:9300 :::* users:(("java",pid=1722,fd=117)) uid:112 ino:19502 sk:a v6only:0 <-> +tcp LISTEN 0 128 fe80::a00:27ff:fe32:ed09%enp0s3:9300 :::* users:(("java",pid=1722,fd=115)) uid:112 ino:19494 sk:b v6only:1 <-> +tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1222,fd=4)) ino:15982 sk:3 v6only:1 <-> +tcp LISTEN 0 128 *:80 *:* users:(("nginx",pid=583,fd=8),("nginx",pid=582,fd=8),("nginx",pid=580,fd=8),("nginx",pid=579,fd=8)) ino:14427 sk:ffff8800baf12080 <-> +tcp 0 128 *:25 *:* users:(("sendmail",3965,4)) ino:11604 sk:ffff88013a3b5800 diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 22e487c8b..7652abd40 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -18,10 +18,10 @@ class MockLoader freebsd12: { name: "freebsd", family: "bsd", release: "12", arch: "amd64" }, macos10_10: { name: "mac_os_x", family: "darwin", release: "10.10.4", arch: nil }, macos10_16: { name: "darwin", family: "darwin", release: "10.16", arch: nil }, - ubuntu1204: { name: "ubuntu", family: "debian", release: "12.04", arch: "x86_64" }, ubuntu1404: { name: "ubuntu", family: "debian", release: "14.04", arch: "x86_64" }, ubuntu1504: { name: "ubuntu", family: "debian", release: "15.04", arch: "x86_64" }, ubuntu1604: { name: "ubuntu", family: "debian", release: "16.04", arch: "x86_64" }, + ubuntu1804: { name: "ubuntu", family: "debian", release: "18.04", arch: "x86_64" }, mint17: { name: "linuxmint", family: "debian", release: "17.3", arch: "x86_64" }, mint18: { name: "linuxmint", family: "debian", release: "18", arch: "x86_64" }, windows: { name: "windows", family: "windows", release: "6.2.9200", arch: "x86_64" }, diff --git a/test/unit/resources/port_test.rb b/test/unit/resources/port_test.rb index 63de99dfb..72d4431a7 100644 --- a/test/unit/resources/port_test.rb +++ b/test/unit/resources/port_test.rb @@ -4,7 +4,7 @@ require "inspec/resources/port" describe "Inspec::Resources::Port" do it "verify port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", 22) + resource = MockLoader.new(:ubuntu1804).load_resource("port", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.pids).must_equal [1222] @@ -13,7 +13,7 @@ describe "Inspec::Resources::Port" do end it "lists all ports" do - resource = MockLoader.new(:ubuntu1604).load_resource("port") + resource = MockLoader.new(:ubuntu1804).load_resource("port") _(resource.entries.length).must_equal 9 _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ udp tcp tcp6 } 
@@ -23,7 +23,7 @@ describe "Inspec::Resources::Port" do end it "filter ports by conditions" do - resource = MockLoader.new(:ubuntu1604).load_resource("port").where { protocol =~ /udp/i } + resource = MockLoader.new(:ubuntu1804).load_resource("port").where { protocol =~ /udp/i } _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -33,7 +33,7 @@ describe "Inspec::Resources::Port" do end it "verify UDP port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", 68) + resource = MockLoader.new(:ubuntu1804).load_resource("port", 68) _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -43,7 +43,7 @@ describe "Inspec::Resources::Port" do end it "accepts the port as a string" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", "68") + resource = MockLoader.new(:ubuntu1804).load_resource("port", "68") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -53,7 +53,7 @@ describe "Inspec::Resources::Port" do end it "properly handles multiple processes using one fd" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", "80") + resource = MockLoader.new(:ubuntu1804).load_resource("port", "80") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["tcp"] @@ -63,7 +63,7 @@ describe "Inspec::Resources::Port" do end it "properly handles a IPv4 address in a v6 listing" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", 9200) + resource = MockLoader.new(:ubuntu1804).load_resource("port", 9200) _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.addresses).must_equal ["10.0.2.15", "fe80::a00:27ff:fe32:ed09"] end 
@@ -185,7 +185,7 @@ describe "Inspec::Resources::Port" do end it "verify port and interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", "0.0.0.0", 22) + resource = MockLoader.new(:ubuntu1804).load_resource("port", "0.0.0.0", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp } _(resource.pids).must_equal [1222] @@ -194,7 +194,7 @@ describe "Inspec::Resources::Port" do end it "verify not listening port on interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1604).load_resource("port", "127.0.0.1", 22) + resource = MockLoader.new(:ubuntu1804).load_resource("port", "127.0.0.1", 22) _(resource.listening?).must_equal false _(resource.addresses).must_equal [] end From 1ea3697197412d6c5a78bf03478e4d595ff8f36f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 17 May 2021 11:32:06 +0530 Subject: [PATCH 171/483] Removed fixture file which was not needed Signed-off-by: Vasu1105 --- test/fixtures/cmd/ss-tulpen-port | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 test/fixtures/cmd/ss-tulpen-port diff --git a/test/fixtures/cmd/ss-tulpen-port b/test/fixtures/cmd/ss-tulpen-port deleted file mode 100644 index 28d6c7603..000000000 --- a/test/fixtures/cmd/ss-tulpen-port +++ /dev/null 
@@ -1,10 +0,0 @@ -Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port -udp UNCONN 0 0 *:68 *:* users:(("dhclient",pid=1146,fd=6)) ino:15168 sk:1 <-> -tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1222,fd=3)) ino:15973 sk:2 <-> -tcp LISTEN 0 128 ::ffff:10.0.2.15:9200 :::* users:(("java",pid=1722,fd=125)) uid:112 ino:19543 sk:8 v6only:0 <-> -tcp LISTEN 0 128 fe80::a00:27ff:fe32:ed09%enp0s3:9200 :::* users:(("java",pid=1722,fd=124)) uid:112 ino:19542 sk:9 v6only:1 <-> -tcp LISTEN 0 128 ::ffff:10.0.2.15:9300 :::* users:(("java",pid=1722,fd=117)) uid:112 ino:19502 sk:a v6only:0 <-> -tcp LISTEN 0 128 fe80::a00:27ff:fe32:ed09%enp0s3:9300 :::* users:(("java",pid=1722,fd=115)) uid:112 ino:19494 sk:b v6only:1 <-> -tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1222,fd=4)) ino:15982 sk:3 v6only:1 <-> -tcp LISTEN 0 128 *:80 *:* users:(("nginx",pid=583,fd=8),("nginx",pid=582,fd=8),("nginx",pid=580,fd=8),("nginx",pid=579,fd=8)) ino:14427 sk:ffff8800baf12080 <-> -tcp 0 128 *:25 *:* users:(("sendmail",3965,4)) ino:11604 sk:ffff88013a3b5800 From 80be8e06255f275ba9bddbed9d903db2986641b9 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 10 May 2021 16:19:15 +0530 Subject: [PATCH 172/483] Added common errors page for inspec with only one error to get started Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/common_errors.md | 27 ++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs-chef-io/content/inspec/common_errors.md diff --git a/docs-chef-io/content/inspec/common_errors.md b/docs-chef-io/content/inspec/common_errors.md new file mode 100644 index 000000000..3ceb63fb7 --- /dev/null +++ b/docs-chef-io/content/inspec/common_errors.md 
@@ -0,0 +1,27 @@ ++++ +title = "Chef InSpec Common Errors" +draft = false +gh_repo = "inspec" + +[menu] + [menu.inspec] + title = "Common Errors" + identifier = "inspec/reference/common_errors.md Chef InSpec Common Errors" + parent = "inspec/reference" + weight = 110 ++++ + +This section documents some of the Common Errors encountered while using Chef Inspec. + +* `Undefined local variable or method error for 'aws_eks_clusters' resource` + + Syntax of using AWS resource in InSpec profile to test eks clusters: + + ```bash + describe aws_eks_clusters.where( failed: true ) do + it { should_not exist } + end + ``` + + For successful execution, it is necessary to define an InSpec Profile with a dependency on **inspec-aws** resource pack. It can be done using instructions in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) + \ No newline at end of file From 9b5c6a45b927228ff49491a5553375087da20cc2 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 10 May 2021 17:18:26 +0530 Subject: [PATCH 173/483] Updated correct weight of common errors doc Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/common_errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/common_errors.md b/docs-chef-io/content/inspec/common_errors.md index 3ceb63fb7..6df6a0b58 100644 --- a/docs-chef-io/content/inspec/common_errors.md +++ b/docs-chef-io/content/inspec/common_errors.md @@ -8,7 +8,7 @@ gh_repo = "inspec" title = "Common Errors" identifier = "inspec/reference/common_errors.md Chef InSpec Common Errors" parent = "inspec/reference" - weight = 110 + weight = 150 +++ This section documents some of the Common Errors encountered while using Chef Inspec. From 24376113f57c8a46cb8884f129e51cc61e49b2cf Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 11 May 2021 13:21:55 +0530 Subject: [PATCH 174/483] Doc review changes on common errors doc page 
Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/common_errors.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/common_errors.md b/docs-chef-io/content/inspec/common_errors.md index 6df6a0b58..e54a84a17 100644 --- a/docs-chef-io/content/inspec/common_errors.md +++ b/docs-chef-io/content/inspec/common_errors.md @@ -15,13 +15,14 @@ This section documents some of the Common Errors encountered while using Chef In * `Undefined local variable or method error for 'aws_eks_clusters' resource` - Syntax of using AWS resource in InSpec profile to test eks clusters: + Syntax of using an AWS resource in InSpec profile is as follows: ```bash describe aws_eks_clusters.where( failed: true ) do it { should_not exist } end ``` + This example is testing aws eks clusters. - For successful execution, it is necessary to define an InSpec Profile with a dependency on **inspec-aws** resource pack. It can be done using instructions in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) + For successful execution of a profile using **any of the AWS resources**, it is necessary to define an InSpec Profile with a dependency on **inspec-aws** resource pack. It can be done using instructions in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) \ No newline at end of file From e4ab99e97a85b033b5497c79ad0e0e2e03a108f7 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 13 May 2021 15:24:14 +0530 Subject: [PATCH 175/483] undefined error added in a generic manner for all the cloud resources Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/common_errors.md | 31 ++++++++++++++++---- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/docs-chef-io/content/inspec/common_errors.md b/docs-chef-io/content/inspec/common_errors.md index e54a84a17..4e4ac7574 100644 --- a/docs-chef-io/content/inspec/common_errors.md +++ b/docs-chef-io/content/inspec/common_errors.md 
@@ -13,16 +13,35 @@ gh_repo = "inspec" This section documents some of the Common Errors encountered while using Chef Inspec. -* `Undefined local variable or method error for 'aws_eks_clusters' resource` +* `Undefined local variable or method error` while using cloud resources in InSpec profile. - Syntax of using an AWS resource in InSpec profile is as follows: + For the successful execution of an InSpec profile using **any of the cloud resources**, it is necessary to define the profile with a dependency on them. + + Some of the examples of using cloud resources in an InSpec profile are: ```bash - describe aws_eks_clusters.where( failed: true ) do - it { should_not exist } + describe aws_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do + its('property') { should eq 'value' } end ``` - This example is testing aws eks clusters. - For successful execution of a profile using **any of the AWS resources**, it is necessary to define an InSpec Profile with a dependency on **inspec-aws** resource pack. It can be done using instructions in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) + To define dependency on **inspec-aws** resource pack use the instructions listed in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) + + + ```bash + describe azure_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do + its('property') { should eq 'value' } + end + ``` + + To define dependency on **inspec-azure** resource pack use the instructions listed in [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources) + + + ```bash + describe gcp_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do + its('property') { should eq 'value' } + end + ``` + + To define dependency on **inspec-gcp** resource pack use the instructions listed in [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources) \ No newline at end of file 
From e9258cf1be9c133f29153f449f4e00df9b3985c9 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Thu, 13 May 2021 12:00:00 -0700 Subject: [PATCH 176/483] Move to troubleshooting and edits Signed-off-by: Ian Maddaus --- .../content/inspec/troubleshooting.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 docs-chef-io/content/inspec/troubleshooting.md diff --git a/docs-chef-io/content/inspec/troubleshooting.md b/docs-chef-io/content/inspec/troubleshooting.md new file mode 100644 index 000000000..dd2ec3e53 --- /dev/null +++ b/docs-chef-io/content/inspec/troubleshooting.md @@ -0,0 +1,24 @@ ++++ +title = "Chef InSpec Troubleshooting" +draft = false +gh_repo = "inspec" + +[menu] + [menu.inspec] + title = "Troubleshooting" + identifier = "inspec/Troubleshooting" + parent = "inspec" + weight = 55 ++++ + +## Undefined Local Variable or Method Error for Cloud Resource + +This error is a result of invoking a resource from one of the cloud resource packs without initializing an InSpec profile with that resource pack (AWS, Azure, or GCP) as a dependency. + +InSpec profiles that use **any cloud resource** must have the resource pack defined as a dependency. + +See the relevant resource pack readme for instructions: + +- [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) +- [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources) +- [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources) From 122293b2136b956a805f5966d8db898809037e30 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 17 May 2021 12:44:02 +0530 Subject: [PATCH 177/483] Removed common errors page since trouble shooting page was introduced by docs team Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/common_errors.md | 47 -------------------- 1 file changed, 47 deletions(-) delete mode 100644 docs-chef-io/content/inspec/common_errors.md 
diff --git a/docs-chef-io/content/inspec/common_errors.md b/docs-chef-io/content/inspec/common_errors.md deleted file mode 100644 index 4e4ac7574..000000000 --- a/docs-chef-io/content/inspec/common_errors.md +++ /dev/null @@ -1,47 +0,0 @@ -+++ -title = "Chef InSpec Common Errors" -draft = false -gh_repo = "inspec" - -[menu] - [menu.inspec] - title = "Common Errors" - identifier = "inspec/reference/common_errors.md Chef InSpec Common Errors" - parent = "inspec/reference" - weight = 150 -+++ - -This section documents some of the Common Errors encountered while using Chef Inspec. - -* `Undefined local variable or method error` while using cloud resources in InSpec profile. - - For the successful execution of an InSpec profile using **any of the cloud resources**, it is necessary to define the profile with a dependency on them. - - Some of the examples of using cloud resources in an InSpec profile are: - - ```bash - describe aws_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do - its('property') { should eq 'value' } - end - ``` - - To define dependency on **inspec-aws** resource pack use the instructions listed in [inspec-aws README](https://github.com/inspec/inspec-aws#use-the-resources) - - - ```bash - describe azure_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do - its('property') { should eq 'value' } - end - ``` - - To define dependency on **inspec-azure** resource pack use the instructions listed in [inspec-azure README](https://github.com/inspec/inspec-azure#use-the-resources) - - - ```bash - describe gcp_generic_resource(group_name: 'MyResourceGroup', name: 'MyResource') do - its('property') { should eq 'value' } - end - ``` - - To define dependency on **inspec-gcp** resource pack use the instructions listed in [inspec-gcp README](https://github.com/inspec/inspec-gcp#use-the-resources) - \ No newline at end of file From 483853ab819270f96e6578c5c035a07db8ae919f Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Mon, 17 May 2021 13:48:16 +0530 Subject: [PATCH 178/483] To return only nil when file does not exist Signed-off-by: Nikita Mathur --- lib/inspec/resources/file.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/inspec/resources/file.rb b/lib/inspec/resources/file.rb index bc6409725..fb4776abb 100644 --- a/lib/inspec/resources/file.rb +++ b/lib/inspec/resources/file.rb @@ -136,10 +136,10 @@ module Inspec::Resources alias sticky? sticky def more_permissive_than?(max_mode = nil) - raise Inspec::Exceptions::ResourceFailed, "The file" + file.path + "doesn't seem to exist" unless exist? - raise ArgumentError, "You must proivde a value for the `maximum allowable permission` for the file." if max_mode.nil? - raise ArgumentError, "You must proivde the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String) - raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-ditgit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode) + return nil unless exist? + raise ArgumentError, "You must provide a value for the `maximum allowable permission` for the file." if max_mode.nil? + raise ArgumentError, "You must provide the `maximum permission target` as a `String`, you provided: " + max_mode.class.to_s unless max_mode.is_a?(String) + raise ArgumentError, "The value of the `maximum permission target` should be a valid file mode in 4-digit octal format: for example, `0644` or `0777`" unless /(0)?([0-7])([0-7])([0-7])/.match?(max_mode) # Using the files mode and a few bit-wise calculations we can ensure a # file is no more permisive than desired. @@ -160,7 +160,6 @@ module Inspec::Resources max_mode = max_mode.to_i(8) inv_mode = 0777 ^ max_mode - inv_mode & file.mode != 0 end From 8403780995df25ef00b2c6ea3111d6fa7775e075 Mon Sep 17 00:00:00 2001 
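Review bot: In lib/inspec/resources/file.rb, `return nil unless exist?` makes `more_permissive_than?` falsy for a missing file, so a control written as `it { should_not be_more_permissive_than('0644') }` would presumably pass when the path is absent or mistyped, where the removed line raised `ResourceFailed`. I would record that contract above the guard, e.g. `# Returns nil when the file does not exist; pair with "it { should exist }" so a wrong path cannot pass silently.` The mode check on the last edited line is also unanchored, so a string that merely contains three octal digits (for example `"08777"`) passes validation and then parses as 0 in `to_i(8)`; something like `unless /\A[0-7]{3,4}\z/.match?(max_mode)` would reject it. The middle of the method sits between the two hunks and is not visible here.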
From: Nikita Mathur Date: Mon, 17 May 2021 14:02:26 +0530 Subject: [PATCH 179/483] test case added for file resource when it does not exist Signed-off-by: Nikita Mathur --- test/unit/resources/file_test.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/unit/resources/file_test.rb b/test/unit/resources/file_test.rb index 1a04378a9..ec7c8ee93 100644 --- a/test/unit/resources/file_test.rb +++ b/test/unit/resources/file_test.rb @@ -104,4 +104,9 @@ describe Inspec::Resources::FileResource do _(proc { resource.send(:more_permissive_than?, "0888") }).must_raise(ArgumentError) end + + it "when file does not exist" do + resource = MockLoader.new(:ubuntu1404).load_resource("file", "file_does_not_exist") + assert_nil(resource.send(:more_permissive_than?, nil)) + end end From 3fd2c57a5a6205ed3b92454d5395c2d6f169edcf Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 17 May 2021 14:30:47 +0530 Subject: [PATCH 180/483] Added new automate doc link for login tokens Signed-off-by: Nikita Mathur --- lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index 958c5f782..d1e3552a2 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb 
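Review bot: In test/unit/resources/file_test.rb, the new case calls `more_permissive_than?` with `nil`, so it passes only because the existence guard runs before the argument checks, and it never exercises the call a profile would actually make. Passing a valid mode pins the intended behaviour: `assert_nil(resource.send(:more_permissive_than?, "0644"))`. The title `"when file does not exist"` could also state the expectation, e.g. `it "returns nil when the file does not exist" do`. The enclosing `describe` block starts outside the hunk.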
@@ -13,10 +13,9 @@ module InspecPlugins long_desc <<-LONGDESC `login` allows you to use InSpec with #{AUTOMATE_PRODUCT_NAME} Server - You need to a token for communication. More information about token retrieval + You need to have a token for communication. More information about token retrieval is available at: - https://docs.chef.io/api_automate.html#authentication-methods - https://docs.chef.io/api_compliance.html#obtaining-an-api-token + https://docs.chef.io/automate/api/#tag/tokens LONGDESC option :insecure, aliases: :k, type: :boolean, desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers' From 38fd0ef56bf1bc859965cc6d6b760b7c628dc947 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 17 May 2021 16:02:01 +0530 Subject: [PATCH 181/483] inspec detect --no-color to not give colorful output Signed-off-by: Nikita Mathur --- lib/inspec/cli.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 69aabe928..6bad4917d 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -305,7 +305,12 @@ class Inspec::InspecCLI < Inspec::BaseCLI puts res.to_json else ui.headline("Platform Details") - ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36) + + if ui.color? + ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36) + else + ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0) + end end rescue ArgumentError, RuntimeError, Train::UserError => e $stderr.puts e.message From f9659bfaf0726c3e8af534024bdf4ba81bcb4531 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 18 May 2021 16:09:41 +0530 Subject: [PATCH 182/483] Test cases and color code changes for no-color option in detect cmd Signed-off-by: Nikita Mathur --- lib/inspec/cli.rb | 7 ++----- test/functional/ui_test.rb | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) 
diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 6bad4917d..b6abba9ec 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -306,11 +306,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI else ui.headline("Platform Details") - if ui.color? - ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36) - else - ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0) - end + detect_cmd_ui_color = ui.color? ? 36 : 0 + ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: detect_cmd_ui_color) end rescue ArgumentError, RuntimeError, Train::UserError => e $stderr.puts e.message diff --git a/test/functional/ui_test.rb b/test/functional/ui_test.rb index c5c2fb325..2c7663cf9 100644 --- a/test/functional/ui_test.rb +++ b/test/functional/ui_test.rb @@ -100,6 +100,15 @@ describe "InSpec UI behavior" do assert_exit_code 0, run_result end end + + describe "detect command" do + let(:result) { inspec("detect") } + + it "has a colorful output" do + _(result.stdout).must_include("\e[1m\e[36m") + assert_exit_code 0, result + end + end end describe "with --no-color option" do @@ -130,6 +139,15 @@ describe "InSpec UI behavior" do assert_exit_code 0, run_result end end + + describe "detect command" do + let(:result) { inspec("detect --no-color") } + + it "has no color in the output" do + _(result.stdout).must_include("\e[1m\e[0m") + assert_exit_code 0, result + end + end end describe "exit codes" do From 470aff4b77eaf9caa1658ca24fca7f3c7370025e Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 18 May 2021 19:27:51 +0000 Subject: [PATCH 183/483] Bump version to 4.37.13 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1fa38556..b4f06671d 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.12](https://github.com/inspec/inspec/tree/v4.37.12) (2021-05-16) + +## [v4.37.13](https://github.com/inspec/inspec/tree/v4.37.13) (2021-05-18) #### Merged Pull Requests -- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.8 release #### Merged Pull Requests +- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) diff --git a/VERSION b/VERSION index 487b9d36d..59bc6ab38 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.12 \ No newline at end of file +4.37.13 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index b078a0636..ca60aa9d9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.12".freeze + VERSION = "4.37.13".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 57bd3ecbf..079e6f278 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.12".freeze + VERSION = "4.37.13".freeze end 
From a75bf41a04e753ad881e42190ec0c662bf5cc311 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 18 May 2021 19:30:57 +0000 Subject: [PATCH 184/483] Bump version to 4.37.14 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4f06671d..1f21cae0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.13](https://github.com/inspec/inspec/tree/v4.37.13) (2021-05-18) + +## [v4.37.14](https://github.com/inspec/inspec/tree/v4.37.14) (2021-05-18) #### Merged Pull Requests -- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.8 release #### Merged Pull Requests +- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) - Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index 59bc6ab38..ae765681e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.13 \ No newline at end of file +4.37.14 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index ca60aa9d9..d5c6121d5 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.13".freeze + VERSION = "4.37.14".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 079e6f278..76c890c74 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.13".freeze + VERSION = "4.37.14".freeze end From fb14f9d6674b47920991a192f4c99b7e4c8565c8 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 18 May 2021 19:38:50 +0000 Subject: [PATCH 185/483] Bump version to 4.37.15 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1f21cae0c..dcdc5e433 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,15 +1,18 @@ # Change Log - -## [v4.37.14](https://github.com/inspec/inspec/tree/v4.37.14) (2021-05-18) + +## [v4.37.15](https://github.com/inspec/inspec/tree/v4.37.15) (2021-05-18) -#### Merged Pull Requests -- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) +#### Enhancements +- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.37.8 release +#### Enhancements +- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) + #### Merged Pull Requests - Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) - Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index ae765681e..4b29806b4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.14 \ No newline at end of file +4.37.15 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d5c6121d5..6e4986e0b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.14".freeze + VERSION = "4.37.15".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 76c890c74..40befccb4 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.14".freeze + VERSION = "4.37.15".freeze end From 9922dc05049ab1072c0ffb907ab09f70ad1683d1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 18 May 2021 19:44:35 +0000 Subject: [PATCH 186/483] Bump version to 4.37.16 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dcdc5e433..12137212c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.37.15](https://github.com/inspec/inspec/tree/v4.37.15) (2021-05-18) + +## [v4.37.16](https://github.com/inspec/inspec/tree/v4.37.16) (2021-05-18) -#### Enhancements -- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) @@ -14,6 +14,7 @@ - Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) #### Merged Pull Requests +- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) - Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) - Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) 
diff --git a/VERSION b/VERSION index 4b29806b4..23974a310 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.15 \ No newline at end of file +4.37.16 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 6e4986e0b..0adb629cd 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.15".freeze + VERSION = "4.37.16".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 40befccb4..c395ce602 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.15".freeze + VERSION = "4.37.16".freeze end From 209948d3fdf2969dbf638a2d892f8691195731e7 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 19 May 2021 14:39:09 +0530 Subject: [PATCH 187/483] no color change where no ansi code is used at all Signed-off-by: Nikita Mathur --- lib/inspec/base_cli.rb | 4 ++-- lib/inspec/cli.rb | 4 +--- test/functional/ui_test.rb | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 763a9f857..337c6930f 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb @@ -181,7 +181,7 @@ module Inspec puts " Patents: chef.io/patents\n\n" end - def self.format_platform_info(params: {}, indent: 0, color: 39) + def self.format_platform_info(params: {}, indent: 0, color: 39, enable_color: true) str = "" params.each do |item, info| data = info @@ -192,7 +192,7 @@ module Inspec # Do not output fields of data is missing ('unknown' is fine) next if data.nil? - data = "\e[1m\e[#{color}m#{data}\e[0m" + data = "\e[1m\e[#{color}m#{data}\e[0m" if enable_color str << format("#{" " * indent}%-10s %s\n", item.to_s.capitalize + ":", data) end str 
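Review bot: `format_platform_info` in lib/inspec/base_cli.rb now takes `enable_color:`, but nothing says how it interacts with `color:`. When `enable_color` is false, the `color` value is ignored and each field is emitted without any escape sequence. A short comment above the signature would make that explicit, e.g. `# enable_color: false emits plain text with no ANSI escape sequences; color is ignored in that case.` Both hunks cut through the method, whose closing lines are not visible here.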
diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index b6abba9ec..5f4a97e8c 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -305,9 +305,7 @@ class Inspec::InspecCLI < Inspec::BaseCLI puts res.to_json else ui.headline("Platform Details") - - detect_cmd_ui_color = ui.color? ? 36 : 0 - ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: detect_cmd_ui_color) + ui.plain Inspec::BaseCLI.format_platform_info(params: res, indent: 0, color: 36, enable_color: ui.color?) end rescue ArgumentError, RuntimeError, Train::UserError => e $stderr.puts e.message diff --git a/test/functional/ui_test.rb b/test/functional/ui_test.rb index 2c7663cf9..737862374 100644 --- a/test/functional/ui_test.rb +++ b/test/functional/ui_test.rb @@ -105,7 +105,7 @@ describe "InSpec UI behavior" do let(:result) { inspec("detect") } it "has a colorful output" do - _(result.stdout).must_include("\e[1m\e[36m") + _(result.stdout).must_include("\e[") assert_exit_code 0, result end end @@ -144,7 +144,7 @@ describe "InSpec UI behavior" do let(:result) { inspec("detect --no-color") } it "has no color in the output" do - _(result.stdout).must_include("\e[1m\e[0m") + _(result.stdout).wont_include("\e[") assert_exit_code 0, result end end From 66a372d71539b9132789aeb92b62690087ed34f2 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 19 May 2021 12:19:45 +0000 Subject: [PATCH 188/483] Bump version to 4.37.17 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 12137212c..2e55bf7f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.37.16](https://github.com/inspec/inspec/tree/v4.37.16) (2021-05-18) + +## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-19) #### Merged Pull Requests -- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) +- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) @@ -14,6 +14,7 @@ - Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) #### Merged Pull Requests +- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) - Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) - Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) - Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index 23974a310..82a029b1f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.16 \ No newline at end of file +4.37.17 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0adb629cd..f39280431 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.16".freeze + VERSION = "4.37.17".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index c395ce602..d886fd98b 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.16".freeze + VERSION = "4.37.17".freeze end From 3e06280f01a3911690b62e550f9b884bf0c41063 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 19 May 2021 18:00:41 +0530 Subject: [PATCH 189/483] Replaced api doc from compliance help command with the relevant doc link Signed-off-by: Nikita Mathur --- lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb index d1e3552a2..35045da30 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb @@ -15,7 +15,7 @@ module InspecPlugins You need to have a token for communication. More information about token retrieval is available at: - https://docs.chef.io/automate/api/#tag/tokens + https://docs.chef.io/automate/api_tokens LONGDESC option :insecure, aliases: :k, type: :boolean, desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers' From d79cec41a9d1437933328df50051d78649c55141 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 19 May 2021 20:55:19 -0400 Subject: [PATCH 190/483] Drop EOL Ubuntu 16.04, build on 18.04 Signed-off-by: Clinton Wolfe --- .expeditor/release.omnibus.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.expeditor/release.omnibus.yml b/.expeditor/release.omnibus.yml index 6a654b0c1..ec5486a72 100644 --- a/.expeditor/release.omnibus.yml +++ b/.expeditor/release.omnibus.yml @@ -38,8 +38,7 @@ builder-to-testers-map: ubuntu-18.04-aarch64: - ubuntu-18.04-aarch64 - ubuntu-20.04-aarch64 - ubuntu-16.04-x86_64: - - ubuntu-16.04-x86_64 + ubuntu-18.04-x86_64: - ubuntu-18.04-x86_64 - ubuntu-20.04-x86_64 windows-2012r2-x86_64: From 23e1bd2de09e21865cf7484cb8e25bed86391fd1 Mon Sep 17 00:00:00 2001 
From: Clinton Wolfe Date: Wed, 19 May 2021 20:59:08 -0400 Subject: [PATCH 191/483] Add Ubunutu to list of FIPS platforms Signed-off-by: Clinton Wolfe --- .expeditor/release.omnibus.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.expeditor/release.omnibus.yml b/.expeditor/release.omnibus.yml index 6a654b0c1..47f233b09 100644 --- a/.expeditor/release.omnibus.yml +++ b/.expeditor/release.omnibus.yml @@ -6,6 +6,7 @@ test-path-windows: omnibus/omnibus-test.ps1 fips-platforms: - el-*-x86_64 - windows-* + - ubuntu-*-x86_64 builder-to-testers-map: debian-9-x86_64: - debian-9-x86_64 From dcb99872ff7380b6f159da522c6f5b928a1880b2 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 20 May 2021 17:12:21 +0530 Subject: [PATCH 192/483] Removed support for compliance and a1 server from inspec compliance Signed-off-by: Nikita Mathur --- .../lib/inspec-compliance/api.rb | 202 +---------- .../lib/inspec-compliance/api/login.rb | 143 +------- .../lib/inspec-compliance/target.rb | 28 +- .../test/unit/api/login_test.rb | 127 ------- .../inspec-compliance/test/unit/api_test.rb | 313 ++++-------------- .../test/unit/target_test.rb | 51 +-- 6 files changed, 95 insertions(+), 769 deletions(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb index b2833305a..8b067bd3b 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb 
@@ -24,19 +24,7 @@ module InspecPlugins # the username of the account is used that is logged in def self.profiles(config, profile_filter = nil) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength owner = config["owner"] || config["user"] - - # Chef Compliance - if is_compliance_server?(config) - url = "#{config["server"]}/user/compliance" - # Chef Automate2 - elsif is_automate2_server?(config) - url = "#{config["server"]}/compliance/profiles/search" - # Chef Automate - elsif is_automate_server?(config) - url = "#{config["server"]}/profiles/#{owner}" - else - raise ServerConfigurationMissing - end + url = "#{config["server"]}/compliance/profiles/search" headers = get_headers(config) if profile_filter @@ -45,12 +33,9 @@ module InspecPlugins id, ver = nil end - if is_automate2_server?(config) - body = { owner: owner, name: id }.to_json - response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config["insecure"]) - else - response = InspecPlugins::Compliance::HTTP.get(url, headers, config["insecure"]) - end + body = { owner: owner, name: id }.to_json + response = InspecPlugins::Compliance::HTTP.post_with_headers(url, headers, body, config["insecure"]) + data = response.body response_code = response.code case response_code 
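Review bot: Nothing in `profiles` now rejects an empty or unrecognised configuration, because the removed `else raise ServerConfigurationMissing` was the only guard visible in this hunk. If `config["server"]` is nil, `url = "#{config["server"]}/compliance/profiles/search"` becomes a bare relative path and the failure surfaces later inside the HTTP helper instead of as a clear configuration error. Unless a caller outside this hunk already verifies login state, keep the guard, for example `raise ServerConfigurationMissing if config["server"].to_s.empty?` before the URL is built. The same applies to `upload` and `target_url` later in this file. The method body continues outside the hunk.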
@@ -58,25 +43,12 @@ module InspecPlugins msg = "success" profiles = JSON.parse(data) # iterate over profiles - if is_compliance_server?(config) - mapped_profiles = [] - profiles.values.each do |org| - mapped_profiles += org.values - end - # Chef Automate pre 0.8.0 - elsif is_automate_server_pre_080?(config) - mapped_profiles = profiles.values.flatten - elsif is_automate2_server?(config) - mapped_profiles = [] - profiles["profiles"].each do |p| - mapped_profiles << p - end - else - mapped_profiles = profiles.map do |e| - e["owner_id"] = owner - e - end + + mapped_profiles = [] + profiles["profiles"].each do |p| + mapped_profiles << p end + # filter by name and version if they were specified in profile_filter mapped_profiles.select! do |p| (!ver || p["version"] == ver) && (!id || p["name"] == id) @@ -120,26 +92,9 @@ module InspecPlugins end def self.upload(config, owner, profile_name, archive_path) - # Chef Compliance - if is_compliance_server?(config) - url = "#{config["server"]}/owners/#{owner}/compliance/#{profile_name}/tar" - # Chef Automate pre 0.8.0 - elsif is_automate_server_pre_080?(config) - url = "#{config["server"]}/#{owner}" - elsif is_automate2_server?(config) - url = "#{config["server"]}/compliance/profiles?owner=#{owner}" - # Chef Automate - else - url = "#{config["server"]}/profiles/#{owner}" - end - + url = "#{config["server"]}/compliance/profiles?owner=#{owner}" headers = get_headers(config) - if is_automate2_server?(config) - res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config["insecure"]) - else - res = InspecPlugins::Compliance::HTTP.post_file(url, headers, archive_path, config["insecure"]) - end - + res = InspecPlugins::Compliance::HTTP.post_multipart_file(url, headers, archive_path, config["insecure"]) [res.is_a?(Net::HTTPSuccess), res.body] end 
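Review bot: `profiles["profiles"].each` raises NoMethodError on nil if a 200 response has no `profiles` key, and whether the search endpoint always returns that key, even for an empty result, is not visible here. The copy loop is also unnecessary. I would replace the three lines with `mapped_profiles = Array(profiles["profiles"])`, which handles the missing key and leaves the `select!` filter below working on an empty list. The method starts and ends outside this hunk.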
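Review bot: In `upload`, `owner` is interpolated into the query string without percent-encoding, so a value containing `&`, `#`, `=` or a space changes or truncates the request parameters. This line was already present in the Automate 2 branch, but it is now the only upload path, so it is worth fixing here: `url = "#{config["server"]}/compliance/profiles?owner=#{URI.encode_www_form_component(owner)}"`. This assumes `uri` is already loaded in this file, which the hunk does not show.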
@@ -210,16 +165,12 @@ module InspecPlugins def self.get_headers(config) token = get_token(config) - if is_automate_server?(config) || is_automate2_server?(config) - headers = { "chef-delivery-enterprise" => config["automate"]["ent"] } - if config["automate"]["token_type"] == "dctoken" - headers["x-data-collector-token"] = token - else - headers["chef-delivery-user"] = config["user"] - headers["chef-delivery-token"] = token - end + headers = { "chef-delivery-enterprise" => config["automate"]["ent"] } + if config["automate"]["token_type"] == "dctoken" + headers["x-data-collector-token"] = token else - headers = { "Authorization" => "Bearer #{token}" } + headers["chef-delivery-user"] = config["user"] + headers["chef-delivery-token"] = token end headers end @@ -232,16 +183,7 @@ module InspecPlugins end def self.target_url(config, profile) - owner, id, ver = profile_split(profile) - - return "#{config["server"]}/compliance/profiles/tar" if is_automate2_server?(config) - return "#{config["server"]}/owners/#{owner}/compliance/#{id}/tar" unless is_automate_server?(config) - - if ver.nil? - "#{config["server"]}/profiles/#{owner}/#{id}/tar" - else - "#{config["server"]}/profiles/#{owner}/#{id}/version/#{ver}/tar" - end + "#{config["server"]}/compliance/profiles/tar" end def self.profile_split(profile) 
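Review bot: `get_headers` now dereferences `config["automate"]["ent"]` unconditionally, which raises NoMethodError on nil for a stored configuration that has no `automate` section. The `compliance_store_access_token` method removed from login.rb in this same commit wrote exactly such a configuration (user, server, insecure, server_type, token, version), so a user upgrading with a saved Chef Compliance login hits this path. The removed `else` branch used to cover that case. I would fail with a clear message first, for example `raise ServerConfigurationMissing unless config["automate"]`, so the user is told to log in again.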
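Review bot: The `profile` argument of `target_url` is now unused, and the method returns the same URL for every owner, name and version, which the updated unit test on this page also asserts. The signature has to stay for callers, so I would document it with a comment above the method such as `# Automate 2 exposes one tar endpoint; the profile is not part of the URL, so +profile+ is ignored here.` Presumably the owner and name travel in the request through `@config["profile"]` as used in target.rb, but that is not visible in this hunk and should be confirmed before wording the comment more strongly.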
@@ -260,33 +202,6 @@ module InspecPlugins uri.to_s.sub(%r{^compliance:\/\/}, "") end - def self.is_compliance_server?(config) - config["server_type"] == "compliance" - end - - def self.is_automate_server_pre_080?(config) - # Automate versions before 0.8.x do not have a valid version in the config - return false unless config["server_type"] == "automate" - - server_version_from_config(config).nil? - end - - def self.is_automate_server_080_and_later?(config) - # Automate versions 0.8.x and later will have a "version" key in the config - # that is properly parsed out via server_version_from_config below - return false unless config["server_type"] == "automate" - - !server_version_from_config(config).nil? - end - - def self.is_automate2_server?(config) - config["server_type"] == "automate2" - end - - def self.is_automate_server?(config) - config["server_type"] == "automate" - end - def self.server_version_from_config(config) # Automate versions 0.8.x and later will have a "version" key in the config # that looks like: "version":{"api":"compliance","version":"0.8.24"} 
@@ -295,89 +210,6 @@ module InspecPlugins config["version"]["version"] end - - def self.determine_server_type(url, insecure) - if target_is_automate2_server?(url, insecure) - :automate2 - elsif target_is_automate_server?(url, insecure) - :automate - elsif target_is_compliance_server?(url, insecure) - :compliance - else - Inspec::Log.debug("Could not determine server type using known endpoints") - nil - end - end - - def self.target_is_automate2_server?(url, insecure) - automate_endpoint = "/dex/auth" - response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure) - if response.code == "400" - Inspec::Log.debug( - "Received 400 from #{url}#{automate_endpoint} - " \ - "assuming target is a #{AUTOMATE_PRODUCT_NAME}2 instance" - ) - true - else - Inspec::Log.debug( - "Received #{response.code} from #{url}#{automate_endpoint} - " \ - "assuming target is not an #{AUTOMATE_PRODUCT_NAME}2 instance" - ) - false - end - end - - def self.target_is_automate_server?(url, insecure) - automate_endpoint = "/compliance/version" - response = InspecPlugins::Compliance::HTTP.get(url + automate_endpoint, nil, insecure) - case response.code - when "401" - Inspec::Log.debug( - "Received 401 from #{url}#{automate_endpoint} - " \ - "assuming target is a #{AUTOMATE_PRODUCT_NAME} instance" - ) - true - when "200" - # Chef Automate currently returns 401 for `/compliance/version` but some - # versions of OpsWorks Chef Automate return 200 and a Chef Manage page - # when unauthenticated requests are received. 
- if response.body.include?("Are You Looking For the #{SERVER_PRODUCT_NAME}?") - Inspec::Log.debug( - "Received 200 from #{url}#{automate_endpoint} - " \ - "assuming target is an #{AUTOMATE_PRODUCT_NAME} instance" - ) - true - else - Inspec::Log.debug( - "Received 200 from #{url}#{automate_endpoint} " \ - "but did not receive the Chef Manage page - " \ - "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance" - ) - false - end - else - Inspec::Log.debug( - "Received unexpected status code #{response.code} " \ - "from #{url}#{automate_endpoint} - " \ - "assuming target is not a #{AUTOMATE_PRODUCT_NAME} instance" - ) - false - end - end - - def self.target_is_compliance_server?(url, insecure) - # All versions of Chef Compliance return 200 for `/api/version` - compliance_endpoint = "/api/version" - - response = InspecPlugins::Compliance::HTTP.get(url + compliance_endpoint, nil, insecure) - return false unless response.code == "200" - - Inspec::Log.debug( - "Received 200 from #{url}#{compliance_endpoint} - " \ - "assuming target is a #{AUTOMATE_PRODUCT_NAME} server" - ) - true - end end end end diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb index 3b743c200..9bd29301c 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb 
@@ -11,20 +11,10 @@ module InspecPlugins def login(options) raise ArgumentError, "Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`" unless options["server"] + options["server_type"] = "automate2" options["server"] = URI("https://#{options["server"]}").to_s if URI(options["server"]).scheme.nil? - options["server_type"] = InspecPlugins::Compliance::API.determine_server_type(options["server"], options["insecure"]) - - case options["server_type"] - when :automate2 - Login::Automate2Server.login(options) - when :automate - Login::AutomateServer.login(options) - when :compliance - Login::ComplianceServer.login(options) - else - raise CannotDetermineServerType, "Unable to determine if #{options["server"]} is a #{AUTOMATE_PRODUCT_NAME} or #{COMPLIANCE_PRODUCT_NAME} server" - end + Login::Automate2Server.login(options) end module Automate2Server @@ -48,7 +38,7 @@ module InspecPlugins config["user"] = options["user"] config["owner"] = options["user"] config["insecure"] = options["insecure"] || false - config["server_type"] = options["server_type"].to_s + config["server_type"] = options["server_type"] config["token"] = token config["version"] = "0" 
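Review bot: The only scheme handling in `login` is the context line that prepends `https://` when no scheme is given, so a server passed explicitly as `http://…` is accepted unchanged and the API token is then sent to it unencrypted. Now that `Automate2Server.login` is the single path, this is a good place to enforce it, for example `raise ArgumentError, "Server URL must use https" unless URI(options["server"]).scheme == "https"` right after the normalisation line, or at least a warning if plain HTTP must stay supported for test setups. Separately, `options["server_type"]` is now set without probing the target, so an error from a legacy server will come from the later authentication call rather than from `CannotDetermineServerType`. It may be worth confirming that the message there is still understandable.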
@@ -69,133 +59,6 @@ module InspecPlugins end end - module AutomateServer - def self.login(options) - verify_thor_options(options) - - options["url"] = options["server"] + "/compliance" - token = options["dctoken"] || options["token"] - success, msg = API::Login.authenticate_login(options) - success ? store_access_token(options, token) : msg - end - - def self.store_access_token(options, token) - token_type = if options["token"] - "usertoken" - else - "dctoken" - end - - config = InspecPlugins::Compliance::Configuration.new - - config.clean - - config["automate"] = {} - config["automate"]["ent"] = options["ent"] - config["automate"]["token_type"] = token_type - config["server"] = options["url"] - config["user"] = options["user"] - config["insecure"] = options["insecure"] || false - config["server_type"] = options["server_type"].to_s - config["token"] = token - config["version"] = InspecPlugins::Compliance::API.version(config) - - config.store - API::Login.configuration_stored_message(config) - end - - # Automate login requires `--ent`, `--user`, and either `--token` or `--dctoken` - def self.verify_thor_options(o) - error_msg = [] - - error_msg.push("Please specify a user using `--user='USER'`") if o["user"].nil? - error_msg.push("Please specify an enterprise using `--ent='automate'`") if o["ent"].nil? - - if o["token"].nil? && o["dctoken"].nil? - error_msg.push("Please specify a token using `--token='AUTOMATE_TOKEN'` or `--dctoken='DATA_COLLECTOR_TOKEN'`") - end - - raise ArgumentError, error_msg.join("\n") unless error_msg.empty? - end - end - - module ComplianceServer - include Inspec::Dist - - def self.login(options) - compliance_verify_thor_options(options) - - options["url"] = options["server"] + "/api" - - if options["user"] && options["token"] - success, msg = API::Login.authenticate_login(options) - success ? 
compliance_store_access_token(options, options["token"]) : msg - elsif options["user"] && options["password"] - compliance_login_user_pass(options) - elsif options["refresh_token"] - compliance_login_refresh_token(options) - end - end - - def self.compliance_login_user_pass(options) - success, msg, token = InspecPlugins::Compliance::API.get_token_via_password( - options["url"], - options["user"], - options["password"], - options["insecure"] - ) - - raise msg unless success - - compliance_store_access_token(options, token) - end - - def self.compliance_login_refresh_token(options) - success, msg, token = InspecPlugins::Compliance::API.get_token_via_refresh_token( - options["url"], - options["refresh_token"], - options["insecure"] - ) - - raise msg unless success - - compliance_store_access_token(options, token) - end - - def self.compliance_store_access_token(options, token) - config = InspecPlugins::Compliance::Configuration.new - config.clean - - config["user"] = options["user"] if options["user"] - config["server"] = options["url"] - config["insecure"] = options["insecure"] || false - config["server_type"] = options["server_type"].to_s - config["token"] = token - config["version"] = InspecPlugins::Compliance::API.version(config) - - config.store - API::Login.configuration_stored_message(config) - end - - # Compliance login requires `--user` or `--refresh_token` - # If `--user` then either `--password`, `--token`, or `--refresh-token`, is required - def self.compliance_verify_thor_options(o) - error_msg = [] - - error_msg.push("Please specify a server using `#{EXEC_NAME} automate login https://SERVER` or `#{EXEC_NAME} compliance login https://SERVER`") if o["server"].nil? - - if o["user"].nil? && o["refresh_token"].nil? - error_msg.push("Please specify a `--user='USER'` or a `--refresh-token='TOKEN'`") - end - - if o["user"] && o["password"].nil? && o["token"].nil? && o["refresh_token"].nil? 
- error_msg.push("Please specify either a `--password`, `--token`, or `--refresh-token`") - end - - raise ArgumentError, error_msg.join("\n") unless error_msg.empty? - end - end - def self.authenticate_login(options) InspecPlugins::Compliance::API.authenticate_login_using_version_api( options["url"], diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb index 0c2be3ba4..c349c39b1 100644 --- a/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb @@ -32,16 +32,8 @@ module InspecPlugins def self.check_compliance_token(uri, config) if config["token"].nil? && config["refresh_token"].nil? - if config["server_type"] == "automate" - server = "automate" - msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate_server --user USER --ent ENT --dctoken DCTOKEN or --token USERTOKEN" - elsif config["server_type"] == "automate2" - server = "automate2" - msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN" - else - server = "compliance" - msg = "#{EXEC_NAME} [automate|compliance] login https://your_compliance_server --user admin --insecure --token 'PASTE TOKEN HERE' " - end + server = "automate2" + msg = "#{EXEC_NAME} [automate|compliance] login https://your_automate2_server --user USER --token APITOKEN" raise Inspec::FetcherFailure, <<~EOF Cannot fetch #{uri} because your #{server} token has not been 
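Review bot: `check_compliance_token` still accepts a stored `refresh_token` as sufficient (`config["token"].nil? && config["refresh_token"].nil?`), but the refresh-token login path (`compliance_login_refresh_token`) is removed in this same commit. A leftover configuration holding only a refresh token would therefore pass this check and fail later with a less helpful error. Whether `get_token` still honours refresh tokens is not visible here. If it does not, simplify the guard to `if config["token"].nil?`. The `server` local is now a constant and could be written directly into the heredoc. The heredoc body continues outside the hunk.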
@@ -119,19 +111,9 @@ module InspecPlugins # determine the owner_id and the profile name from the url def compliance_profile_name - m = if InspecPlugins::Compliance::API.is_automate_server_pre_080?(@config) - %r{^#{@config['server']}/(?[^/]+)/(?[^/]+)/tar$} - elsif InspecPlugins::Compliance::API.is_automate_server_080_and_later?(@config) - %r{^#{@config['server']}/profiles/(?[^/]+)/(?[^/]+)/tar$} - else - %r{^#{@config['server']}/owners/(?[^/]+)/compliance/(?[^/]+)/tar$} - end.match(@target) - - if InspecPlugins::Compliance::API.is_automate2_server?(@config) - m = {} - m[:owner] = @config["profile"][0] - m[:id] = @config["profile"][1] - end + m = {} + m[:owner] = @config["profile"][0] + m[:id] = @config["profile"][1] if m.nil? raise "Unable to determine compliance profile name. This can be caused by " \ diff --git a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb index 564bb1eb0..b076dd080 100644 --- a/lib/plugins/inspec-compliance/test/unit/api/login_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/api/login_test.rb @@ -13,16 +13,6 @@ describe InspecPlugins::Compliance::API do } end - let(:compliance_options) do - { - "server" => "https://compliance.example.com", - "user" => "someone", - "password" => "password", - "token" => "token", - "refresh_token" => "refresh_token", - } - end - let(:fake_config) do class FakeConfig def initialize @@ -51,9 +41,6 @@ describe InspecPlugins::Compliance::API do describe ".login" do describe "when target is a Chef Automate2 server" do - before do - InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate2) - end it "raises an error if `--user` is missing" do options = automate_options 
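Review bot: In `compliance_profile_name`, the `if m.nil?` guard that follows is now unreachable, because `m` is always the hash literal assigned just above it. The descriptive "Unable to determine compliance profile name" error can never fire, and a missing `@config["profile"]` instead raises NoMethodError on `nil[0]`. I would read the pair defensively and test the values: `profile = Array(@config["profile"])`, `m = { owner: profile[0], id: profile[1] }`, then `if m[:owner].nil? || m[:id].nil?`. The rest of the method, including the raise message, lies outside this hunk.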
@@ -99,114 +86,6 @@ describe InspecPlugins::Compliance::API do end end - describe "when target is a Chef Automate server" do - before do - InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:automate) - end - - it "raises an error if `--user` is missing" do - options = automate_options - options.delete("user") - err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError) - _(err.message).must_match(/Please specify a user.*/) - _(err.message.lines.length).must_equal(1) - end - - it "raises an error if `--ent` is missing" do - options = automate_options - options.delete("ent") - err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError) - _(err.message).must_match(/Please specify an enterprise.*/) - _(err.message.lines.length).must_equal(1) - end - - it "raises an error if `--token` and `--dctoken` are missing" do - options = automate_options - options.delete("token") - options.delete("dctoken") - err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError) - _(err.message).must_match(/Please specify a token.*/) - _(err.message.lines.length).must_equal(1) - end - - it "stores an access token" do - stub_request(:get, automate_options["server"] + "/compliance/version") - .to_return(status: 200, body: "", headers: {}) - options = automate_options - InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config) - - InspecPlugins::Compliance::API.login(options) - _(fake_config["automate"]["ent"]).must_equal("automate") - _(fake_config["automate"]["token_type"]).must_equal("usertoken") - _(fake_config["user"]).must_equal("someone") - _(fake_config["server"]).must_equal("https://automate.example.com/compliance") - _(fake_config["server_type"]).must_equal("automate") - _(fake_config["token"]).must_equal("token") - end - - it "puts error message when api-token is invalid" do - stub_body = { "error": "request not authenticated", "code": 16, "message": "request not 
authenticated", "details": [] }.to_json - stub_request(:get, automate_options["server"] + "/compliance/version") - .to_return(status: 401, body: stub_body, headers: {}) - options = automate_options - res = InspecPlugins::Compliance::API.login(options) - _(res).must_equal( - "Failed to authenticate to https://automate.example.com/compliance \n"\ - "Response code: 401\nBody: {\"error\":\"request not authenticated\",\"code\":16,\"message\":\"request not authenticated\",\"details\":[]}" - ) - end - end - - describe "when target is a Chef Compliance server" do - before do - InspecPlugins::Compliance::API.expects(:determine_server_type).returns(:compliance) - end - - it "raises an error if `--user` and `--refresh-token` are missing" do - options = automate_options - options.delete("user") - options.delete("refresh_token") - err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError) - _(err.message).must_match(/Please specify a.*--user.*--refresh-token.*/) - _(err.message.lines.length).must_equal(1) - end - - it "raises an error if `--user` is present but authentication method missing" do - options = automate_options - options.delete("password") - options.delete("token") - options.delete("refresh_token") - err = _ { InspecPlugins::Compliance::API.login(options) }.must_raise(ArgumentError) - _(err.message).must_match(/Please specify.*--password.*--token.*--refresh-token.*/) - _(err.message.lines.length).must_equal(1) - end - - it "stores an access token" do - stub_request(:get, compliance_options["server"] + "/api/version") - .to_return(status: 200, body: "", headers: {}) - options = compliance_options - InspecPlugins::Compliance::Configuration.expects(:new).returns(fake_config) - - InspecPlugins::Compliance::API.login(options) - _(fake_config["user"]).must_equal("someone") - _(fake_config["server"]).must_equal("https://compliance.example.com/api") - _(fake_config["server_type"]).must_equal("compliance") - 
_(fake_config["token"]).must_equal("token") - end - - it "puts error message when api-token is invalid" do - stub_body = { "error": "request not authenticated", "code": 16, "message": "request not authenticated", "details": [] }.to_json - stub_request(:get, automate_options["server"] + "/api/version") - .to_return(status: 401, body: stub_body, headers: {}) - options = automate_options - res = InspecPlugins::Compliance::API.login(options) - _(res).must_equal( - "Failed to authenticate to https://automate.example.com/api \n"\ - "Response code: 401\nBody: {\"error\":\"request not authenticated\",\"code\":16,\"message\":\"request not authenticated\",\"details\":[]}" - ) - end - end - describe "when target is neither a Chef Compliance nor Chef Automate server" do it "raises an error if `https://SERVER` is missing" do options = {} @@ -214,12 +93,6 @@ describe InspecPlugins::Compliance::API do _(err.message).must_match(/Please specify a server.*/) _(err.message.lines.length).must_equal(1) end - - it "rasies a `CannotDetermineServerType` error" do - InspecPlugins::Compliance::API.expects(:determine_server_type).returns(nil) - err = _ { InspecPlugins::Compliance::API.login(automate_options) }.must_raise(StandardError) - _(err.message).must_match(/Unable to determine/) - end end end end diff --git a/lib/plugins/inspec-compliance/test/unit/api_test.rb b/lib/plugins/inspec-compliance/test/unit/api_test.rb index f7ee31d34..61a932133 100644 --- a/lib/plugins/inspec-compliance/test/unit/api_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/api_test.rb 
@@ -5,41 +5,43 @@ require_relative "../../lib/inspec-compliance/api" describe InspecPlugins::Compliance::API do let(:profiles_response) do - [{ "name" => "apache-baseline", - "title" => "DevSec Apache Baseline", - "maintainer" => "DevSec Hardening Framework Team", - "copyright" => "DevSec Hardening Framework Team", - "copyright_email" => "hello@dev-sec.io", - "license" => "Apache 2 license", - "summary" => "Test-suite for best-practice apache hardening", - "version" => "2.0.2", - "supports" => [{ "os-family" => "unix" }], - "depends" => nil, - "owner_id" => "admin" }, - { "name" => "apache-baseline", - "title" => "DevSec Apache Baseline", - "maintainer" => "Hardening Framework Team", - "copyright" => "Hardening Framework Team", - "copyright_email" => "hello@dev-sec.io", - "license" => "Apache 2 license", - "summary" => "Test-suite for best-practice apache hardening", - "version" => "2.0.1", - "supports" => [{ "os-family" => "unix" }], - "depends" => nil, - "latest_version" => "2.0.2", - "owner_id" => "admin" }, - { "name" => "cis-aix-5.3-6.1-level1", - "title" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1", - "maintainer" => "Chef Software, Inc.", - "copyright" => "Chef Software, Inc.", - "copyright_email" => "support@chef.io", - "license" => "Proprietary, All rights reserved", - "summary" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 translated from SCAP", - "version" => "1.1.0", - "supports" => nil, - "depends" => nil, - "latest_version" => "1.1.0-3", - "owner_id" => "admin" }] + { "profiles": + [{ "name" => "apache-baseline", + "title" => "DevSec Apache Baseline", + "maintainer" => "DevSec Hardening Framework Team", + "copyright" => "DevSec Hardening Framework Team", + "copyright_email" => "hello@dev-sec.io", + "license" => "Apache 2 license", + "summary" => "Test-suite for best-practice apache hardening", + "version" => "2.0.2", + "supports" => [{ "os-family" => "unix" }], + "depends" => nil, + "owner_id" => "admin" }, + { "name" => "apache-baseline", + "title" 
=> "DevSec Apache Baseline", + "maintainer" => "Hardening Framework Team", + "copyright" => "Hardening Framework Team", + "copyright_email" => "hello@dev-sec.io", + "license" => "Apache 2 license", + "summary" => "Test-suite for best-practice apache hardening", + "version" => "2.0.1", + "supports" => [{ "os-family" => "unix" }], + "depends" => nil, + "latest_version" => "2.0.2", + "owner_id" => "admin" }, + { "name" => "cis-aix-5.3-6.1-level1", + "title" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1", + "maintainer" => "Chef Software, Inc.", + "copyright" => "Chef Software, Inc.", + "copyright_email" => "support@chef.io", + "license" => "Proprietary, All rights reserved", + "summary" => "CIS AIX 5.3 and AIX 6.1 Benchmark Level 1 translated from SCAP", + "version" => "1.1.0", + "supports" => nil, + "depends" => nil, + "latest_version" => "1.1.0-3", + "owner_id" => "admin" }], + } end describe ".version" do 
@@ -115,87 +117,6 @@ describe InspecPlugins::Compliance::API do end end - describe "automate/compliance is? checks" do - describe "when the config has a compliance server_type" do - it "automate/compliance server is? methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "compliance" - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate2_server?(config)).must_equal false - end - end - - describe "when the config has a automate2 server_type" do - it "automate/compliance server is? methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "automate2" - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate2_server?(config)).must_equal true - end - end - - describe "when the config has an automate server_type and no version key" do - it "automate/compliance server is? 
methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "automate" - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate2_server?(config)).must_equal false - end - end - - describe "when the config has an automate server_type and a version key that is not a hash" do - it "automate/compliance server is? methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "automate" - config["version"] = "1.2.3" - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate2_server?(config)).must_equal false - end - end - - describe "when the config has an automate server_type and a version hash with no version" do - it "automate/compliance server is? 
methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "automate" - config["version"] = {} - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal false - end - end - - describe "when the config has an automate server_type and a version hash with a version" do - it "automate/compliance server is? methods return correctly" do - config = InspecPlugins::Compliance::Configuration.new - config.clean - config["server_type"] = "automate" - config["version"] = { "version" => "0.8.1" } - _(InspecPlugins::Compliance::API.is_compliance_server?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server?(config)).must_equal true - _(InspecPlugins::Compliance::API.is_automate_server_pre_080?(config)).must_equal false - _(InspecPlugins::Compliance::API.is_automate_server_080_and_later?(config)).must_equal true - end - end - end - describe ".server_version_from_config" do it "returns nil when the config has no version key" do config = {} 
@@ -229,29 +150,19 @@ describe InspecPlugins::Compliance::API do
 end describe "target_url" do
- it "handles a automate profile with and without version" do
+ it "handles a automate2 profile with and without version" do
 config = InspecPlugins::Compliance::Configuration.new config.clean
- config["server_type"] = "automate"
- config["server"] = "https://myautomate"
+ config["server_type"] = "automate2"
+ config["server"] = "https://myautomate2"
 config["version"] = "1.6.99"
- _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline")).must_equal "https://myautomate/profiles/admin/apache-baseline/tar"
- _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline#2.0.2")).must_equal "https://myautomate/profiles/admin/apache-baseline/version/2.0.2/tar"
- end
-
- it "handles a chef-compliance profile with and without version" do
- config = InspecPlugins::Compliance::Configuration.new
- config.clean
- config["server_type"] = "compliance"
- config["server"] = "https://mychefcompliance"
- config["version"] = "1.1.2"
- _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline")).must_equal "https://mychefcompliance/owners/admin/compliance/apache-baseline/tar"
- _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline#2.0.2")).must_equal "https://mychefcompliance/owners/admin/compliance/apache-baseline/tar"
+ _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline")).must_equal "https://myautomate2/compliance/profiles/tar"
+ _(InspecPlugins::Compliance::API.target_url(config, "admin/apache-baseline#2.0.2")).must_equal "https://myautomate2/compliance/profiles/tar"
 end end describe "exist?" do
- it "works with profiles returned by Automate" do
+ it "works with profiles returned by Automate 2" do
 # ruby 2.3.3 has issues running stub_requests properly # skipping for that specific version return if RUBY_VERSION == "2.3.3"
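Review bot: The renamed example `handles a automate2 profile with and without version` expects the identical URL `https://myautomate2/compliance/profiles/tar` for both `admin/apache-baseline` and `admin/apache-baseline#2.0.2`, so it passes whether the `#2.0.2` suffix is parsed or silently dropped. If the URL is meant to be version-independent for Automate 2 (presumably the owner, name and version are sent some other way; the hunk does not show it), say so with a comment above the assertions such as `# automate2 has a single tar endpoint; owner/name/version are not encoded in the URL`. The example title could then read `"returns the same tar endpoint with and without a version"`. The enclosing top-level `describe` starts and ends outside the hunk.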
@@ -259,14 +170,36 @@ describe InspecPlugins::Compliance::API do
 config = InspecPlugins::Compliance::Configuration.new config.clean config["owner"] = "admin"
- config["server_type"] = "automate"
- config["server"] = "https://myautomate"
+ config["server_type"] = "automate2"
+ config["server"] = "https://myautomate2"
 config["version"] = "1.6.99" config["automate"] = { "ent" => "automate", "token_type" => "dctoken" } config["version"] = { "api" => "compliance", "version" => "0.8.24" }
- stub_request(:get, "https://myautomate/profiles/admin")
- .with(headers: { "Accept" => "*/*", "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3", "Chef-Delivery-Enterprise" => "automate", "User-Agent" => "Ruby", "X-Data-Collector-Token" => "" })
+ stub_request(:post, "https://myautomate2/compliance/profiles/search")
+ .with(
+ body: "{\"owner\":\"admin\",\"name\":\"apache-baseline\"}",
+ headers: {
+ "Accept" => "*/*",
+ "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+ "Chef-Delivery-Enterprise" => "automate",
+ "User-Agent" => "Ruby",
+ "X-Data-Collector-Token" => "",
+ }
+ )
+ .to_return(status: 200, body: profiles_response.to_json, headers: {})
+
+ stub_request(:post, "https://myautomate2/compliance/profiles/search")
+ .with(
+ body: "{\"owner\":\"admin\",\"name\":\"missing-in-action\"}",
+ headers: {
+ "Accept" => "*/*",
+ "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+ "Chef-Delivery-Enterprise" => "automate",
+ "User-Agent" => "Ruby",
+ "X-Data-Collector-Token" => "",
+ }
+ )
 .to_return(status: 200, body: profiles_response.to_json, headers: {}) _(InspecPlugins::Compliance::API.exist?(config, "admin/apache-baseline")).must_equal true
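Review bot: The two `stub_request(:post, "https://myautomate2/compliance/profiles/search")` blocks added here differ only in the profile name inside a hand-escaped JSON string, so the headers hash is duplicated and the body match depends on exact key order and escaping. Building the body with `to_json` and sharing one headers hash, as sketched below, keeps the two stubs in step. Both stubs also match on `"X-Data-Collector-Token" => ""`, so this example only covers a request sent with an empty token; a companion case with a token set in the config would show that the header is actually populated from it. The first `config["version"] = "1.6.99"` in the context lines is overwritten by the hash assignment two lines later and could be dropped. The enclosing `it` block starts and ends outside the hunk.

```ruby
# … unchanged: config setup …
search_headers = {
  "Accept" => "*/*",
  "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
  "Chef-Delivery-Enterprise" => "automate",
  "User-Agent" => "Ruby",
  "X-Data-Collector-Token" => "",
}

%w{apache-baseline missing-in-action}.each do |profile|
  stub_request(:post, "https://myautomate2/compliance/profiles/search")
    .with(body: { owner: "admin", name: profile }.to_json, headers: search_headers)
    .to_return(status: 200, body: profiles_response.to_json, headers: {})
end
# … unchanged: exist? assertions …
```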
@@ -275,112 +208,4 @@ describe InspecPlugins::Compliance::API do _(InspecPlugins::Compliance::API.exist?(config, "admin/missing-in-action")).must_equal false end end - - describe ".determine_server_type" do - let(:url) { "https://someserver.onthe.net/" } - - let(:compliance_endpoint) { "/api/version" } - let(:automate_endpoint) { "/compliance/version" } - let(:automate2_endpoint) { "/dex/auth" } - let(:headers) { nil } - let(:insecure) { true } - - let(:good_response) { mock } - let(:bad_response) { mock } - - it "returns `:automate2` when a 400 is received from `https://URL/dex/auth`" do - good_response.stubs(:code).returns("400") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(good_response) - - _(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_equal(:automate2) - end - - it "returns `:automate` when a 401 is received from `https://URL/compliance/version`" do - good_response.stubs(:code).returns("401") - bad_response.stubs(:code).returns("404") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate_endpoint, headers, insecure) - .returns(good_response) - - _(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_equal(:automate) - end - - # Chef Automate currently returns 401 for `/compliance/version` but some - # versions of OpsWorks Chef Automate return 200 and a Chef Manage page when - # unauthenticated requests are received. 
- it "returns `:automate` when a 200 is received from `https://URL/compliance/version`" do - bad_response.stubs(:code).returns("404") - good_response.stubs(:code).returns("200") - good_response.stubs(:body).returns("Are You Looking For the Chef Server?") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate_endpoint, headers, insecure) - .returns(good_response) - - _(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_equal(:automate) - end - - it "returns `nil` if a 200 is received from `https://URL/compliance/version` but not redirected to Chef Manage" do - bad_response.stubs(:code).returns("200") - bad_response.stubs(:body).returns("No Chef Manage here") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(bad_response) - - mock_compliance_response = mock - mock_compliance_response.stubs(:code).returns("404") - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + compliance_endpoint, headers, insecure) - .returns(mock_compliance_response) - - _(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_be_nil - end - - it "returns `:compliance` when a 200 is received from `https://URL/api/version`" do - good_response.stubs(:code).returns("200") - bad_response.stubs(:code).returns("404") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + compliance_endpoint, headers, insecure) - .returns(good_response) - - 
_(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_equal(:compliance) - end - - it "returns `nil` if it cannot determine the server type" do - bad_response.stubs(:code).returns("404") - - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate2_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + automate_endpoint, headers, insecure) - .returns(bad_response) - InspecPlugins::Compliance::HTTP.expects(:get) - .with(url + compliance_endpoint, headers, insecure) - .returns(bad_response) - - _(InspecPlugins::Compliance::API.determine_server_type(url, insecure)).must_be_nil - end - end end diff --git a/lib/plugins/inspec-compliance/test/unit/target_test.rb b/lib/plugins/inspec-compliance/test/unit/target_test.rb index c8bc7d850..801a8a079 100644 --- a/lib/plugins/inspec-compliance/test/unit/target_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/target_test.rb @@ -15,12 +15,11 @@ describe InspecPlugins::Compliance::Fetcher do it "returns an error when token is not set" do ex = assert_raises(Inspec::FetcherFailure) { fetcher.class.check_compliance_token("http://test.com", config) } - _(ex.message).must_include "Cannot fetch http://test.com because your compliance token has not been\nconfigured." + _(ex.message).must_include "Cannot fetch http://test.com because your automate2 token has not been\nconfigured." end end describe "when the server is an automate2 server" do - before { InspecPlugins::Compliance::API.expects(:is_automate2_server?).with(config).returns(true) } it "returns the correct owner and profile name" do config["profile"] = ["admin", "ssh-baseline", nil] 
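Review bot: In the first `target_test.rb` hunk, removing `before { InspecPlugins::Compliance::API.expects(:is_automate2_server?).with(config).returns(true) }` leaves `describe "when the server is an automate2 server"` with no setup that makes the server an automate2 one, so the description now states a condition the block does not establish. Since automate2 appears to be the only server type left after this change, the wrapper could be renamed to describe what is tested, for example `describe "profile owner and name"`, or removed so the `it` sits directly under the parent. The `describe` block continues outside the hunk.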
@@ -29,54 +28,6 @@ describe InspecPlugins::Compliance::Fetcher do end end - describe "when the server is an automate server pre-0.8.0" do - before { InspecPlugins::Compliance::API.expects(:is_automate_server_pre_080?).with(config).returns(true) } - - it "returns the correct profile name when the url is correct" do - fetcher = InspecPlugins::Compliance::Fetcher.new("myserver/myowner/myprofile/tar", config) - _(fetcher.send(:compliance_profile_name)).must_equal "myowner/myprofile" - end - - it "raises an exception if the url is malformed" do - fetcher = InspecPlugins::Compliance::Fetcher.new("a/bad/url", config) - _(proc { fetcher.send(:compliance_profile_name) }).must_raise RuntimeError - end - end - - describe "when the server is an automate server 0.8.0-or-later" do - before do - InspecPlugins::Compliance::API.expects(:is_automate_server_pre_080?).with(config).returns(false) - InspecPlugins::Compliance::API.expects(:is_automate_server_080_and_later?).with(config).returns(true) - end - - it "returns the correct profile name when the url is correct" do - fetcher = InspecPlugins::Compliance::Fetcher.new("myserver/profiles/myowner/myprofile/tar", config) - _(fetcher.send(:compliance_profile_name)).must_equal "myowner/myprofile" - end - - it "raises an exception if the url is malformed" do - fetcher = InspecPlugins::Compliance::Fetcher.new("a/bad/url", config) - _(proc { fetcher.send(:compliance_profile_name) }).must_raise RuntimeError - end - end - - describe "when the server is not an automate server (likely a compliance server)" do - before do - InspecPlugins::Compliance::API.expects(:is_automate_server_pre_080?).with(config).returns(false) - InspecPlugins::Compliance::API.expects(:is_automate_server_080_and_later?).with(config).returns(false) - end - - it "returns the correct profile name when the url is correct" do - fetcher = InspecPlugins::Compliance::Fetcher.new("myserver/owners/myowner/compliance/myprofile/tar", config) - 
_(fetcher.send(:compliance_profile_name)).must_equal "myowner/myprofile" - end - - it "raises an exception if the url is malformed" do - fetcher = InspecPlugins::Compliance::Fetcher.new("a/bad/url", config) - _(proc { fetcher.send(:compliance_profile_name) }).must_raise RuntimeError - end - end - describe "when the server calls an automate profile" do let(:profiles_result) do [{ "name" => "ssh-baseline", From f3d96aba561be3b447152bfa698c6272b2efa55a Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 20 May 2021 18:37:01 +0000 Subject: [PATCH 193/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 39 ++++++++++++++++++--------------------- Dockerfile | 2 +- 2 files changed, 19 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e55bf7f4..7692bd3cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,30 +1,28 @@ # Change Log - -## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-19) - -#### Merged Pull Requests -- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) + - -### Changes since 4.37.8 release - -#### Enhancements -- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) - -#### Merged Pull Requests -- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) -- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) -- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) -- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Support zfs_pool and zfs_dataset resources on Linux. 
Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) -- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) + +## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-20) + +#### Enhancements +- Fix for port resource performance: adding more specific search while using ss command [#5522](https://github.com/inspec/inspec/pull/5522) ([Vasu1105](https://github.com/Vasu1105)) + +#### Merged Pull Requests +- Fix the lint and failing test for windows_feature resource [#5524](https://github.com/inspec/inspec/pull/5524) ([Vasu1105](https://github.com/Vasu1105)) +- Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 [#5523](https://github.com/inspec/inspec/pull/5523) ([kannanr](https://github.com/kannanr)) +- Add basic docs for toml resource [#5514](https://github.com/inspec/inspec/pull/5514) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add CI-CD docs [#5489](https://github.com/inspec/inspec/pull/5489) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add explicit RHEL8 builders to omnibus build [#5527](https://github.com/inspec/inspec/pull/5527) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) +- Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) +- Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) + + ## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-12) #### Merged Pull Requests 
@@ -36,7 +34,6 @@ - Update Hugo and correct how build previews are generated [#5507](https://github.com/inspec/inspec/pull/5507) ([IanMadd](https://github.com/IanMadd)) - Modified windows_feature to indicate enabled rather than just available [#5506](https://github.com/inspec/inspec/pull/5506) ([jwdean](https://github.com/jwdean)) - Remove outdated instructions about testing AWS and Azure resources [#5499](https://github.com/inspec/inspec/pull/5499) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.37.0](https://github.com/inspec/inspec/tree/v4.37.0) (2021-05-05) diff --git a/Dockerfile b/Dockerfile index fdb246335..3c6b0767c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.8 +ARG VERSION=4.37.17 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 7e4e0f33fd3d256a4316c6fa117d368c9f913db1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 20 May 2021 18:51:49 +0000 Subject: [PATCH 194/483] Bump version to 4.37.18 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7692bd3cd..dae418597 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,9 +1,17 @@ # Change Log - + +## [v4.37.18](https://github.com/inspec/inspec/tree/v4.37.18) (2021-05-20) + +#### Merged Pull Requests +- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) - + +### Changes since 4.37.17 release + +#### Merged Pull Requests +- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 82a029b1f..75978d033 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.17 \ No newline at end of file +4.37.18 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f39280431..be53dd601 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.17".freeze + VERSION = "4.37.18".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index d886fd98b..7fc099825 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.17".freeze + VERSION = "4.37.18".freeze end From df4f6ad37576e6921abc9a68b5d5b600c4d9f3f4 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 20 May 2021 18:54:45 +0000 Subject: [PATCH 195/483] Bump version to 4.37.19 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dae418597..2c8ff3742 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.18](https://github.com/inspec/inspec/tree/v4.37.18) (2021-05-20) + +## [v4.37.19](https://github.com/inspec/inspec/tree/v4.37.19) (2021-05-20) #### Merged Pull Requests -- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) +- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.17 release #### Merged Pull Requests +- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) - Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 75978d033..4abbe3edf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.18 \ No newline at end of file +4.37.19 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index be53dd601..90fe6e6a8 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.18".freeze + VERSION = "4.37.19".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 7fc099825..8b5fb85ca 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.18".freeze + VERSION = "4.37.19".freeze end From b84d4607d683657356f04dd374ef1801a5d14cb4 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Thu, 20 May 2021 18:57:52 +0000 Subject: [PATCH 196/483] Bump version to 4.37.20 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c8ff3742..466e487cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.19](https://github.com/inspec/inspec/tree/v4.37.19) (2021-05-20) + +## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-20) #### Merged Pull Requests -- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) +- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.17 release #### Merged Pull Requests +- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) - Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 4abbe3edf..bdfb3271e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.19 \ No newline at end of file +4.37.20 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 90fe6e6a8..64635ec7d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.19".freeze + VERSION = "4.37.20".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8b5fb85ca..ad7e0334f 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.19".freeze + VERSION = "4.37.20".freeze end From bc15deab93409bc5ba62b6980e39ffef03cb8d1e Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 21 May 2021 18:04:03 +0530 Subject: [PATCH 197/483] Update inspec init plugin: 1. To use double quotes as per chefstyle 2. Template files renamed to .erb 
Signed-off-by: Vasu1105 --- .../inspec-init/lib/inspec-init/cli_plugin.rb | 31 ++++++++++--------- .../inspec-init/lib/inspec-init/renderer.rb | 1 + .../plugins/inspec-plugin-template/Gemfile | 12 +++---- .../plugins/inspec-plugin-template/Rakefile | 16 +++++----- .../inspec-plugin-template.gemspec | 24 +++++++------- ...template.rb => inspec-plugin-template.erb} | 2 +- .../{cli_command.rb => cli_command.erb} | 16 +++++----- .../{plugin.rb => plugin.erb} | 12 +++---- .../{reporter.rb => reporter.erb} | 0 .../{version.rb => version.erb} | 2 +- ...est.rb => inspec_plugin_template_test.erb} | 18 +++++------ .../test/{helper.rb => helper.erb} | 6 ++-- .../{cli_args_test.rb => cli_args_test.erb} | 8 ++--- ...plugin_def_test.rb => plugin_def_test.erb} | 6 ++-- 14 files changed, 79 insertions(+), 75 deletions(-) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/{inspec-plugin-template.rb => inspec-plugin-template.erb} (93%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{cli_command.rb => cli_command.erb} (84%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{plugin.rb => plugin.erb} (90%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{reporter.rb => reporter.erb} (100%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/{version.rb => version.erb} (87%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/{inspec_plugin_template_test.rb => inspec_plugin_template_test.erb} (89%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/{helper.rb => helper.erb} (87%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/{cli_args_test.rb => cli_args_test.erb} (92%) rename lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/{plugin_def_test.rb 
=> plugin_def_test.erb} (94%) diff --git a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb index 1236b6818..06227fcec 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb 
@@ -71,12 +71,15 @@ module InspecPlugins
 { "inspec-plugin-template.gemspec" => plugin_name + ".gemspec", File.join("lib", "inspec-plugin-template") => File.join("lib", plugin_name),
- File.join("lib", "inspec-plugin-template.rb") => File.join("lib", plugin_name + ".rb"),
- File.join("lib", "inspec-plugin-template", "cli_command.rb") => File.join("lib", plugin_name, "cli_command.rb"),
- File.join("lib", "inspec-plugin-template", "reporter.rb") => File.join("lib", plugin_name, "reporter.rb"),
- File.join("lib", "inspec-plugin-template", "plugin.rb") => File.join("lib", plugin_name, "plugin.rb"),
- File.join("lib", "inspec-plugin-template", "version.rb") => File.join("lib", plugin_name, "version.rb"),
- File.join("test", "functional", "inspec_plugin_template_test.rb") => File.join("test", "functional", snake_case + "_test.rb"),
+ File.join("lib", "inspec-plugin-template.erb") => File.join("lib", plugin_name + ".rb"),
+ File.join("lib", "inspec-plugin-template", "cli_command.erb") => File.join("lib", plugin_name, "cli_command.rb"),
+ File.join("lib", "inspec-plugin-template", "reporter.erb") => File.join("lib", plugin_name, "reporter.rb"),
+ File.join("lib", "inspec-plugin-template", "plugin.erb") => File.join("lib", plugin_name, "plugin.rb"),
+ File.join("lib", "inspec-plugin-template", "version.erb") => File.join("lib", plugin_name, "version.rb"),
+ File.join("test", "functional", "inspec_plugin_template_test.erb") => File.join("test", "functional", snake_case + "_test.rb"),
+ File.join("test", "unit", "cli_args_test.erb") => File.join("test", "unit", "cli_args_test.rb"),
+ File.join("test", "unit", "plugin_def_test.erb") => File.join("test", "unit", "plugin_def_test.rb"),
+ File.join("test", "helper.erb") => File.join("test", "helper.rb"),
 } end
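Review bot: Every template renamed to `.erb` now has to be listed by hand in this rename map and again, under its `.erb` source name, in the skip lists changed by the next two hunks of this file, with nothing in the code recording that the three places must agree. A template added later without a map entry would presumably be written into the generated plugin with its `.erb` name. A comment above the hash would capture the rule, for example `# Templates are stored as .erb; map each one back to .rb here and refer to it by its .erb name in the skip lists.` The three new `test/` entries change only the extension, so they could instead be derived by swapping a trailing `.erb` for `.rb`. The method that returns this hash starts outside the hunk.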
@@ -230,13 +233,13 @@ module InspecPlugins "Rakefile", File.join("test", "fixtures", "README.md"), File.join("test", "fixtures"), - File.join("test", "functional", "inspec_plugin_template_test.rb"), + File.join("test", "functional", "inspec_plugin_template_test.erb"), File.join("test", "functional", "README.md"), - File.join("test", "unit", "cli_args_test.rb"), - File.join("test", "unit", "plugin_def_test.rb"), + File.join("test", "unit", "cli_args_test.erb"), + File.join("test", "unit", "plugin_def_test.erb"), File.join("test", "unit", "README.md"), File.join("test", "unit"), - File.join("test", "helper.rb"), + File.join("test", "helper.erb"), File.join("test"), ] else @@ -247,14 +250,14 @@ module InspecPlugins # Remove hook-specific files unless requested_hooks.include?(:cli_command) skips += [ - File.join("lib", "inspec-plugin-template", "cli_command.rb"), - File.join("test", "unit", "cli_args_test.rb"), - File.join("test", "functional", "inspec_plugin_template_test.rb"), + File.join("lib", "inspec-plugin-template", "cli_command.erb"), + File.join("test", "unit", "cli_args_test.erb"), + File.join("test", "functional", "inspec_plugin_template_test.erb"), ] end unless requested_hooks.include?(:reporter) skips += [ - File.join("lib", "inspec-plugin-template", "reporter.rb"), + File.join("lib", "inspec-plugin-template", "reporter.erb"), ] end diff --git a/lib/plugins/inspec-init/lib/inspec-init/renderer.rb b/lib/plugins/inspec-init/lib/inspec-init/renderer.rb index 124ace2df..5620c9de5 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/renderer.rb @@ -65,6 +65,7 @@ module InspecPlugins # read & render content content = render(File.read(source_file), template_values) # write file content + File.write(full_destination_item_path, content) else ui.warning "Ignoring #{ui.emphasis(source_file)}, because its not an file or directoy" 
diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile index 24333bd67..1750da388 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile @@ -1,11 +1,11 @@ -source 'https://rubygems.org' +source "https://rubygems.org" gemspec group :development do - gem 'bundler' - gem 'byebug' - gem 'minitest' - gem 'rake' - gem 'rubocop', '= 0.49.1' # Need to keep in sync with main InSpec project, so config files will work + gem "bundler" + gem "byebug" + gem "minitest" + gem "rake" + gem "rubocop", "= 0.49.1" # Need to keep in sync with main InSpec project, so config files will work end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Rakefile b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Rakefile index 13f460f42..afbb56a08 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Rakefile +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Rakefile @@ -7,13 +7,13 @@ # This task template will make a task named 'test', and run # the tests that it finds. -require 'rake/testtask' +require "rake/testtask" Rake::TestTask.new do |t| - t.libs.push 'lib' + t.libs.push "lib" t.test_files = FileList[ - 'test/unit/*_test.rb', - 'test/functional/*_test.rb', + "test/unit/*_test.rb", + "test/functional/*_test.rb", ] t.verbose = true # Ideally, we'd run tests with warnings enabled, 
@@ -26,15 +26,15 @@ end #------------------------------------------------------------------# # Code Style Tasks #------------------------------------------------------------------# -require 'rubocop/rake_task' +require "rubocop/rake_task" RuboCop::RakeTask.new(:lint) do |t| # Choices of RuboCop rules to enforce are deeply personal. # Here, we set things up so that your plugin will use the Bundler-installed # inspec gem's copy of the InSpec project's rubocop.yml file (which # is indeed packaged with the inspec gem). - require 'inspec/globals' - inspec_rubocop_yml = File.join(Inspec.src_root, '.rubocop.yml') + require "inspec/globals" + inspec_rubocop_yml = File.join(Inspec.src_root, ".rubocop.yml") - t.options = ['--display-cop-names', '--config', inspec_rubocop_yml] + t.options = ["--display-cop-names", "--config", inspec_rubocop_yml] end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec index 9579302b2..ff6670c8e 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec 
@@ -4,23 +4,23 @@ # It is traditional in a gemspec to dynamically load the current version # from a file in the source tree. The next three lines make that happen. -lib = File.expand_path('../lib', __FILE__) +lib = File.expand_path("../lib", __FILE__) $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) -require '<%= plugin_name %>/version' +require "<%= plugin_name %>/version" Gem::Specification.new do |spec| # Importantly, all InSpec plugins must be prefixed with `inspec-` (most # plugins) or `train-` (plugins which add new connectivity features). - spec.name = '<%= plugin_name %>' + spec.name = "<%= plugin_name %>" # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase spec.version = InspecPlugins::<%= module_name %>::VERSION - spec.authors = ['<%= author_name %>'] - spec.email = ['<%= author_email %>'] - spec.summary = '<%= summary %>' - spec.description = '<%= description %>' - spec.homepage = '<%= homepage %>' - spec.license = '<%= license_name %>' + spec.authors = ["<%= author_name %>"] + spec.email = ["<%= author_email %>"] + spec.summary = "<%= summary %>" + spec.description = "<%= description %>" + spec.homepage = "<%= homepage %>" + spec.license = "<%= license_name %>" # Though complicated-looking, this is pretty standard for a gemspec. # It just filters what will actually be packaged in the gem (leaving @@ -28,9 +28,9 @@ Gem::Specification.new do |spec| spec.files = %w{ README.md <%= snake_case %>.gemspec Gemfile } + Dir.glob( - 'lib/**/*', File::FNM_DOTMATCH + "lib/**/*", File::FNM_DOTMATCH ).reject { |f| File.directory?(f) } - spec.require_paths = ['lib'] + spec.require_paths = ["lib"] # If you rely on any other gems, list them here with any constraints. # This is how `inspec plugin install` is able to manage your dependencies. 
@@ -39,5 +39,5 @@ Gem::Specification.new do |spec| # All plugins should mention inspec, > 2.2.78 # 2.2.78 included the v2 Plugin API - spec.add_dependency 'inspec', '>=2.2.78', '<4.0.0' + spec.add_dependency "inspec", ">= 2.2.78", "< 4.0.0" end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.erb similarity index 93% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.erb index 770e9eba7..75694e987 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.erb @@ -11,4 +11,4 @@ libdir = File.dirname(__FILE__) $LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir) -require '<%= plugin_name %>/plugin' +require "<%= plugin_name %>/plugin" diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.erb similarity index 84% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.erb index b765a1d8d..9f50e2b8b 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.erb 
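Review bot: The `"< 4.0.0"` ceiling on the `inspec` dependency survives this reformat, and it would stop a generated plugin from resolving against an InSpec 4.x install. Other parts of this series refer to InSpec above 4.0.0, so the template looks stale, though the current release line should be confirmed. If plugin API v2 is still the target, raise or drop the ceiling, for example `spec.add_dependency "inspec", ">= 2.2.78"`. The comment above it says `> 2.2.78` while the constraint is `>=`, so align the two.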
@@ -1,4 +1,4 @@ -require 'inspec/resource' +require "inspec/resource" module InspecPlugins::<%= module_name %> # This class will provide the actual CLI implementation. 
@@ -21,31 +21,31 @@ module InspecPlugins::<%= module_name %> # Note: if you want your command (or subcommand) to have dashes in it, # use underscores where you want a dash, and Thor will convert them. # Thor will fail to find a command that is directly named with dashes. - subcommand_desc '<%= command_name_snake %> [COMMAND]', 'Your Usage Message Here' + subcommand_desc "<%= command_name_snake %> [COMMAND]", "Your Usage Message Here" # The usual rhythm for a Thor CLI file is description, options, command method. # Thor just has you call DSL methods in sequence prior to each command. # Let's make a command, 'do_something'. This will then be available - # as `inspec <%= command_name_dashes %> do-something + # as `inspec <%= command_name_dashes %> do-something` # (Change this method name to be something sensible for your plugin.) # First, provide a usage / description. This will appear # in `inspec help <%= command_name_dashes %>`. # As this is a usage message, you should write the command as it should appear # to the user (if you want it to have dashes, use dashes) - desc 'do-something WHAT [OPTIONS]', 'Does something' + desc "do-something WHAT [OPTIONS]", "Does something" # Let's include an option, -s, to summarize # Refer to the Thors docs; there is a lot you can do here. - option :summary, desc: 'Include a total at the bottom', \ + option :summary, desc: "Include a total at the bottom", \ type: :boolean, default: true, aliases: [:s] - # OK, now the actual method itself. If you provide params, you're telling Thor that + # OK, now the actual method itself. If you provide params, you're telling Thor that # you accept CLI arguments after all options have been consumed. # Note again that the method name has an underscore, but when invoked # on the CLI, use a dash. - def do_something(what = 'nothing') + def do_something(what = "nothing") # The code here will *only* be executed if someone actually # runs `inspec <%= command_name_dashes %> do-something`. 
@@ -55,7 +55,7 @@ module InspecPlugins::<%= module_name %> # Talk to the user using the `ui` object (see Inspec::UI) # ui.error('Whoops!') - ui.warning('This is a generated plugin with a default implementation. Edit lib/<%= plugin_name %>/cli_command.rb to make it do what you want.') + ui.warning("This is a generated plugin with a default implementation. Edit lib/<%= plugin_name %>/cli_command.rb to make it do what you want.") ui.exit(:success) # or :usage_error end end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb similarity index 90% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb index 67c5cd378..6bea32e3e 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb @@ -7,13 +7,13 @@ # fast and light by only loading heavy things when they are needed. # Presumably this is light -require '<%= plugin_name %>/version' +require "<%= plugin_name %>/version" # The InspecPlugins namespace is where all plugins should declare themselves. -# The 'Inspec' capitalization is used throughout the InSpec source code; yes, it's +# The "Inspec" capitalization is used throughout the InSpec source code; yes, it's # strange. module InspecPlugins - # Pick a reasonable namespace here for your plugin. A reasonable choice + # Pick a reasonable namespace here for your plugin. A reasonable choice # would be the CamelCase version of your plugin gem name. # <%= plugin_name %> => <%= module_name %> module <%= module_name %> 
@@ -26,7 +26,7 @@ module InspecPlugins # major versions. class Plugin < ::Inspec.plugin(2) # Internal machine name of the plugin. InSpec will use this in errors, etc. - plugin_name :'<%= plugin_name %>' + plugin_name :"<%= plugin_name %>" <% if hooks[:cli_command] %> # Define a new CLI subcommand. @@ -43,7 +43,7 @@ module InspecPlugins # functionality. # For example, InSpec will activate this hook when `inspec help` is # executed, so that this plugin's usage message will be included in the help. - require '<%= plugin_name %>/cli_command' + require "<%= plugin_name %>/cli_command" # Having loaded our functionality, return a class that will let the # CLI engine tap into it. @@ -59,7 +59,7 @@ module InspecPlugins # Calling this hook doesn't mean the reporter is being executed - just # that we should be ready to do so. So, load the file that defines the # functionality. - require '<%= plugin_name %>/reporter' + require "<%= plugin_name %>/reporter" # Having loaded our functionality, return a class that will let the # reporting engine tap into it. diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.erb similarity index 100% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/reporter.erb 
diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.erb similarity index 87% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.erb index b739ed48b..7b0b6d7cc 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.erb @@ -3,6 +3,6 @@ # to learn the current version. module InspecPlugins module <%= module_name %> - VERSION = '0.1.0'.freeze + VERSION = "0.1.0".freeze end end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.erb similarity index 89% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.erb index b1c705c19..3567944ff 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/functional/inspec_plugin_template_test.erb 
@@ -4,11 +4,11 @@ # Functional tests generally do not have inside knowledge of how the plugin works. # Include our test harness -require_relative '../helper' +require_relative "../helper" # Because InSpec is a Spec-style test suite, we're going to use Minitest::Spec # here, for familiar look and feel. However, this isn't InSpec (or RSpec) code. -describe 'inspec list-resources core' do +describe "inspec list-resources core" do # Our helper.rb locates this library from the InSpec install that # Bundler installed for us. If we want its methods, we still must # import it. Including it here will make it available in all child @@ -40,7 +40,7 @@ describe 'inspec list-resources core' do # A selection of core resources, just spot checking. # This is an example of using Ruby to define sets of tests. - ['process', 'service', 'user', 'file'].each do |resource_name| + %w(process service user file).each do |resource_name| it "should mention the '#{resource_name}' resource" do outcome.stdout.must_include(resource_name) end @@ -48,7 +48,7 @@ describe 'inspec list-resources core' do # Check for the summary it "should mention the summary" do - outcome.stdout.must_include('resources total') + outcome.stdout.must_include("resources total") end end @@ -63,12 +63,12 @@ describe 'inspec list-resources core' do it("should be silent on stderr") { outcome.stderr.must_be_empty } # Here, we want to know it DID match some things, and NOT some others. - ['user', 'users'].each do |resource_name| + %w(user users).each do |resource_name| it "should mention the '#{resource_name}' resource" do outcome.stdout.must_include(resource_name) end end - ['process', 'service', 'file'].each do |resource_name| + %w(process service file).each do |resource_name| it "should NOT mention the '#{resource_name}' resource" do outcome.stdout.wont_include(resource_name) end 
@@ -89,14 +89,14 @@ describe 'inspec list-resources core' do # Check for the summary it "should mention a zero-resource summary" do - outcome.stdout.must_include('0 resources total') + outcome.stdout.must_include("0 resources total") end end # Exercise the summary option, which defaults to 'true'. describe "when run with the no-summary flag" do # Alter the command string to include the no-summary option - let(:outcome) { run_inspec_process_with_this_plugin('listresources core --no-summary') } + let(:outcome) { run_inspec_process_with_this_plugin("listresources core --no-summary") } # Should be well-behaved... it("should exit successfully") { assert_exit_code 0, outcome } @@ -104,7 +104,7 @@ describe 'inspec list-resources core' do # Check for the summary it "should NOT mention summary" do - outcome.stdout.wont_include('0 resources total') + outcome.stdout.wont_include("0 resources total") end end end diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.erb similarity index 87% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.erb index 328a75273..1b68f72ea 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/helper.erb 
@@ -6,11 +6,11 @@ # InSpec core provides a number of such libraries and facilities, in the file # lib/plugins/shared/core_plugin_test_helper.rb . So, one job in this file is # to locate and load that file. -require 'inspec/../plugins/shared/core_plugin_test_helper' +require "inspec/../plugins/shared/core_plugin_test_helper" # Also load the InSpec plugin system. We need this so we can unit-test the plugin # classes, which will rely on the plugin system. -require 'inspec/plugin/v2' +require "inspec/plugin/v2" # Caution: loading all of InSpec (i.e. require 'inspec') may cause interference with # minitest/spec; one symptom would be appearing to have no tests. @@ -19,6 +19,6 @@ require 'inspec/plugin/v2' # You can select from a number of test harnesses. Since InSpec uses Spec-style controls # in profile code, you will probably want to use something like minitest/spec, which provides # Spec-style tests. -require 'minitest/autorun' # loads all styles and runs tests automatically +require "minitest/autorun" # loads all styles and runs tests automatically # You might want to put some debugging tools here. We run tests to find bugs, after all. diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.erb similarity index 92% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.erb index 68b4c92e8..7015130f8 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/cli_args_test.erb 
@@ -2,10 +2,10 @@ # <%= plugin_name %> are correct. # Include our test harness -require_relative '../helper' +require_relative "../helper" # Load the class under test, the CliCommand definition. -require '<%= plugin_name %>/cli_command' +require "<%= plugin_name %>/cli_command" # Because InSpec is a Spec-style test suite, we're going to use Minitest::Spec # here, for familiar look and feel. However, this isn't InSpec (or RSpec) code. @@ -24,10 +24,10 @@ describe InspecPlugins::<%= module_name %>::CliCommand do # modify and add to the lines below to test your actual options. # This is a Hash of Structs that tells us details of options for the 'do_something' subcommand. - let(:do_something_options) { cli_class.all_commands['do_something'].options } + let(:do_something_options) { cli_class.all_commands["do_something"].options } # To group tests together, you can nest 'describe' in minitest/spec - describe 'the do-something subcommand' do + describe "the do-something subcommand" do # Some tests through here use minitest Expectations, which attach to all # Objects, and begin with 'must' (positive) or 'wont' (negative) diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.rb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb similarity index 94% rename from lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.rb rename to lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb index 84c4841b2..5b291b127 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.rb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb 
@@ -2,10 +2,10 @@ # the inspec-resource-lister plugin is configured correctly. # Include our test harness -require_relative '../helper' +require_relative "../helper" # Load the class under test, the Plugin definition. -require '<%= plugin_name %>/plugin' +require "<%= plugin_name %>/plugin" # Because InSpec is a Spec-style test suite, we're going to use Minitest::Spec # here, for familiar look and feel. However, this isn't InSpec (or RSpec) code. @@ -16,7 +16,7 @@ describe InspecPlugins::<%= module_name %>::Plugin do # can reference easily. # Internally, plugins are always known by a Symbol name. Convert here. - let(:plugin_name) { :'<%= plugin_name %>' } + let(:plugin_name) { :"<%= plugin_name %>" } # The Registry knows about all plugins that ship with InSpec by # default, as well as any that are installed by the user. When a From 39303635e9bd8c089d4e5e96e332baf6b691239e Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 21 May 2021 18:51:08 +0530 Subject: [PATCH 198/483] Fix failing test Signed-off-by: Vasu1105 --- .../functional/inspec_init_plugin_test.rb | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb b/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb index bca345f0a..bebd48c16 100644 --- a/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb +++ b/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb 
@@ -45,28 +45,28 @@ class InitPluginCli < Minitest::Test File.join(plugin, "Gemfile") => [], # No interpolation File.join(plugin, "Rakefile") => [], # No interpolation File.join(plugin, plugin + ".gemspec") => [ - %r{require '#{plugin}/version'}, - /spec\.name\s+=\s+'#{plugin}'/, + %r{require "#{plugin}/version"}, + /spec\.name\s+=\s+"#{plugin}"/, /spec\.version\s+=\s+InspecPlugins::#{module_name}::VERSION/, /README\.md\s+#{snake_case}\.gemspec\s+Gemfile/, - /spec\.authors\s+=\s+\['Your Name'\]/, - /spec\.email\s+=\s+\['you@example\.com'\]/, - /spec\.summary\s+=\s+'A plugin with a default summary'/, - /spec\.description\s+=\s+''/, - %r{spec\.homepage\s+=\s+'https://github.com/you/#{plugin}'}, - /spec\.license\s+=\s+'Apache-2\.0'/, + /spec\.authors\s+=\s+\["Your Name"\]/, + /spec\.email\s+=\s+\["you@example\.com"\]/, + /spec\.summary\s+=\s+"A plugin with a default summary"/, + /spec\.description\s+=\s+""/, + %r{spec\.homepage\s+=\s+"https://github.com/you/#{plugin}}, + /spec\.license\s+=\s+"Apache-2\.0"/, ], File.join(plugin, "lib", plugin + ".rb") => [ - %r{require\s'#{plugin}/plugin'}, + %r{require\s"#{plugin}/plugin"}, ], File.join(plugin, "lib", plugin, "plugin.rb") => [ - %r{require\s'#{plugin}/version'}, + %r{require\s"#{plugin}/version"}, /\#\s#{plugin}\s=>\s#{module_name}/, /module\s#{module_name}/, - /plugin_name\s+:'#{plugin}'/, + /plugin_name\s+:"#{plugin}"/, # Default assumes one cli hook /cli_command :my_command/, - %r{require\s'#{plugin}/cli_command'}, + %r{require\s"#{plugin}/cli_command"}, /InspecPlugins::#{module_name}::CliCommand/, ], File.join(plugin, "lib", plugin, "version.rb") => [ 
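Review bot: The new homepage pattern `%r{spec\.homepage\s+=\s+"https://github.com/you/#{plugin}}` lost the closing quote that the old single-quoted pattern had, so it no longer checks where the URL ends and would also accept a longer one. Restore it, and escape the dots while there: `%r{spec\.homepage\s+=\s+"https://github\.com/you/#{plugin}"}`. The hash literal these patterns belong to starts and ends outside this hunk.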
@@ -75,8 +75,8 @@ class InitPluginCli < Minitest::Test File.join(plugin, "lib", plugin, "cli_command.rb") => [ /module\sInspecPlugins::#{module_name}/, /\#\smakes\s`inspec\smy-command\s\.\.\.`\swork\./, - /subcommand_desc\s'my_command\s\[COMMAND\]'/, - /\#\sas\s`inspec\smy-command\sdo-something/, + /subcommand_desc\s"my_command\s\[COMMAND\]"/, + /\#\sas\s`inspec\smy-command\sdo-something`/, /\#\sin\s`inspec\shelp\smy-command`/, /\#\sruns\s`inspec\smy-command\sdo-something`./, %r{Edit\slib/#{plugin}/cli_command\.rb\sto\smake\sit\sdo}, @@ -87,12 +87,12 @@ class InitPluginCli < Minitest::Test # Whatever goes here ], File.join(plugin, "test", "unit", "plugin_def_test.rb") => [ - %r{require\s'#{plugin}/plugin'}, + %r{require\s"#{plugin}/plugin"}, /describe InspecPlugins::#{module_name}::Plugin\sdo/, - /let\(:plugin_name\) \{ \:'#{plugin}\' \}/, + /let\(:plugin_name\) \{ \:"#{plugin}\" \}/, ], File.join(plugin, "test", "unit", "cli_args_test.rb") => [ - %r{require '#{plugin}/cli_command'}, + %r{require "#{plugin}/cli_command"}, /describe InspecPlugins::#{module_name}::CliCommand do/, /let\(\:cli_class\) \{ InspecPlugins::#{module_name}::CliCommand \}/, ], 
@@ -150,12 +150,12 @@ class InitPluginCli < Minitest::Test File.join(plugin, "Rakefile") => [], File.join(plugin, plugin + ".gemspec") => [ /spec\.version\s+=\s+InspecPlugins::FunPlugin::VERSION/, - /spec\.authors\s+=\s+\['Bob'\]/, - /spec\.email\s+=\s+\['bob@example\.com'\]/, - /spec\.summary\s+=\s+'A fantastic plugin'/, - /spec\.description\s+=\s+'That you will really like'/, - %r{spec\.homepage\s+=\s+'http://example.com'}, - /spec\.license\s+=\s+'BSD-3-Clause'/, + /spec\.authors\s+=\s+\["Bob"\]/, + /spec\.email\s+=\s+\["bob@example\.com"\]/, + /spec\.summary\s+=\s+"A fantastic plugin"/, + /spec\.description\s+=\s+"That you will really like"/, + %r{spec\.homepage\s+=\s+"http://example.com"}, + /spec\.license\s+=\s+"BSD-3-Clause"/, ], File.join(plugin, "lib", plugin + ".rb") => [], File.join(plugin, "lib", plugin, "plugin.rb") => [], From ee6fd1b15822f0fd80869c469dbb654d3b1a8137 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 14:53:48 +0530 Subject: [PATCH 199/483] Fix multiline descripition issue of not parsing the data correctly Signed-off-by: Vasu1105 --- .../inspec-plugin-template/inspec-plugin-template.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec index ff6670c8e..9449ba8a7 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec @@ -18,7 +18,7 @@ Gem::Specification.new do |spec| spec.authors = ["<%= author_name %>"] spec.email = ["<%= author_email %>"] spec.summary = "<%= summary %>" - spec.description = "<%= description %>" + spec.description = "<%= description.join(" ")%>" spec.homepage = "<%= homepage %>" spec.license = "<%= license_name %>" 
From 14906ec1cd79caaa448813668ed5a369540ba961 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 15:33:15 +0530 Subject: [PATCH 200/483] Update inspec init plugin to deprecate --hook option and replace it with --activators. Make alias for backword compatibility Signed-off-by: Vasu1105 --- .../inspec-init/lib/inspec-init/cli_plugin.rb | 47 +++++++++++-------- .../lib/inspec-plugin-template/plugin.erb | 18 +++---- .../test/unit/README.md | 2 +- .../test/unit/plugin_def_test.erb | 4 +- 4 files changed, 39 insertions(+), 32 deletions(-) diff --git a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb index 06227fcec..f22758bb8 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb @@ -17,7 +17,8 @@ module InspecPlugins option :description, type: :string, default: "", desc: "Multi-line description of the plugin" option :summary, type: :string, default: "A plugin with a default summary", desc: "One-line summary of your plugin" option :license_name, type: :string, default: "Apache-2.0", desc: "The name of a license" - option :hook, type: :array, default: ["cli_command:my_command"], desc: "A list of plugin hooks, in the form type1:name1, type2:name2, etc" + option :activator, type: :array, default: ["cli_command:my_command"], desc: "A list of plugin activator, in the form type1:name1, type2:name2, etc" + option :hook, type: :array, desc: "Legacy name for --activator - Deprecated." # These vars have calculated defaults option :homepage, type: :string, default: nil, desc: "A URL for your project, often a GitHub link" option :module_name, type: :string, default: nil, desc: "Module Name for your plugin package. Will change plugin name to CamelCase by default." 
@@ -29,6 +30,12 @@ module InspecPlugins plugin_type = determine_plugin_type(plugin_name) snake_case = plugin_name.tr("-", "_") + # Handle deprecation of option --hook + unless options[:hook].nil? + Inspec::Log.warn("Use --activator on the command line instead of --hook. --hook options will be deprecated in future.") + options[:activator] = options.delete(:hook) + end + template_vars = { name: plugin_name, plugin_name: plugin_name, @@ -41,7 +48,7 @@ module InspecPlugins templates_path: TEMPLATES_PATH, overwrite: options[:overwrite], file_rename_map: make_rename_map(plugin_type, plugin_name, snake_case), - skip_files: make_skip_list(template_vars["hooks"].keys), + skip_files: make_skip_list(template_vars["activator"].keys), } renderer = InspecPlugins::Init::Renderer.new(ui, render_opts) @@ -96,7 +103,7 @@ module InspecPlugins ui.error("You requested interactive prompting for the template variables, but this does not seem to be an interactive terminal.") ui.exit(:usage_error) end - vars.merge(parse_hook_option(options[:hook])) + vars.merge(parse_activator_option(options[:activator])) end def vars_from_defaults @@ -124,7 +131,7 @@ module InspecPlugins ], }, homepage: { default_setter: proc { options[:homepage] ||= "https://github.com/" + options[:author_email].split("@").first + "/" + options[:plugin_name] } }, - # TODO: Handle hooks, when we ever have more than one type of plugin + # TODO: Handle activator, when we ever have more than one type of plugin } prompt_for_options(order) 
@@ -156,26 +163,26 @@ module InspecPlugins end end - def parse_hook_option(raw_option) - hooks_by_type = {} + def parse_activator_option(raw_option) + activator_by_type = {} raw_option.each do |entry| parts = entry.split(":") type = parts.first.to_sym name = parts.last - if hooks_by_type.key?(type) - ui.error "The InSpec plugin generator can currently only generate one hook of each type" + if activator_by_type.key?(type) + ui.error "The InSpec plugin generator can currently only generate one activator of each type" ui.exit(:usage_error) end - hooks_by_type[type] = name + activator_by_type[type] = name end - vars = { hooks: hooks_by_type } - if hooks_by_type.key?(:cli_command) - vars[:command_name_dashes] = hooks_by_type[:cli_command].tr("_", "-") - vars[:command_name_snake] = hooks_by_type[:cli_command].tr("-", "_") - elsif hooks_by_type.key?(:reporter) - vars[:reporter_name_dashes] = hooks_by_type[:reporter].tr("_", "-") - vars[:reporter_name_snake] = hooks_by_type[:reporter].tr("-", "_") + vars = { activator: activator_by_type } + if activator_by_type.key?(:cli_command) + vars[:command_name_dashes] = activator_by_type[:cli_command].tr("_", "-") + vars[:command_name_snake] = activator_by_type[:cli_command].tr("-", "_") + elsif activator_by_type.key?(:reporter) + vars[:reporter_name_dashes] = activator_by_type[:reporter].tr("_", "-") + vars[:reporter_name_snake] = activator_by_type[:reporter].tr("-", "_") end vars end @@ -213,7 +220,7 @@ module InspecPlugins end end - def make_skip_list(requested_hooks) + def make_skip_list(requested_activator) skips = [] case options[:detail] when "full" # rubocop: disable Lint/EmptyWhen 
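Review bot: `parse_activator_option` accepts any entry without checking it: an entry with no colon makes the type and the name the same string, an unknown type is stored and then ignored, and the name is later written unquoted into the generated plugin (`cli_command :<%= command_name_snake %> do`), where anything other than a plain identifier yields a file that does not parse as intended. Reject entries whose type is not one the generator has templates for, or whose name is not an identifier, before calling `to_sym`. Separately, the `elsif` leaves `reporter_name_dashes` and `reporter_name_snake` unset when both a `cli_command` and a `reporter` activator are requested, although the error message implies one of each type is allowed; two independent `if`s fix that.

```ruby
      def parse_activator_option(raw_option)
        activator_by_type = {}
        raw_option.each do |entry|
          type_text, name, extra = entry.split(":")
          known_type = %w{cli_command reporter}.include?(type_text)
          plain_name = name.to_s.match?(/\A[A-Za-z][A-Za-z0-9_-]*\z/)
          unless extra.nil? && known_type && plain_name
            ui.error "Activators must be given as type:name, with type cli_command or reporter; got '#{entry}'"
            ui.exit(:usage_error)
          end
          type = type_text.to_sym
          # … unchanged: duplicate-type check and activator_by_type[type] = name …
        end

        vars = { activator: activator_by_type }
        if activator_by_type.key?(:cli_command)
          # … unchanged: command_name_dashes / command_name_snake …
        end
        if activator_by_type.key?(:reporter)
          # … unchanged: reporter_name_dashes / reporter_name_snake …
        end
        vars
      end
```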
@@ -247,15 +254,15 @@ module InspecPlugins ui.exit(:usage_error) end - # Remove hook-specific files - unless requested_hooks.include?(:cli_command) + # Remove activator-specific files + unless requested_activator.include?(:cli_command) skips += [ File.join("lib", "inspec-plugin-template", "cli_command.erb"), File.join("test", "unit", "cli_args_test.erb"), File.join("test", "functional", "inspec_plugin_template_test.erb"), ] end - unless requested_hooks.include?(:reporter) + unless requested_activator.include?(:reporter) skips += [ File.join("lib", "inspec-plugin-template", "reporter.erb"), ] diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb index 6bea32e3e..e541b1c15 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb @@ -1,6 +1,6 @@ # Plugin Definition file # The purpose of this file is to declare to InSpec what plugin_types (capabilities) -# are included in this plugin, and provide hooks that will load them as needed. +# are included in this plugin, and provide activator that will load them as needed. # It is important that this file load successfully and *quickly*. # Your plugin's functionality may never be used on this InSpec run; so we keep things 
@@ -20,7 +20,7 @@ module InspecPlugins # This simple class handles the plugin definition, so calling it simply Plugin is OK. # Inspec.plugin returns various Classes, intended to be superclasses for various # plugin components. Here, the one-arg form gives you the Plugin Definition superclass, - # which mainly gives you access to the hook / plugin_type DSL. + # which mainly gives you access to the activator / plugin_type DSL. # The number '2' says you are asking for version 2 of the plugin API. If there are # future versions, InSpec promises plugin API v2 will work for at least two more InSpec # major versions. @@ -28,20 +28,20 @@ module InspecPlugins # Internal machine name of the plugin. InSpec will use this in errors, etc. plugin_name :"<%= plugin_name %>" - <% if hooks[:cli_command] %> + <% if activator[:cli_command] %> # Define a new CLI subcommand. # The argument here will be used to match against the command line args, - # and if the user said `inspec list-resources`, this hook will get called. - # Notice that you can define multiple hooks with different names, and they + # and if the user said `inspec list-resources`, this activator will get called. + # Notice that you can define multiple activator with different names, and they # don't have to match the plugin name. # We'd like this to be list-resources, but Thor does not support hyphens # see https://github.com/erikhuda/thor/pull/613 cli_command :<%= command_name_snake %> do - # Calling this hook doesn't mean the subcommand is being executed - just + # Calling this activator doesn't mean the subcommand is being executed - just # that we should be ready to do so. So, load the file that defines the # functionality. - # For example, InSpec will activate this hook when `inspec help` is + # For example, InSpec will activate this activator when `inspec help` is # executed, so that this plugin's usage message will be included in the help. require "<%= plugin_name %>/cli_command" 
@@ -51,12 +51,12 @@ module InspecPlugins end <% end %> - <% if hooks[:reporter] %> + <% if activator[:reporter] %> # Define a new Reporter. # The argument here will be used to match against the CLI --reporter option. # `--reporter <%= reporter_name_snake %>` will load your reporter and call its renderer. reporter :<%= reporter_name_snake %> do - # Calling this hook doesn't mean the reporter is being executed - just + # Calling this activator doesn't mean the reporter is being executed - just # that we should be ready to do so. So, load the file that defines the # functionality. require "<%= plugin_name %>/reporter" diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md index 090b57494..24cfb1b01 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md @@ -3,7 +3,7 @@ ## What Tests are Provided? * plugin_def_test.rb - Would be useful in any plugin. Verifies that the plugin is properly detected and registered. - <% if hooks.key?(:cli_command) %> + <% if activator.key?(:cli_command) %> * cli_args_test.rb - Tests the CLI options for a CLI Command plugin <% end %> diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb index 5b291b127..d3c6aaff7 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/plugin_def_test.erb 
@@ -43,9 +43,9 @@ describe InspecPlugins::<%= module_name %>::Plugin do status.api_generation.must_equal(2) end - # Plugins can support several different activator hooks, each of which has a type. + # Plugins can support several different activator, each of which has a type. # Since this is (primarily) a CliCommand plugin, we'd expect to see that among our types. - it "should include a cli_command activator hook" do + it "should include a cli_command activator" do status.plugin_types.must_include(:cli_command) end end From cb573e605074672a8bd2b8efc4a3c8039b039e68 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 15:45:35 +0530 Subject: [PATCH 201/483] Fix typo Signed-off-by: Vasu1105 --- lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb index f22758bb8..68c102acd 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb @@ -32,7 +32,7 @@ module InspecPlugins # Handle deprecation of option --hook unless options[:hook].nil? - Inspec::Log.warn("Use --activator on the command line instead of --hook. --hook options will be deprecated in future.") + Inspec::Log.warn("Use --activator on the command line instead of --hook. --hook option will be deprecated in future.") options[:activator] = options.delete(:hook) end From a3feab0943439a6bd10d65529b9572e0c56dfb0f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 16:50:37 +0530 Subject: [PATCH 202/483] Handles string for for descripiton parsing Signed-off-by: Vasu1105 --- .../inspec-plugin-template/inspec-plugin-template.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec index 9449ba8a7..81c21f42f 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec @@ -18,7 +18,7 @@ Gem::Specification.new do |spec| spec.authors = ["<%= author_name %>"] spec.email = ["<%= author_email %>"] spec.summary = "<%= summary %>" - spec.description = "<%= description.join(" ")%>" + spec.description = "<%= description.is_a?(Array) ? description.join(" "): description %>" spec.homepage = "<%= homepage %>" spec.license = "<%= license_name %>" From 6a45164e87703f61902fc8372d8e5da0255d4ad7 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 18:05:18 +0530 Subject: [PATCH 203/483] Updated to use Inspec.deprecate instead of log to deprecate the --hook option Signed-off-by: Vasu1105 --- etc/deprecations.json | 5 +++++ lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/deprecations.json b/etc/deprecations.json index 7f35fae31..f062e40af 100644 --- a/etc/deprecations.json +++ b/etc/deprecations.json @@ -120,6 +120,11 @@ "object_classes": { "action": "warn", "suffix": "These classes will be removed in InSpec 5.0." + }, + "cli_option_hook":{ + "action": "warn", + "prefix": "The --hook option is being replaced by the --activator option.", + "suffix": "This options will be removed in InSpec 4.0." } } } diff --git a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb index 68c102acd..efd66d143 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb 
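Review bot: The `spec.description` line still drops the user-supplied text raw between double quotes, so a description containing `"` or `#{` produces a gemspec that fails to parse or evaluates embedded Ruby when the gemspec is loaded. The new `is_a?(Array)` branch fixes the String case but leaves the quoting as it was. Let ERB emit a properly escaped literal instead: `spec.description = <%= (description.is_a?(Array) ? description.join(" ") : description).inspect %>`. The neighbouring `summary`, `authors`, `email` and `homepage` lines in the context use the same raw-in-quotes pattern and would benefit from the same treatment. The `Gem::Specification.new` block continues outside the hunk.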
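Review bot: The `suffix` of the new `cli_option_hook` group says the option will be removed in InSpec 4.0, but the version files elsewhere on this page are already at 4.37.x, so the message names a release that has already shipped. The neighbouring `object_classes` entry targets 5.0; if that is also the intent here, the line should read `"suffix": "This option will be removed in InSpec 5.0."`, which also fixes the "This options" wording. The added `"cli_option_hook":{` is missing the space after the colon that the other group keys use.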
@@ -32,7 +32,7 @@ module InspecPlugins # Handle deprecation of option --hook unless options[:hook].nil? - Inspec::Log.warn("Use --activator on the command line instead of --hook. --hook option will be deprecated in future.") + Inspec.deprecate "cli_option_hook" options[:activator] = options.delete(:hook) end From 0d1c82dae2dfa4aad13b47c2ff3fddc1a8198def Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 24 May 2021 18:46:20 +0530 Subject: [PATCH 204/483] Dev docs for inspec init plugin Signed-off-by: Vasu1105 --- dev-docs/inspec-init-plugin.md | 54 +++++++++++++++++++ .../functional/inspec_init_plugin_test.rb | 2 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 dev-docs/inspec-init-plugin.md diff --git a/dev-docs/inspec-init-plugin.md b/dev-docs/inspec-init-plugin.md new file mode 100644 index 000000000..bdb8bbe48 --- /dev/null +++ b/dev-docs/inspec-init-plugin.md 
@@ -0,0 +1,54 @@ +# About `inspec init plugin` cli command + +## Purpose + +`inspec init plugin` generates the scaffold of InSpec plugin, which can extend the functionality of InSpec itself. + +## Operational Notes + +### Generating InSpec Plugin + + `inspec init plugin --help` + + ``` + Usage: + inspec init plugin PLUGIN_NAME [options] + + Options: + [--prompt], [--no-prompt] # Interactively prompt for information to put in your generated plugin. + # Default: true + [--detail=DETAIL] # How detailed of a plugin to generate. 'full' is a normal full gem with tests; 'core' has tests but no gemspec; 'test-fixture' is stripped down for a test fixture. + # Default: full + [--author-email=AUTHOR_EMAIL] # Author Email for gemspec + # Default: you@example.com + [--author-name=AUTHOR_NAME] # Author Name for gemspec + # Default: Your Name + [--description=DESCRIPTION] # Multi-line description of the plugin + [--summary=SUMMARY] # One-line summary of your plugin + # Default: A plugin with a default summary + [--license-name=LICENSE_NAME] # The name of a license + # Default: Apache-2.0 + [--activator=one two three] # A list of plugin activator, in the form type1:name1, type2:name2, etc + # Default: ["cli_command:my_command"] + [--hook=one two three] # Legacy name for --activator - Deprecated. + [--homepage=HOMEPAGE] # A URL for your project, often a GitHub link + [--module-name=MODULE_NAME] # Module Name for your plugin package. Will change plugin name to CamelCase by default. + [--copyright=COPYRIGHT] # A copyright statement, to be added to LICENSE + [--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error + [--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error) + + Generates an InSpec plugin, which can extend the functionality of InSpec itself. + ``` +### Options + `inspec init plugin` command requires few details about the plugin to be added. 
This can be added using command line prompt or by passing them as the options like for e.g `--author-name`,`--author-email`, `--description`, --module-name etc. + + `--detail` This option can be used to skip generation of test files or gemspec file. Available values `full`, `core` or `test-fixture`. + + `--activator` Available activator type are `cli_command` and `reporter`. The default activator type is "cli_command". + Usage: `inspec init pluign --activator "cli_command:my_test"` + `OR` + `inspec init plugin --activator "reporter:my_reporter"` + + **Note:** The InSpec plugin generator can currently only generate one activator of each type. + + `--hook` Legacy name for `--activator` - Deprecated. diff --git a/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb b/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb index bebd48c16..51a444eff 100644 --- a/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb +++ b/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb @@ -64,7 +64,7 @@ class InitPluginCli < Minitest::Test /\#\s#{plugin}\s=>\s#{module_name}/, /module\s#{module_name}/, /plugin_name\s+:"#{plugin}"/, - # Default assumes one cli hook + # Default assumes one cli activator /cli_command :my_command/, %r{require\s"#{plugin}/cli_command"}, /InspecPlugins::#{module_name}::CliCommand/, From 6ce9c042321a0d75dc7ca9b587c1ce64a16273a2 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 25 May 2021 17:47:46 +0530 Subject: [PATCH 205/483] Check added for automate server 2 for server presence Signed-off-by: Nikita Mathur --- .../inspec-compliance/lib/inspec-compliance/api.rb | 10 +++++++++- lib/plugins/inspec-compliance/test/unit/api_test.rb | 9 +++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb index 8b067bd3b..bc2b7bf2b 100644 
--- a/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +++ b/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb @@ -24,7 +24,11 @@ module InspecPlugins # the username of the account is used that is logged in def self.profiles(config, profile_filter = nil) # rubocop:disable Metrics/PerceivedComplexity, Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength owner = config["owner"] || config["user"] - url = "#{config["server"]}/compliance/profiles/search" + if is_automate2_server?(config) + url = "#{config["server"]}/compliance/profiles/search" + else + raise ServerConfigurationMissing + end headers = get_headers(config) if profile_filter @@ -210,6 +214,10 @@ module InspecPlugins config["version"]["version"] end + + def self.is_automate2_server?(config) + config["server_type"] == "automate2" + end end end end diff --git a/lib/plugins/inspec-compliance/test/unit/api_test.rb b/lib/plugins/inspec-compliance/test/unit/api_test.rb index 61a932133..0194d0656 100644 --- a/lib/plugins/inspec-compliance/test/unit/api_test.rb +++ b/lib/plugins/inspec-compliance/test/unit/api_test.rb @@ -208,4 +208,13 @@ describe InspecPlugins::Compliance::API do _(InspecPlugins::Compliance::API.exist?(config, "admin/missing-in-action")).must_equal false end end + + describe "when the config has a automate2 server_type" do + it "automate server 2 is? methods return correctly" do + config = InspecPlugins::Compliance::Configuration.new + config.clean + config["server_type"] = "automate2" + _(InspecPlugins::Compliance::API.is_automate2_server?(config)).must_equal true + end + end end From 849536a63a345bc414103091555f85e70d16ed69 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 26 May 2021 06:21:50 +0530 Subject: [PATCH 206/483] Minor updates rename activator to activators in some places 
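Review bot: The added test only covers the `true` path of `is_automate2_server?`; nothing asserts that `profiles` raises `ServerConfigurationMissing` when `server_type` is absent or holds another value, which is the behaviour this commit introduces. A second `it` that cleans the config, leaves `server_type` unset and expects the raise would pin it. In `profiles` the `if`/`else` reads more directly as a guard, `raise ServerConfigurationMissing unless is_automate2_server?(config)`, followed by the unchanged `url = ...` line. Ruby predicate methods normally drop the `is_` prefix (`automate2_server?`). Whether the other API entry points need the same guard cannot be judged from here, because the body of `profiles` and the rest of the class lie outside the hunk.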
Signed-off-by: Vasu1105 --- .../inspec-init/lib/inspec-init/cli_plugin.rb | 32 +++++++++---------- .../lib/inspec-plugin-template/plugin.erb | 6 ++-- .../test/unit/README.md | 2 +- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb index efd66d143..524cd5ebd 100644 --- a/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +++ b/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb @@ -17,7 +17,7 @@ module InspecPlugins option :description, type: :string, default: "", desc: "Multi-line description of the plugin" option :summary, type: :string, default: "A plugin with a default summary", desc: "One-line summary of your plugin" option :license_name, type: :string, default: "Apache-2.0", desc: "The name of a license" - option :activator, type: :array, default: ["cli_command:my_command"], desc: "A list of plugin activator, in the form type1:name1, type2:name2, etc" + option :activator, type: :array, default: ["cli_command:my_command"], desc: "A list of plugin activators, in the form type1:name1, type2:name2, etc" option :hook, type: :array, desc: "Legacy name for --activator - Deprecated." # These vars have calculated defaults option :homepage, type: :string, default: nil, desc: "A URL for your project, often a GitHub link" @@ -48,7 +48,7 @@ module InspecPlugins templates_path: TEMPLATES_PATH, overwrite: options[:overwrite], file_rename_map: make_rename_map(plugin_type, plugin_name, snake_case), - skip_files: make_skip_list(template_vars["activator"].keys), + skip_files: make_skip_list(template_vars["activators"].keys), } renderer = InspecPlugins::Init::Renderer.new(ui, render_opts) 
@@ -131,7 +131,7 @@ module InspecPlugins ], }, homepage: { default_setter: proc { options[:homepage] ||= "https://github.com/" + options[:author_email].split("@").first + "/" + options[:plugin_name] } }, - # TODO: Handle activator, when we ever have more than one type of plugin + # TODO: Handle activators, when we ever have more than one type of plugin } prompt_for_options(order) @@ -164,25 +164,25 @@ module InspecPlugins end def parse_activator_option(raw_option) - activator_by_type = {} + activators_by_type = {} raw_option.each do |entry| parts = entry.split(":") type = parts.first.to_sym name = parts.last - if activator_by_type.key?(type) + if activators_by_type.key?(type) ui.error "The InSpec plugin generator can currently only generate one activator of each type" ui.exit(:usage_error) end - activator_by_type[type] = name + activators_by_type[type] = name end - vars = { activator: activator_by_type } - if activator_by_type.key?(:cli_command) - vars[:command_name_dashes] = activator_by_type[:cli_command].tr("_", "-") - vars[:command_name_snake] = activator_by_type[:cli_command].tr("-", "_") - elsif activator_by_type.key?(:reporter) - vars[:reporter_name_dashes] = activator_by_type[:reporter].tr("_", "-") - vars[:reporter_name_snake] = activator_by_type[:reporter].tr("-", "_") + vars = { activators: activators_by_type } + if activators_by_type.key?(:cli_command) + vars[:command_name_dashes] = activators_by_type[:cli_command].tr("_", "-") + vars[:command_name_snake] = activators_by_type[:cli_command].tr("-", "_") + elsif activators_by_type.key?(:reporter) + vars[:reporter_name_dashes] = activators_by_type[:reporter].tr("_", "-") + vars[:reporter_name_snake] = activators_by_type[:reporter].tr("-", "_") end vars end @@ -220,7 +220,7 @@ module InspecPlugins end end - def make_skip_list(requested_activator) + def make_skip_list(requested_activators) skips = [] case options[:detail] when "full" # rubocop: disable Lint/EmptyWhen 
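Review bot: In `parse_activator_option` the `reporter_name_*` variables are set only in the `elsif` branch, so a request naming both a `cli_command` and a `reporter` activator passes the one-per-type check but never defines `reporter_name_snake`. The `plugin.erb` template in this same commit renders `reporter :<%= reporter_name_snake %>` whenever `activators[:reporter]` is set, so that combination would presumably fail at render time. Turning the `elsif activators_by_type.key?(:reporter)` into an independent `if activators_by_type.key?(:reporter)` block populates both sets of names. The `entry.split(":")` line also accepts any type string and converts it with `to_sym`; checking the type against the supported list (`cli_command`, `reporter`) and raising a usage error otherwise would give a clearer failure than a silently skipped template.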
@@ -255,14 +255,14 @@ module InspecPlugins end # Remove activator-specific files - unless requested_activator.include?(:cli_command) + unless requested_activators.include?(:cli_command) skips += [ File.join("lib", "inspec-plugin-template", "cli_command.erb"), File.join("test", "unit", "cli_args_test.erb"), File.join("test", "functional", "inspec_plugin_template_test.erb"), ] end - unless requested_activator.include?(:reporter) + unless requested_activators.include?(:reporter) skips += [ File.join("lib", "inspec-plugin-template", "reporter.erb"), ] diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb index e541b1c15..e9a40136a 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.erb @@ -28,11 +28,11 @@ module InspecPlugins # Internal machine name of the plugin. InSpec will use this in errors, etc. plugin_name :"<%= plugin_name %>" - <% if activator[:cli_command] %> + <% if activators[:cli_command] %> # Define a new CLI subcommand. # The argument here will be used to match against the command line args, # and if the user said `inspec list-resources`, this activator will get called. - # Notice that you can define multiple activator with different names, and they + # Notice that you can define multiple activators with different names, and they # don't have to match the plugin name. # We'd like this to be list-resources, but Thor does not support hyphens 
@@ -51,7 +51,7 @@ module InspecPlugins end <% end %> - <% if activator[:reporter] %> + <% if activators[:reporter] %> # Define a new Reporter. # The argument here will be used to match against the CLI --reporter option. # `--reporter <%= reporter_name_snake %>` will load your reporter and call its renderer. diff --git a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md index 24cfb1b01..3f08a114e 100644 --- a/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md +++ b/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/test/unit/README.md @@ -3,7 +3,7 @@ ## What Tests are Provided? * plugin_def_test.rb - Would be useful in any plugin. Verifies that the plugin is properly detected and registered. - <% if activator.key?(:cli_command) %> + <% if activators.key?(:cli_command) %> * cli_args_test.rb - Tests the CLI options for a CLI Command plugin <% end %> From b7d765584acafee35ec54056bb224e2eefd9f36e Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 26 May 2021 22:09:42 +0000 Subject: [PATCH 207/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 23 ++++++++++------------- Dockerfile | 2 +- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 466e487cd..038e880f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,22 +1,20 @@ # Change Log - -## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-20) - -#### Merged Pull Requests -- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.37.17 release - -#### Merged Pull Requests -- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) -- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) + +## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-26) + +#### Merged Pull Requests +- Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) +- Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) +- Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-20) #### Enhancements 
@@ -31,7 +29,6 @@ - Changes returns nil on file non-existence through matcher `more_permissive_than` [#5519](https://github.com/inspec/inspec/pull/5519) ([Nik08](https://github.com/Nik08)) - Update control-eval Readme docs. [#5516](https://github.com/inspec/inspec/pull/5516) ([Vasu1105](https://github.com/Vasu1105)) - Added Common Errors page doc [#5517](https://github.com/inspec/inspec/pull/5517) ([Nik08](https://github.com/Nik08)) - ## [v4.37.8](https://github.com/inspec/inspec/tree/v4.37.8) (2021-05-12) diff --git a/Dockerfile b/Dockerfile index 3c6b0767c..2c9e05dee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.17 +ARG VERSION=4.37.20 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 3eea2b055a670ba48f39a57391b89107e599db88 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 31 May 2021 21:38:30 +0530 Subject: [PATCH 208/483] Fix related to loading dependent profiles from a profile in shell Signed-off-by: Nikita Mathur --- lib/inspec/fetcher/local.rb | 2 +- lib/inspec/fetcher/mock.rb | 8 +++++--- .../shell-inheritance/controls/example.rb | 2 ++ .../dependencies/shell-inheritance/inspec.yml | 12 ++++++++++++ test/functional/helper.rb | 1 + test/functional/inspec_shell_test.rb | 19 +++++++++++++++++++ 6 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 test/fixtures/profiles/dependencies/shell-inheritance/controls/example.rb create mode 100644 test/fixtures/profiles/dependencies/shell-inheritance/inspec.yml diff --git a/lib/inspec/fetcher/local.rb b/lib/inspec/fetcher/local.rb index 61fe4f5cb..eeeeb3be7 100644 --- a/lib/inspec/fetcher/local.rb +++ b/lib/inspec/fetcher/local.rb @@ -3,7 +3,7 @@ require "openssl" unless defined?(OpenSSL) module Inspec::Fetcher class Local < Inspec.fetcher(1) name "local" - priority 0 + priority 1 def self.resolve(target) if target.is_a?(String) 
diff --git a/lib/inspec/fetcher/mock.rb b/lib/inspec/fetcher/mock.rb index e45247e4a..e951127c5 100644 --- a/lib/inspec/fetcher/mock.rb +++ b/lib/inspec/fetcher/mock.rb @@ -6,9 +6,11 @@ module Inspec::Fetcher priority 0 def self.resolve(target) - return nil unless target.is_a? Hash - - new(target) + if (target.is_a? Hash) && ((target.keys & %i{cwd path backend}).empty?) + new(target) + else + nil + end end def initialize(data) diff --git a/test/fixtures/profiles/dependencies/shell-inheritance/controls/example.rb b/test/fixtures/profiles/dependencies/shell-inheritance/controls/example.rb new file mode 100644 index 000000000..98d3b5748 --- /dev/null +++ b/test/fixtures/profiles/dependencies/shell-inheritance/controls/example.rb @@ -0,0 +1,2 @@ +include_controls 'profile_a' +include_controls 'profile_b' \ No newline at end of file diff --git a/test/fixtures/profiles/dependencies/shell-inheritance/inspec.yml b/test/fixtures/profiles/dependencies/shell-inheritance/inspec.yml new file mode 100644 index 000000000..6c3aecceb --- /dev/null +++ b/test/fixtures/profiles/dependencies/shell-inheritance/inspec.yml @@ -0,0 +1,12 @@ +name: Shell Inheritance +title: InSpec example of using inheritance profile in shell +maintainer: Chef Software, Inc. +copyright: Chef Software, Inc. +copyright_email: support@chef.io +license: Apache 2 license +version: 1.0.0 +depends: + - name: profile_a + path: test/fixtures/profiles/dependencies/profile_a + - name: profile_b + path: test/fixtures/profiles/dependencies/profile_b diff --git a/test/functional/helper.rb b/test/functional/helper.rb index 65217b46c..c46d3dede 100644 --- a/test/functional/helper.rb +++ b/test/functional/helper.rb 
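Review bot: The new condition in `Mock.resolve` has no comment saying why hashes carrying `cwd`, `path` or `backend` are declined, and it only works together with the `priority 1` change in `local.rb`, so the coupling is easy to break later. Something like `# Hashes with :cwd/:path/:backend describe a real dependency; leave them to the local fetcher` above the `if` would record the intent. The intersection compares against symbols only, so if any caller hands over string keys the mock fetcher would still claim the target; `target.keys.map(&:to_sym)` covers that if it can happen. The explicit `else nil` is redundant and the method reads shorter as `return nil unless target.is_a?(Hash) && (target.keys & %i{cwd path backend}).empty?` followed by `new(target)`.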
@@ -34,6 +34,7 @@ module FunctionalHelper let(:meta_profile) { File.join(examples_path, "meta-profile") } let(:example_control) { File.join(example_profile, "controls", "example-tmp.rb") } let(:inheritance_profile) { File.join(examples_path, "inheritance") } + let(:shell_inheritance_profile) { File.join(repo_path, "test", "fixtures", "profiles", "dependencies", "shell-inheritance") } let(:failure_control) { File.join(profile_path, "failures", "controls", "failures.rb") } let(:simple_inheritance) { File.join(profile_path, "simple-inheritance") } let(:sensitive_profile) { File.join(examples_path, "profile-sensitive") } diff --git a/test/functional/inspec_shell_test.rb b/test/functional/inspec_shell_test.rb index 324796d55..07ff1b9e3 100644 --- a/test/functional/inspec_shell_test.rb +++ b/test/functional/inspec_shell_test.rb @@ -49,6 +49,16 @@ describe "inspec shell tests" do assert_exit_code 0, res end + it "loads a profile and its dependencies" do + res = inspec("shell -c 'example_config' --depends #{shell_inheritance_profile}") + + _(res.stdout.chop).must_equal "example_config" + + _(res.stderr).must_equal "" + + assert_exit_code 0, res + end + it "confirm file caching is disabled" do out = assert_shell_c("inspec.backend.cache_enabled?(:file)", 0) @@ -243,6 +253,15 @@ describe "inspec shell tests" do assert_exit_code 0, res end + it "loads a profile and its dependencies" do + cmd = "echo 'example_config' | #{exec_inspec} shell --depends #{shell_inheritance_profile}" + res = CMD.run_command(cmd) + + _(res.stdout).must_include "=> example_config" + + assert_exit_code 0, res + end + it "displays the target device information for the user without requiring the help command" do out = do_shell("1+1") _(out.stdout).must_include "You are currently running on:" From 003bee3036cc993af01f33a4d4ad0a87713926c5 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 31 May 2021 22:08:01 +0000 Subject: [PATCH 209/483] Bump version to 4.37.21 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 038e880f0..9c58cbeb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.37.21](https://github.com/inspec/inspec/tree/v4.37.21) (2021-05-31) + +#### Merged Pull Requests +- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) - + +### Changes since 4.37.20 release + +#### Merged Pull Requests +- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index bdfb3271e..29de05a58 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.20 \ No newline at end of file +4.37.21 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 64635ec7d..d3af37921 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.20".freeze + VERSION = "4.37.21".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index ad7e0334f..c3eee18bb 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.20".freeze + VERSION = "4.37.21".freeze end From a855c7a5557937cdfd33b3c393ae8ea38a3d5307 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 31 May 2021 22:39:46 +0000 Subject: [PATCH 210/483] Bump version to 4.37.22 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c58cbeb2..e7c906b7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.21](https://github.com/inspec/inspec/tree/v4.37.21) (2021-05-31) + +## [v4.37.22](https://github.com/inspec/inspec/tree/v4.37.22) (2021-05-31) #### Merged Pull Requests -- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) +- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.20 release #### Merged Pull Requests +- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) - Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 29de05a58..4347dbddb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.21 \ No newline at end of file +4.37.22 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d3af37921..5550958d4 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.21".freeze + VERSION = "4.37.22".freeze end 
diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index c3eee18bb..dd00d219d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.21".freeze + VERSION = "4.37.22".freeze end From 99116a12a31437a3cb8ffb458bf7fafc942967cc Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 31 May 2021 22:49:25 +0000 Subject: [PATCH 211/483] Bump version to 4.37.23 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e7c906b7c..501ea03e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.22](https://github.com/inspec/inspec/tree/v4.37.22) (2021-05-31) + +## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-05-31) #### Merged Pull Requests -- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) +- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.20 release #### Merged Pull Requests +- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) - Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 4347dbddb..ed28195ac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.22 \ No newline at end of file +4.37.23 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 5550958d4..d879b1fed 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.22".freeze + VERSION = "4.37.23".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index dd00d219d..fde041f53 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.22".freeze + VERSION = "4.37.23".freeze end From a0680e72e17f0f18630c2d6305600c9ef83826ec Mon Sep 17 00:00:00 2001 From: Jeff Blaine Date: Tue, 1 Jun 2021 17:30:24 -0400 Subject: [PATCH 212/483] sshd_config for daemon, not client - typo --- docs-chef-io/content/inspec/resources/sshd_config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/sshd_config.md b/docs-chef-io/content/inspec/resources/sshd_config.md index 59d945249..cdd5cdeb9 100644 --- a/docs-chef-io/content/inspec/resources/sshd_config.md +++ b/docs-chef-io/content/inspec/resources/sshd_config.md @@ -25,7 +25,7 @@ This resource first became available in v1.0.0 of InSpec. ## Syntax -An `sshd_config` resource block declares the client OpenSSH configuration data to be tested: +An `sshd_config` resource block declares the OpenSSH daemon configuration data to be tested: describe sshd_config('path') do its('name') { should include('foo') } From 79308dbeccd350903a43d11846bd6bff3860f882 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 1 Jun 2021 17:18:17 -0700 Subject: [PATCH 213/483] Minor reformatting for dev-docs/inspec-init-plugin Signed-off-by: Ian Maddaus --- dev-docs/inspec-init-plugin.md | 61 +++++++++++++++++----------------- 1 file changed, 31 insertions(+), 30 deletions(-) 
diff --git a/dev-docs/inspec-init-plugin.md b/dev-docs/inspec-init-plugin.md index bdb8bbe48..e8879a08e 100644 --- a/dev-docs/inspec-init-plugin.md +++ b/dev-docs/inspec-init-plugin.md @@ -1,4 +1,4 @@ -# About `inspec init plugin` cli command +# About `inspec init plugin` CLI command ## Purpose 
@@ -8,39 +8,40 @@ ### Generating InSpec Plugin - `inspec init plugin --help` +`inspec init plugin --help` - ``` - Usage: - inspec init plugin PLUGIN_NAME [options] +``` +Usage: + inspec init plugin PLUGIN_NAME [options] - Options: - [--prompt], [--no-prompt] # Interactively prompt for information to put in your generated plugin. - # Default: true - [--detail=DETAIL] # How detailed of a plugin to generate. 'full' is a normal full gem with tests; 'core' has tests but no gemspec; 'test-fixture' is stripped down for a test fixture. - # Default: full - [--author-email=AUTHOR_EMAIL] # Author Email for gemspec - # Default: you@example.com - [--author-name=AUTHOR_NAME] # Author Name for gemspec - # Default: Your Name - [--description=DESCRIPTION] # Multi-line description of the plugin - [--summary=SUMMARY] # One-line summary of your plugin - # Default: A plugin with a default summary - [--license-name=LICENSE_NAME] # The name of a license - # Default: Apache-2.0 - [--activator=one two three] # A list of plugin activator, in the form type1:name1, type2:name2, etc - # Default: ["cli_command:my_command"] - [--hook=one two three] # Legacy name for --activator - Deprecated. - [--homepage=HOMEPAGE] # A URL for your project, often a GitHub link - [--module-name=MODULE_NAME] # Module Name for your plugin package. Will change plugin name to CamelCase by default. - [--copyright=COPYRIGHT] # A copyright statement, to be added to LICENSE - [--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error - [--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error) +Options: + [--prompt], [--no-prompt] # Interactively prompt for information to put in your generated plugin. + # Default: true + [--detail=DETAIL] # How detailed of a plugin to generate. 'full' is a normal full gem with tests; 'core' has tests but no gemspec; 'test-fixture' is stripped down for a test fixture. 
+ # Default: full + [--author-email=AUTHOR_EMAIL] # Author Email for gemspec + # Default: you@example.com + [--author-name=AUTHOR_NAME] # Author Name for gemspec + # Default: Your Name + [--description=DESCRIPTION] # Multi-line description of the plugin + [--summary=SUMMARY] # One-line summary of your plugin + # Default: A plugin with a default summary + [--license-name=LICENSE_NAME] # The name of a license + # Default: Apache-2.0 + [--activator=one two three] # A list of plugin activator, in the form type1:name1, type2:name2, etc + # Default: ["cli_command:my_command"] + [--hook=one two three] # Legacy name for --activator - Deprecated. + [--homepage=HOMEPAGE] # A URL for your project, often a GitHub link + [--module-name=MODULE_NAME] # Module Name for your plugin package. Will change plugin name to CamelCase by default. + [--copyright=COPYRIGHT] # A copyright statement, to be added to LICENSE + [--log-level=LOG_LEVEL] # Set the log level: info (default), debug, warn, error + [--log-location=LOG_LOCATION] # Location to send diagnostic log messages to. (default: $stdout or Inspec::Log.error) + +Generates an InSpec plugin, which can extend the functionality of InSpec itself. +``` - Generates an InSpec plugin, which can extend the functionality of InSpec itself. - ``` ### Options - `inspec init plugin` command requires few details about the plugin to be added. This can be added using command line prompt or by passing them as the options like for e.g `--author-name`,`--author-email`, `--description`, --module-name etc. + `inspec init plugin` command requires few details about the plugin to be added. This can be added using command line prompt or by passing them as the options like for e.g `--author-name`,`--author-email`, `--description`, `--module-name`, etc. `--detail` This option can be used to skip generation of test files or gemspec file. Available values `full`, `core` or `test-fixture`. From 99ae095c66b59fddd9534a3fe0841b18047b384a Mon Sep 17 00:00:00 2001 
From: Clinton Wolfe Date: Tue, 1 Jun 2021 22:48:10 -0400 Subject: [PATCH 214/483] Initial attempt at an isql-base sybase_session resource, with many rough edges remaining Signed-off-by: Clinton Wolfe --- lib/inspec/resources/sybase_session.rb | 78 ++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 lib/inspec/resources/sybase_session.rb diff --git a/lib/inspec/resources/sybase_session.rb b/lib/inspec/resources/sybase_session.rb new file mode 100644 index 000000000..b7557e61c --- /dev/null +++ b/lib/inspec/resources/sybase_session.rb 
@@ -0,0 +1,78 @@ +require "inspec/resources/command" +require "inspec/utils/database_helpers" +require "hashie/mash" +require "csv" unless defined?(CSV) + +module Inspec::Resources + # STABILITY: Experimental + # This resource needs further testing and refinement + # + class SybaseSession < Inspec.resource(1) + name "sybase_session" + supports platform: "unix" + # supports platform: "windows" # TODO + desc "Use the sybasedb_session InSpec resource to test commands against an Sybase database" + example <<~EXAMPLE + sql = sybasedb_session(username: 'my_user', password: 'password', server: 'SYBASE', database: 'pubs2') + describe sql.query(\"SELECT * FROM authors\").row(0).column('au_lname') do + its('value') { should eq 'Smith' } + end + EXAMPLE + + # TODO: allow to set -I interfaces file + # TODO: allow to customize -s column separator + attr_reader :bin, :col_sep, :database, :password, :server, :sybase_home, :username + + def initialize(opts = {}) + @username = opts[:username] + @password = opts[:password] + @database = opts[:database] + @server = opts[:server] + @sybase_home = opts[:sybase_home] || "/opt/sap" + @bin = opts[:bin] || "isql" + @col_sep = "|" + + fail_resource "Can't run Sybase checks without authentication" unless (username && password) + fail_resource "You must provide a server name for the session" unless server + fail_resource "You must provide a database name for the session" unless database + fail_resource "Cannot find #{bin} CLI tool" unless inspec.command(bin).exist? + end + + def query(sql) + # We must write the SQl to a temp file on the remote target + # try to get a temp path + sql_file_path = "/tmp/sybase_tmp_sql" # TODO: use tempfile utility if available + + # TODO: replace echos with a a train upload command if possible. 
+ # echos are senstive to shell interpolation, such as the asterisk in SELECT * + res = inspec.command("echo #{sql} > #{sql_file_path}").exit_status # TODO: handle + res = inspec.command("echo go >> #{sql_file_path}").exit_status # TODO: handle + + # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil. + command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}" + inspec_cmd = inspec.command(command) + + # TODO: isql is ill-behaved, and returns 0 on error + # TODO: check sdterr for errors on 0 return + # TODO: check stdout for error messages when stderr is empty "Msg 102, Level 15, State 181:\nServer 'SYBASE', Line 1:\nIncorrect syntax near '.'.\n" + res = inspec_cmd.exit_status # TODO: handle + res = inspec.command("rm #{sql_file_path}").exit_status # TODO: handle + DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + end + + def to_s + "Sybase Session" + end + + private + + def parse_csv_result(stdout) + output = stdout.sub(/\r/, "").strip + # TODO: remove second header row + # TODO: remove trailing blank line and summary line (23 rows affected) + header_converter = ->(header) { header.downcase.strip } + field_converter = ->(field) { field&.strip } + CSV.parse(output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } + end + end +end From 7d91371d9f99e87e9f7d963ace0049c2e0038248 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 2 Jun 2021 15:35:23 +0530 Subject: [PATCH 215/483] Fix mysql_session resource to handle the exceptions if the mysql session is not established. Currently it does not raise any exception due to which the inspec test gives false result 
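Review bot: `query` interpolates caller-supplied values into shell commands unquoted: `echo #{sql} > #{sql_file_path}` lets the target shell expand or reinterpret anything in the SQL text (the comment above it already notes the asterisk case), and `-P \"#{password}\"` breaks on a password containing `"`, `$` or a backtick. The password is also handed to isql on the command line without a `redact_regex:`, unlike the `inspec.command(mysql_cmd, redact_regex: …)` call in mysql_session, so it may end up in command strings shown in output. The fixed path `/tmp/sybase_tmp_sql` is shared by every run and user on the target, so concurrent sessions overwrite each other's SQL, and a file or link already present at that name is written through. The later sybase_session hunk `@@ -45,19 +45,27 @@` keeps these same lines. A sketch using `Shellwords.escape` (the file would need `require "shellwords"`) and a per-run file from `mktemp` follows; the isql call would additionally need a `redact_regex:` covering the `-P` argument.

```ruby
def query(sql)
  # mktemp creates a uniquely named, private file on the target
  sql_file_path = inspec.command("mktemp").stdout.strip
  inspec.command("echo #{Shellwords.escape(sql)} > #{sql_file_path}").exit_status # TODO: handle
  # … unchanged: append "go" to the file …
  command = "LANG=en_US.UTF-8 SYBASE=#{Shellwords.escape(sybase_home)} #{bin} " \
            "-s#{Shellwords.escape(col_sep)} -w80000 -S #{Shellwords.escape(server)} " \
            "-U #{Shellwords.escape(username)} -D #{Shellwords.escape(database)} " \
            "-P #{Shellwords.escape(password)} < #{sql_file_path}"
  # … unchanged: run isql, remove the file, build the SQLQueryResult …
```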
Signed-off-by: Vasu1105 --- lib/inspec/resources/mysql_session.rb | 12 ++++++++++-- test/unit/resources/mysql_session_test.rb | 11 +++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/inspec/resources/mysql_session.rb b/lib/inspec/resources/mysql_session.rb index 8f24b6510..895ce3305 100644 --- a/lib/inspec/resources/mysql_session.rb +++ b/lib/inspec/resources/mysql_session.rb @@ -44,10 +44,12 @@ module Inspec::Resources @port = port @socket = socket init_fallback if user.nil? || pass.nil? - skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? || @pass.nil? + raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil? + set_connection end def query(q, db = "") + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if self.resource_failed? mysql_cmd = create_mysql_cmd(q, db) cmd = if !@pass.nil? inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/) @@ -56,7 +58,7 @@ module Inspec::Resources end out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error:.*/ - Lines.new(out, "MySQL query with errors: #{q}", cmd.exit_status) + raise Inspec::Exceptions::ResourceFailed, "MySQL query with errors: #{out}" else Lines.new(cmd.stdout.strip, "MySQL query: #{q}", cmd.exit_status) end @@ -68,6 +70,12 @@ module Inspec::Resources private + # Querying on the database to make sure conneciton can be established. If not this will set the resource exception + # message which we raise before querying on the database using mysql_session object. + def set_connection + query("show databases") + end + def escape_string(query) Shellwords.escape(query) end diff --git a/test/unit/resources/mysql_session_test.rb b/test/unit/resources/mysql_session_test.rb index 1347e3867..f65c93a63 100644 --- a/test/unit/resources/mysql_session_test.rb 
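Review bot: The new `raise Inspec::Exceptions::ResourceFailed, "MySQL query with errors: #{out}"` in `query` (hunk `@@ -56,7 +58,7 @@`) puts the combined stdout and stderr of the mysql client into the exception message and drops the exit status that the old `Lines` result carried. Because the condition also fires when any output line starts with `error:`, stdout can hold ordinary result rows at that point, and they would presumably travel with the failure message into whatever report the run produces. Consider reporting only what identifies the failure, e.g. `"MySQL query with errors (exit #{cmd.exit_status}): #{cmd.stderr.strip}"`. The postgres_session hunk `@@ -45,14 +45,19 @@` makes the same change with `"PostgreSQL query with errors: #{out}"`. `query` starts before this hunk, so callers that relied on the old return value are not visible here.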
+++ b/test/unit/resources/mysql_session_test.rb @@ -26,4 +26,15 @@ describe "Inspec::Resources::MysqlSession" do expected_to_s = %q{Command: `mysql -uroot -pREDACTED -h localhost -s -e "SELECT 1 FROM DUAL;"`} _(resource.to_s).must_equal(expected_to_s) end + it "fails when no user, password" do + resource = load_resource("mysql_session", nil, nil, "localhost", 3306) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run MySQL SQL checks without authentication." + end + it "failes when no connection established" do + resource = load_resource("mysql_session", "root", "root", "localhost", 3306) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_include "MySQL query with errors" + end + end From 0cf4d3dcf4f033d703a2c958c10151b79246ef2f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 2 Jun 2021 16:01:06 +0530 Subject: [PATCH 216/483] Fix linter Signed-off-by: Vasu1105 --- lib/inspec/resources/mysql_session.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/inspec/resources/mysql_session.rb b/lib/inspec/resources/mysql_session.rb index 895ce3305..916262bc7 100644 --- a/lib/inspec/resources/mysql_session.rb +++ b/lib/inspec/resources/mysql_session.rb @@ -45,11 +45,13 @@ module Inspec::Resources @socket = socket init_fallback if user.nil? || pass.nil? raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil? + set_connection end def query(q, db = "") raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if self.resource_failed? + mysql_cmd = create_mysql_cmd(q, db) cmd = if !@pass.nil? inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/) From 7da5c4aec31d041fefa6209d28de324aeb53f1a6 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 2 Jun 2021 22:06:58 -0400 Subject: [PATCH 217/483] Add error handling and output handling to sybase_session 
Signed-off-by: Clinton Wolfe --- lib/inspec/resources/sybase_session.rb | 35 ++++++++++++++++---------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/lib/inspec/resources/sybase_session.rb b/lib/inspec/resources/sybase_session.rb index b7557e61c..70bd3415d 100644 --- a/lib/inspec/resources/sybase_session.rb +++ b/lib/inspec/resources/sybase_session.rb @@ -32,7 +32,7 @@ module Inspec::Resources @bin = opts[:bin] || "isql" @col_sep = "|" - fail_resource "Can't run Sybase checks without authentication" unless (username && password) + fail_resource "Can't run Sybase checks without authentication" unless username && password fail_resource "You must provide a server name for the session" unless server fail_resource "You must provide a database name for the session" unless database fail_resource "Cannot find #{bin} CLI tool" unless inspec.command(bin).exist? 
@@ -45,19 +45,27 @@ module Inspec::Resources # TODO: replace echos with a a train upload command if possible. # echos are senstive to shell interpolation, such as the asterisk in SELECT * - res = inspec.command("echo #{sql} > #{sql_file_path}").exit_status # TODO: handle - res = inspec.command("echo go >> #{sql_file_path}").exit_status # TODO: handle + inspec.command("echo #{sql} > #{sql_file_path}").exit_status # TODO: handle + inspec.command("echo go >> #{sql_file_path}").exit_status # TODO: handle # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil. command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}" - inspec_cmd = inspec.command(command) + isql_cmd = inspec.command(command) - # TODO: isql is ill-behaved, and returns 0 on error - # TODO: check sdterr for errors on 0 return - # TODO: check stdout for error messages when stderr is empty "Msg 102, Level 15, State 181:\nServer 'SYBASE', Line 1:\nIncorrect syntax near '.'.\n" - res = inspec_cmd.exit_status # TODO: handle - res = inspec.command("rm #{sql_file_path}").exit_status # TODO: handle - DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + # Check for isql errors + res = isql_cmd.exit_status + raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0 + # isql is ill-behaved, and returns 0 on error + raise Inspec::Exceptions::ResourceFailed.new("isql exited with error '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless isql_cmd.stderr == "" + # check stdout for error messages when stderr is empty "Msg 102, Level 15, State 181:\nServer 'SYBASE', Line 1:\nIncorrect syntax near '.'.\n" + raise Inspec::Exceptions::ResourceFailed.new("isql exited with error #{isql_cmd.stdout}") if 
isql_cmd.stdout.match?(/Msg\s\d+,\sLevel\s\d+,\sState\s\d+/) + + # Clean up temporary file + rm_cmd = inspec.command("rm #{sql_file_path}") + res = rm_cmd.exit_status # TODO: handle + raise Inspec::Exceptions::ResourceFailed.new("Unable to delete temproary SQL input file at #{sql_file_path}: #{rm_cmd.stderr}") unless res == 0 + + DatabaseHelper::SQLQueryResult.new(isql_cmd, parse_csv_result(isql_cmd.stdout)) end def to_s @@ -68,11 +76,12 @@ module Inspec::Resources def parse_csv_result(stdout) output = stdout.sub(/\r/, "").strip - # TODO: remove second header row - # TODO: remove trailing blank line and summary line (23 rows affected) + lines = output.lines + # Remove second row (all dashes) and last two rows (blank and summary line) + trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("\n") header_converter = ->(header) { header.downcase.strip } field_converter = ->(field) { field&.strip } - CSV.parse(output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } + CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } end end end From 4000749e956b9d6310bbb17d14d360d130cbaf8b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 3 Jun 2021 12:48:02 +0530 Subject: [PATCH 218/483] Comment added to explain usage of priority in fetchers Signed-off-by: Nikita Mathur --- lib/inspec/fetcher/local.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/inspec/fetcher/local.rb b/lib/inspec/fetcher/local.rb index eeeeb3be7..65e7d08b4 100644 --- a/lib/inspec/fetcher/local.rb +++ b/lib/inspec/fetcher/local.rb 
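Review bot: The three `raise Inspec::Exceptions::ResourceFailed` checks run before the `rm`, so every failed query leaves the SQL text behind in `/tmp/sybase_tmp_sql` on the target. Moving the isql call and its checks into a `begin` block, with `inspec.command("rm #{sql_file_path}")` in its `ensure` clause, removes the file on both paths. The exit statuses of the two `echo` writes are still discarded (`# TODO: handle`), so a failed write is only noticed indirectly through isql's output. The `# TODO: handle` left on `res = rm_cmd.exit_status` is stale now that the next line handles it.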
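Review bot: In `parse_csv_result`, `output.lines` keeps each line's trailing newline, so `.join("\n")` puts an empty line between every row; unless CSV is given `skip_blanks: true`, those may come back as empty rows and shift what `row(0)` returns. `[lines[0]] << lines.slice(2..-3)` also nests the slice as a single element and only works because `join` flattens, and `slice` returns `nil` when the output has a single line. `trimmed_output = ([lines[0]] + Array(lines.slice(2..-3))).join` avoids all three. The fixed `2..-3` window assumes isql always prints the dashes row and a two-line footer, which deserves a comment showing a sample of the expected output.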
@@ -4,6 +4,7 @@ module Inspec::Fetcher class Local < Inspec.fetcher(1) name "local" priority 1 + # Priority is used for setting precedence of fetchers. And registry plugin(v1) decides which fetcher to use for loading profiles by using this priority def self.resolve(target) if target.is_a?(String) From 3d31bbf09be16862cc84202b2aee8087d1030fe7 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 3 Jun 2021 19:02:43 +0530 Subject: [PATCH 219/483] Fixed typo Signed-off-by: Vasu1105 --- test/unit/resources/mysql_session_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/mysql_session_test.rb b/test/unit/resources/mysql_session_test.rb index f65c93a63..decfc246d 100644 --- a/test/unit/resources/mysql_session_test.rb +++ b/test/unit/resources/mysql_session_test.rb @@ -31,7 +31,7 @@ describe "Inspec::Resources::MysqlSession" do _(resource.resource_failed?).must_equal true _(resource.resource_exception_message).must_equal "Can't run MySQL SQL checks without authentication." end - it "failes when no connection established" do + it "fails when no connection established" do resource = load_resource("mysql_session", "root", "root", "localhost", 3306) _(resource.resource_failed?).must_equal true _(resource.resource_exception_message).must_include "MySQL query with errors" From c801a03b88225704ac57ba7c31a870220fba75d9 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 3 Jun 2021 19:11:25 +0530 Subject: [PATCH 220/483] Fix postgres_session resource to raise exception if database connection is not established due to any reason or there is error with query Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_session.rb | 11 ++++++++++- test/unit/resources/postgres_session_test.rb | 10 ++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 6261a8b87..55fdd6ccd 100644 --- a/lib/inspec/resources/postgres_session.rb 
+++ b/lib/inspec/resources/postgres_session.rb @@ -45,14 +45,19 @@ module Inspec::Resources @pass = pass @host = host || "localhost" @port = port || 5432 + raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? + + set_connection end def query(query, db = []) + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if self.resource_failed? + psql_cmd = create_psql_cmd(query, db) cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/) out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/ - Lines.new(out, "PostgreSQL query with errors: #{query}") + raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}" else Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}") end @@ -60,6 +65,10 @@ module Inspec::Resources private + def set_connection + query('\du') + end + def escaped_query(query) Shellwords.escape(query) end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index b2b8d44c2..2df7e39b1 100644 --- a/test/unit/resources/postgres_session_test.rb +++ b/test/unit/resources/postgres_session_test.rb 
@@ -28,4 +28,14 @@ describe "Inspec::Resources::PostgresSession" do resource = load_resource("postgres_session", "myuser", "mypass") _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h localhost -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end + it "fails when no user, password" do + resource = load_resource("postgres_session", nil, nil, "localhost", 5432) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication." + end + it "fails when no connection established" do + resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_include "PostgreSQL query with errors" + end end From 6395137a5d061bc8ebd0ecd8405650da21fc6bfc Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 3 Jun 2021 19:24:44 +0530 Subject: [PATCH 221/483] Removed unwanted self Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_session.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 55fdd6ccd..66af08e95 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -51,7 +51,7 @@ module Inspec::Resources end def query(query, db = []) - raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if self.resource_failed? + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? psql_cmd = create_psql_cmd(query, db) cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/) From 53df45a9237387de7022e1be095735c0732fd5b3 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 3 Jun 2021 19:31:11 +0530 Subject: [PATCH 222/483] Removed redundant self 
Signed-off-by: Vasu1105 --- lib/inspec/resources/mysql_session.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/mysql_session.rb b/lib/inspec/resources/mysql_session.rb index 916262bc7..29c0687b5 100644 --- a/lib/inspec/resources/mysql_session.rb +++ b/lib/inspec/resources/mysql_session.rb @@ -50,7 +50,7 @@ module Inspec::Resources end def query(q, db = "") - raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if self.resource_failed? + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? mysql_cmd = create_mysql_cmd(q, db) cmd = if !@pass.nil? From 5c3a9fd470cb416db6cc6d2d93cdfda7ea8ded9a Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 3 Jun 2021 19:57:59 +0000 Subject: [PATCH 223/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 23 ++++++++++------------- Dockerfile | 2 +- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 501ea03e6..e1e3f963d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,29 +1,26 @@ # Change Log - -## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-05-31) - -#### Merged Pull Requests -- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.37.20 release - -#### Merged Pull Requests -- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) -- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) + +## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-06-03) + +#### Merged Pull Requests +- Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) +- Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) +- Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-26) #### Merged Pull Requests - Added new automate doc link for login tokens in `inspec automate login --help` command [#5529](https://github.com/inspec/inspec/pull/5529) ([Nik08](https://github.com/Nik08)) - Bugfix for `inspec detect --no-color` to not return colourful output [#5530](https://github.com/inspec/inspec/pull/5530) ([Nik08](https://github.com/Nik08)) - Drop EOL Ubuntu 16.04, build on 18.04 [#5532](https://github.com/inspec/inspec/pull/5532) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.37.17](https://github.com/inspec/inspec/tree/v4.37.17) (2021-05-20) 
diff --git a/Dockerfile b/Dockerfile index 2c9e05dee..f478a4bad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.20 +ARG VERSION=4.37.23 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From ea935ca2c11daa3c9a7f23dc09d5187b61651c41 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 3 Jun 2021 22:57:55 +0000 Subject: [PATCH 224/483] Bump version to 4.37.24 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1e3f963d..5b652f1c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.37.24](https://github.com/inspec/inspec/tree/v4.37.24) (2021-06-03) + +#### Merged Pull Requests +- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) - + +### Changes since 4.37.23 release + +#### Merged Pull Requests +- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) diff --git a/VERSION b/VERSION index ed28195ac..ddfcee373 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.23 \ No newline at end of file +4.37.24 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d879b1fed..b6693d6fd 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.23".freeze + VERSION = "4.37.24".freeze end 
diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index fde041f53..6b3a3bce0 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.23".freeze + VERSION = "4.37.24".freeze end From 52c4fe586a064531398ef84971f0fbd0d4b39f0d Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Fri, 4 Jun 2021 03:25:05 +0000 Subject: [PATCH 225/483] Bump version to 4.37.25 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b652f1c3..92d1267b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.24](https://github.com/inspec/inspec/tree/v4.37.24) (2021-06-03) + +## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-04) #### Merged Pull Requests -- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) +- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.23 release #### Merged Pull Requests +- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) - sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) diff --git a/VERSION b/VERSION index ddfcee373..32637b540 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.24 \ No newline at end of file +4.37.25 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index b6693d6fd..3f38d3271 100644 
--- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.24".freeze + VERSION = "4.37.25".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6b3a3bce0..cef8be56c 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.24".freeze + VERSION = "4.37.25".freeze end From db72bb402e2b8a40c3a39d04ff8de9b112ba79d3 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Fri, 4 Jun 2021 03:28:22 +0000 Subject: [PATCH 226/483] Bump version to 4.37.26 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92d1267b8..7367ce281 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-04) + +## [v4.37.26](https://github.com/inspec/inspec/tree/v4.37.26) (2021-06-04) #### Merged Pull Requests -- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) +- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) ### Changes since 4.37.23 release #### Merged Pull Requests +- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) - Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) - sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) diff --git a/VERSION b/VERSION index 32637b540..d04fc9e07 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.25 \ No newline at end of file +4.37.26 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 3f38d3271..9fed9309d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.25".freeze + VERSION = "4.37.26".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index cef8be56c..5809e1cd1 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.25".freeze + VERSION = "4.37.26".freeze end From 38206d80e8363061994a9a21b346c8e7ec435977 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 4 Jun 2021 11:21:01 +0530 Subject: [PATCH 227/483] Fixed review comments 
Signed-off-by: Vasu1105 --- lib/inspec/resources/mysql_session.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/inspec/resources/mysql_session.rb b/lib/inspec/resources/mysql_session.rb index 29c0687b5..aad231c80 100644 --- a/lib/inspec/resources/mysql_session.rb +++ b/lib/inspec/resources/mysql_session.rb @@ -46,7 +46,7 @@ module Inspec::Resources init_fallback if user.nil? || pass.nil? raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil? - set_connection + test_connection end def query(q, db = "") @@ -74,8 +74,8 @@ module Inspec::Resources # Querying on the database to make sure conneciton can be established. If not this will set the resource exception # message which we raise before querying on the database using mysql_session object. - def set_connection - query("show databases") + def test_connection + query("select now()") end def escape_string(query) From 3a37a6f766d0ce3be4d359a578e721252ca7efd9 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 4 Jun 2021 11:41:23 +0530 Subject: [PATCH 228/483] Fixed review comments Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_session.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 66af08e95..8d122588b 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -47,7 +47,7 @@ module Inspec::Resources @port = port || 5432 raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? - set_connection + test_connection end def query(query, db = []) @@ -65,8 +65,8 @@ module Inspec::Resources private - def set_connection - query('\du') + def test_connection + query("select now()") end def escaped_query(query) From 6f4bd2413d1ace255eddeeb75eb30d003ee326e5 Mon Sep 17 00:00:00 2001 
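Review bot: The comment kept above `test_connection` in mysql_session.rb still contains the typo `conneciton` and does not say why a query runs in the constructor. The renamed `test_connection` in postgres_session.rb (second hunk of the following patch) has no comment at all. Both could carry the same line: `# Runs a trivial query when the resource is created so that a connection or authentication failure is reported up front.` The return value of `query` is discarded in both methods, so the check presumably relies on `query` raising on failure. That should be confirmed, since the body of `query` lies outside these hunks.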
From: Vasu1105 Date: Fri, 4 Jun 2021 15:42:14 +0530 Subject: [PATCH 229/483] Fixed failing test Signed-off-by: Vasu1105 --- test/fixtures/profiles/skippy-controls/controls/skipper.rb | 6 ------ test/functional/inspec_exec_junit_test.rb | 2 +- test/functional/inspec_exec_test.rb | 5 ++--- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/test/fixtures/profiles/skippy-controls/controls/skipper.rb b/test/fixtures/profiles/skippy-controls/controls/skipper.rb index 7baf3209a..8fd3e3083 100644 --- a/test/fixtures/profiles/skippy-controls/controls/skipper.rb +++ b/test/fixtures/profiles/skippy-controls/controls/skipper.rb @@ -3,9 +3,3 @@ control 'CONTROL super' do skip 'This will be skipped super intentionally.' end end - -control 'CONTROL database' do - describe mysql_session do - its('something') { should be 3 } - end -end diff --git a/test/functional/inspec_exec_junit_test.rb b/test/functional/inspec_exec_junit_test.rb index a8f17b92f..fd8775564 100644 --- a/test/functional/inspec_exec_junit_test.rb +++ b/test/functional/inspec_exec_junit_test.rb @@ -97,7 +97,7 @@ describe "inspec exec with junit formatter" do _(run_result.stderr).must_equal "" _(schema.validate(doc)).must_be_empty suite = doc.xpath("//testsuite").first - _(suite.attr("skipped")).must_equal "2" + _(suite.attr("skipped")).must_equal "1" testcase = doc.xpath("//testcase").first _(testcase.xpath("//skipped")).wont_be_empty end diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index e3ebad369..b4410ca26 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
@@ -299,8 +299,7 @@ Test Summary: 0 successful, 0 failures, 0 skipped it "exits with an error" do _(stdout).must_include "skippy\n ↺ This will be skipped super intentionally.\n" - _(stdout).must_include " ↺ CONTROL database: MySQL Session\n ↺ Can't run MySQL SQL checks without authentication\n" - _(stdout).must_include "Profile Summary: 0 successful controls, 0 control failures, 2 controls skipped\nTest Summary: 0 successful, 0 failures, 2 skipped\n" + _(stdout).must_include "Profile Summary: 0 successful controls, 0 control failures, 1 control skipped\nTest Summary: 0 successful, 0 failures, 1 skipped\n" _(stderr).must_equal "" @@ -312,7 +311,7 @@ Test Summary: 0 successful, 0 failures, 0 skipped let(:out) { inspec("exec " + File.join(profile_path, "skippy-controls") + " --no-distinct-exit --no-create-lockfile") } it "exits with code 0 and skipped tests in output" do - _(stdout).must_include "Profile Summary: 0 successful controls, 0 control failures, 2 controls skipped\nTest Summary: 0 successful, 0 failures, 2 skipped\n" + _(stdout).must_include "Profile Summary: 0 successful controls, 0 control failures, 1 control skipped\nTest Summary: 0 successful, 0 failures, 1 skipped\n" _(stderr).must_equal "" From 3019c3ccd97577218debdbcf7a977ca4608ab35a Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 8 Jun 2021 17:34:22 -0700 Subject: [PATCH 230/483] Fix relative links Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/glossary.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/glossary.md b/docs-chef-io/content/inspec/glossary.md index 054ecbbec..d0e00838f 100644 --- a/docs-chef-io/content/inspec/glossary.md +++ b/docs-chef-io/content/inspec/glossary.md 
@@ -113,7 +113,7 @@ _'Cadillac'_ is an [expected result](#expected-result). Some matchers take an ex #### its('count') { should _be >=_ 10 } -_be >=_ is an [operator matcher](#operator matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property. +_be >=_ is an [operator matcher](#operator-matcher). It allows you to perform numeric comparisons. All plural resources have a `count` property. ## Text Glossary @@ -129,11 +129,11 @@ The _`control`_ keyword is used to declare a _`control block`_. Here, the word ' ### core resource -A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource pack) to use the resource. +A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource-pack) to use the resource. ### custom resource -A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource pack). +A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource-pack). ### describe @@ -359,7 +359,7 @@ end ### resource-specific matcher -A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal matcher) does. +A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal-matcher) does. Resource-specific matchers often provide highly customized behavior. Check the [resource documentation](#/inspec/resources/) to discover which resource-specific matchers are available for your resource. From 5738112db697cb19daf361a085ee96f1e2c58933 Mon Sep 17 00:00:00 2001 
From: Clinton Wolfe Date: Tue, 8 Jun 2021 23:23:32 -0400 Subject: [PATCH 231/483] Change upload implementation from echo-based to native train-based Signed-off-by: Clinton Wolfe --- lib/inspec/resources/sybase_session.rb | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/lib/inspec/resources/sybase_session.rb b/lib/inspec/resources/sybase_session.rb index 70bd3415d..27678f276 100644 --- a/lib/inspec/resources/sybase_session.rb +++ b/lib/inspec/resources/sybase_session.rb @@ -2,6 +2,7 @@ require "inspec/resources/command" require "inspec/utils/database_helpers" require "hashie/mash" require "csv" unless defined?(CSV) +require "tempfile" unless defined?(Tempfile) module Inspec::Resources # STABILITY: Experimental @@ -41,12 +42,7 @@ module Inspec::Resources def query(sql) # We must write the SQl to a temp file on the remote target # try to get a temp path - sql_file_path = "/tmp/sybase_tmp_sql" # TODO: use tempfile utility if available - - # TODO: replace echos with a a train upload command if possible. - # echos are senstive to shell interpolation, such as the asterisk in SELECT * - inspec.command("echo #{sql} > #{sql_file_path}").exit_status # TODO: handle - inspec.command("echo go >> #{sql_file_path}").exit_status # TODO: handle + sql_file_path = upload_sql_file(sql) # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil. command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}" 
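Review bot: The isql command line kept as context in the `query` hunk still interpolates `sybase_home`, `bin`, `server`, `username`, `database` and `password` into a shell string without escaping, so the shell-interpolation problem this commit removes for the SQL text remains for those values. Quoting each one would close that, for example `-P #{Shellwords.escape(password)}` without the surrounding `\"`, after adding `require "shellwords"`. Because the password is passed as an argument, it can also be visible in the target's process list while isql runs, which is worth stating in the resource documentation. The comment `# try to get a temp path` above the new call no longer describes the line and could read `# Upload the SQL to a temp file on the target; isql reads it from stdin`. The rest of `query` is outside the hunk.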
@@ -83,5 +79,23 @@ module Inspec::Resources field_converter = ->(field) { field&.strip } CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } end + + def upload_sql_file(sql) + remote_temp_dir = "/tmp" + remote_file_path = nil + local_temp_file = Tempfile.new(["sybase", ".sql"]) + begin + local_temp_file.write("#{sql}\n") + local_temp_file.write("go\n") + local_temp_file.flush + filename = File.basename(local_temp_file.path) + remote_file_path = "#{remote_temp_dir}/#{filename}" + inspec.backend.upload([local_temp_file.path], remote_temp_dir) + ensure + local_temp_file.close + local_temp_file.unlink + end + remote_file_path + end end end From 63654e32b95d3abc8cd22bc03880019c24a30271 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 8 Jun 2021 23:33:32 -0400 Subject: [PATCH 232/483] Fix bug in isql output parsing Signed-off-by: Clinton Wolfe --- lib/inspec/resources/sybase_session.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/inspec/resources/sybase_session.rb b/lib/inspec/resources/sybase_session.rb index 27678f276..cd5cdd901 100644 --- a/lib/inspec/resources/sybase_session.rb +++ b/lib/inspec/resources/sybase_session.rb 
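Review bot: `upload_sql_file` deletes the local Tempfile in its `ensure`, but nothing visible removes the uploaded copy, so each query appears to leave a `sybase*.sql` file holding the SQL text in `/tmp` on the target. If `query` does not already clean up (its remainder is outside this diff), remove the file once isql has run, for example `inspec.command("rm #{sql_file_path}").exit_status` in an `ensure` around the isql call. `/tmp` is normally readable by other local users, and the mode of the uploaded file depends on the transport, so the docstring should note that query text may be exposed there. A short comment on `remote_temp_dir = "/tmp"` saying the path is assumed to exist on every supported target would also help.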
@@ -71,10 +71,10 @@ module Inspec::Resources private def parse_csv_result(stdout) - output = stdout.sub(/\r/, "").strip + output = stdout.gsub(/\r/, "").strip lines = output.lines - # Remove second row (all dashes) and last two rows (blank and summary line) - trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("\n") + # Remove second row (all dashes) and last 2 rows (blank and summary lines) + trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("") header_converter = ->(header) { header.downcase.strip } field_converter = ->(field) { field&.strip } CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } From b437a4cd07501ef2ed7a9616b0c2a67363b5ce7a Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 10 Jun 2021 00:39:03 +0000 Subject: [PATCH 233/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 14 +++++++++----- Dockerfile | 2 +- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7367ce281..b10d10a7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
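Review bot: In `parse_csv_result`, `([lines[0]] << lines.slice(2..-3)).join("")` pushes an array (or `nil` for very short output) into another array and relies on `join` flattening it, which is hard to read. `trimmed_output = [lines[0], *lines[2..-3]].join` gives the same string and shows the intent, and `stdout.delete("\r")` is the plainer form of `gsub(/\r/, "")`. The slicing also assumes isql always prints a header, a dashes row and two trailing lines. If isql prints an error message instead, its first line would be treated as the CSV header, so a comment stating that assumption, or a check of the command result before parsing, would help. The method's closing `end` is outside the hunk.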
@@ -7,23 +7,27 @@ - Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) - -### Changes since 4.37.23 release + +### Changes since 4.37.25 release #### Merged Pull Requests - Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) -- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) -- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) +## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-10) + +#### Merged Pull Requests +- sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) +- Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) + + ## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-06-03) #### Merged Pull Requests - Update inspec init plugin [#5536](https://github.com/inspec/inspec/pull/5536) ([Vasu1105](https://github.com/Vasu1105)) - Removed support for compliance and a1 server from InSpec compliance [#5534](https://github.com/inspec/inspec/pull/5534) ([Nik08](https://github.com/Nik08)) - Add Ubuntu to list of FIPS platforms [#5533](https://github.com/inspec/inspec/pull/5533) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.37.20](https://github.com/inspec/inspec/tree/v4.37.20) (2021-05-26) diff --git a/Dockerfile b/Dockerfile index f478a4bad..5570be075 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.23 +ARG VERSION=4.37.25 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 8b351fbd0f6a066922cd2dc2767a01402da55e32 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 10 Jun 2021 00:50:29 +0000 Subject: [PATCH 234/483] Bump version to 4.37.27 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b10d10a7d..216160c19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.37.26](https://github.com/inspec/inspec/tree/v4.37.26) (2021-06-04) + +## [v4.37.27](https://github.com/inspec/inspec/tree/v4.37.27) (2021-06-10) #### Merged Pull Requests -- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) +- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.37.25 release #### Merged Pull Requests +- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) - Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index d04fc9e07..c40de88a4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.26 \ No newline at end of file +4.37.27 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 9fed9309d..bd9bd640c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.26".freeze + VERSION = "4.37.27".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 5809e1cd1..8083d17b1 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.26".freeze + VERSION = "4.37.27".freeze end From 3d69833514243129df727a33927da6d9a2f4771b Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 10 Jun 2021 00:53:27 +0000 Subject: [PATCH 235/483] Bump version to 4.37.28 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 216160c19..6a30182fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.37.27](https://github.com/inspec/inspec/tree/v4.37.27) (2021-06-10) + +## [v4.37.28](https://github.com/inspec/inspec/tree/v4.37.28) (2021-06-10) #### Merged Pull Requests -- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) +- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.37.25 release #### Merged Pull Requests +- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) - Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) - Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index c40de88a4..c4b7d457c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.27 \ No newline at end of file +4.37.28 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index bd9bd640c..0785ceb96 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.27".freeze + VERSION = "4.37.28".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8083d17b1..60ac37376 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.27".freeze + VERSION = "4.37.28".freeze end 
From 13415c9bb9754c1e6aabab94144faa22a346d249 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 9 Jun 2021 21:14:19 -0400 Subject: [PATCH 236/483] Add docs for sybase_session Signed-off-by: Clinton Wolfe --- .../inspec/resources/sybase_session.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/sybase_session.md diff --git a/docs-chef-io/content/inspec/resources/sybase_session.md b/docs-chef-io/content/inspec/resources/sybase_session.md new file mode 100644 index 000000000..567658710 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/sybase_session.md 
@@ -0,0 +1,55 @@ ++++ +title = "sybase_session resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "sybase_session" + identifier = "inspec/resources/os/sybase_session.md sybase_session resource" + parent = "inspec/resources/os" ++++ + +Use the `sybase_session` Chef InSpec audit resource to test SQL commands run against a Sybase / SAP ASE database. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +### Requirements + +The `isql` command line tool must be installed on the target system. + +## Syntax + +A `sybase_session` resource block declares the server, database, username and password to use for the session, and then the command to be run: + + describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'username', password: 'password').query('QUERY').row(0).column('result') do + its('value') { should eq('expected') } + end + +where + +- `sybase_session` declares a server, database, username and password with permission to run the query. +- `query('QUERY')` contains the query to be run +- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test for matching values in the pubs2 sample database + + sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'my_user', password: 'password') + + describe sql.query("SELECT au_lname FROM authors").row(0).column('au_lname') do + its("value") { should eq 'Bennet' } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + From 30980a35ef90d4319972530c3f0c0e0026e95ac4 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 9 Jun 2021 21:51:29 -0400 Subject: [PATCH 237/483] Document bin and sybase_home params 
Signed-off-by: Clinton Wolfe --- .../inspec/resources/sybase_session.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs-chef-io/content/inspec/resources/sybase_session.md b/docs-chef-io/content/inspec/resources/sybase_session.md index 567658710..df8768863 100644 --- a/docs-chef-io/content/inspec/resources/sybase_session.md +++ b/docs-chef-io/content/inspec/resources/sybase_session.md @@ -37,6 +37,35 @@ where - `query('QUERY')` contains the query to be run - `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test +### Optional Parameters + +#### bin + +You may use the `bin` parameter to specify the path to the `isql` cli tool. + + describe sybase_session(database: 'pubs2', + server: 'SYBASE', + username: 'username', + password: 'password', + bin: '/opt/sap/OCS-16_0/bin/isql', + ).query('QUERY').row(0).column('result') do + its('value') { should eq('expected') } + end + + +#### sybase_home + +You may use the `sybase_home` parameter to specify the path to the sybase installation. + + describe sybase_session(database: 'pubs2', + server: 'SYBASE', + username: 'username', + password: 'password', + sybase_home: '/opt/sap', + ).query('QUERY').row(0).column('result') do + its('value') { should eq('expected') } + end + ## Examples The following examples show how to use this Chef InSpec audit resource. From 4e9c8b327218ca3f8f6ba2cfcf486bcf913a72a5 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 10 Jun 2021 22:41:07 -0400 Subject: [PATCH 238/483] Add sybase_conf config resource, based on using sybase_session to call sp_configure Signed-off-by: Clinton Wolfe --- lib/inspec/resources/sybase_conf.rb | 37 ++++++++++++++++++++++++++ lib/inspec/resources/sybase_session.rb | 16 ++++++++--- 2 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 lib/inspec/resources/sybase_conf.rb 
diff --git a/lib/inspec/resources/sybase_conf.rb b/lib/inspec/resources/sybase_conf.rb new file mode 100644 index 000000000..3d252cfff --- /dev/null +++ b/lib/inspec/resources/sybase_conf.rb @@ -0,0 +1,37 @@ +require "inspec/resources/sybase_session" + +module Inspec::Resources + class SybaseConf < Inspec.resource(1) + name "sybase_conf" + supports platform: "unix" + # supports platform: "windows" # TODO + desc "Use the sybase_conf InSpec resource to test Sybase config settings" + example <<~EXAMPLE + describe sybase_conf("max memory", password: 'password', server: 'SYBASE') do + its("run_value") { should cmp 180224 } + end + EXAMPLE + + attr_reader :conf_param, :sql_query + def initialize(conf_param_name, opts = {}) + @conf_param = conf_param_name + opts[:username] ||= "sa" + opts[:database] ||= "master" + sql_session = inspec.sybase_session(opts) + @sql_query = sql_session.query("sp_configure \"#{conf_param}\"") + end + + def run_value + sql_query.row(0).column("Run Value").value + end + + def config_value + sql_query.row(0).column("Config Value").value + end + + def to_s + "Sybase Conf #{conf_param}" + end + + end +end diff --git a/lib/inspec/resources/sybase_session.rb b/lib/inspec/resources/sybase_session.rb index cd5cdd901..eb8125f73 100644 --- a/lib/inspec/resources/sybase_session.rb +++ b/lib/inspec/resources/sybase_session.rb 
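Review bot: `initialize` in sybase_conf.rb builds the statement as `"sp_configure \"#{conf_param}\""`, so a parameter name containing a double quote or a line break changes the batch that isql runs under the default `sa` login. The name can come from profile inputs, so it should be validated before the query is built, for example `raise Inspec::Exceptions::ResourceFailed, "Invalid Sybase config parameter name" if conf_param.to_s.match?(/["\r\n]/)`. `opts[:username] ||= "sa"` and `opts[:database] ||= "master"` also write into the caller's hash; working on `opts.dup` avoids that. The class has no comment saying that it defaults to `sa` on `master`, which is worth a line above `initialize`.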
@@ -12,9 +12,9 @@ module Inspec::Resources name "sybase_session" supports platform: "unix" # supports platform: "windows" # TODO - desc "Use the sybasedb_session InSpec resource to test commands against an Sybase database" + desc "Use the sybase_session InSpec resource to test commands against an Sybase database" example <<~EXAMPLE - sql = sybasedb_session(username: 'my_user', password: 'password', server: 'SYBASE', database: 'pubs2') + sql = sybase_session(username: 'my_user', password: 'password', server: 'SYBASE', database: 'pubs2') describe sql.query(\"SELECT * FROM authors\").row(0).column('au_lname') do its('value') { should eq 'Smith' } end @@ -75,7 +75,17 @@ module Inspec::Resources lines = output.lines # Remove second row (all dashes) and last 2 rows (blank and summary lines) trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("") - header_converter = ->(header) { header.downcase.strip } + header_converter = Proc.new do |header| + # This is here to suppress a warning from Hashie::Mash when it encounters a + # header column that ends up with the name "default", which happens when using the + # sybase_conf resource. It does mean that aly query whose output field includes the name + # Default (exactly) will get renamed to default_value, but that seems unlikely. + if header.match?(/^Default\s+$/) + "default_value" + else + header.downcase.strip + end + end field_converter = ->(field) { field&.strip } CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) } end From 638c36928381d94f0f6ff1633381aeb213408a42 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 10 Jun 2021 23:03:52 -0400 Subject: [PATCH 239/483] Add docs for sybase_conf Signed-off-by: Clinton Wolfe --- .../content/inspec/resources/sybase_conf.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/sybase_conf.md 
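Review bot: The new `header_converter` tests `header.match?(/^Default\s+$/)`, which requires at least one trailing whitespace character and uses line anchors. A header that arrives as exactly `Default` with no padding is therefore not renamed and still reaches Hashie::Mash as `default`, although the comment says the rename applies to that name "(exactly)". `if header.match?(/\ADefault\s*\z/)` covers both the padded and unpadded forms and anchors on the whole string. The comment also has the typo `aly` for `any`. `Proc.new do |header|` could stay a lambda like the neighbouring `field_converter` for consistency.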
diff --git a/docs-chef-io/content/inspec/resources/sybase_conf.md b/docs-chef-io/content/inspec/resources/sybase_conf.md new file mode 100644 index 000000000..b3011e7db --- /dev/null +++ b/docs-chef-io/content/inspec/resources/sybase_conf.md 
@@ -0,0 +1,71 @@ ++++ +title = "sybase_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "sybase_conf" + identifier = "inspec/resources/os/sybase_conf.md sybase_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `sybase_conf` Chef InSpec audit resource to test configuration of a Sybase / SAP ASE database. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +### Requirements + +The `isql` command line tool must be installed on the target system. + +You must have access to a database user that has access to the `sa` role on the `master` database. + +## Syntax + +A `sybase_conf` resource block declares the configuration item name, server, and password to use. + + describe sybase_session('config item', server: 'SYBASE', password: 'password') do + its('run_value') { should cmp 'expected' } + its('config_value') { should cmp 'expected' } + end + +where + +- `sybase_conf` declares a config item, server, and password with permission to run `sp_configure`. +- `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value +- `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value + +### Optional Parameters + +`sybase_conf` is based on `sybase_session`, and accepts all parameters that `sybase_session` accepts, including optional parameters `username`, `database`, `sybase_home`, and `bin`. + +In particular: + +#### `database` + +Defaults to `master`. + +#### `username` + +Defaults to `sa`. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +### Test for max memory configuration + + describe sybase_session('max memory', server: 'SYBASE', password: 'password') do + its('run_value') { should cmp 180224 } + its('config_value') { should cmp 180224 } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + From da00e359aa14ac956d990d47989f61a312b0367c Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 14 Jun 2021 18:17:05 +0530 Subject: [PATCH 240/483] Add mongodb_conf resource to InSpec Signed-off-by: Vasu1105 --- .../content/inspec/resources/mongodb_conf.md | 69 +++++++++++++++++++ lib/inspec/resources.rb | 2 + lib/inspec/resources/mongodb.rb | 66 ++++++++++++++++++ lib/inspec/resources/mongodb_conf.rb | 43 ++++++++++++ test/fixtures/cmd/mongodb-version | 1 + test/fixtures/files/mongod.conf | 24 +++++++ test/fixtures/files/mongodb-version | 1 + test/helpers/mock_loader.rb | 2 + test/unit/resources/mongodb_conf_test.rb | 19 +++++ test/unit/resources/mongodb_test.rb | 16 +++++ 10 files changed, 243 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/mongodb_conf.md create mode 100644 lib/inspec/resources/mongodb.rb create mode 100644 lib/inspec/resources/mongodb_conf.rb create mode 100644 test/fixtures/cmd/mongodb-version create mode 100644 test/fixtures/files/mongod.conf create mode 100644 test/fixtures/files/mongodb-version create mode 100644 test/unit/resources/mongodb_conf_test.rb create mode 100644 test/unit/resources/mongodb_test.rb diff --git a/docs-chef-io/content/inspec/resources/mongodb_conf.md b/docs-chef-io/content/inspec/resources/mongodb_conf.md new file mode 100644 index 000000000..333e78073 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/mongodb_conf.md 
@@ -0,0 +1,69 @@ ++++ +title = "mongodb_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "mongodb_conf" + identifier = "inspec/resources/os/mongodb_conf.md mongodb_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `mongodb_conf` Chef InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\Program Files\MongoDB\Server\\bin\mongod.cfg`, depending on the platform. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `mongodb_conf` resource block declares one (or more) settings in the `mongodb.conf` file, and then compares the setting in the configuration file to the value stated in the test: + + describe mongodb_conf('path') do + its('setting') { should eq 'value' } + end + +where + +- `'setting'` specifies a setting in the `mongodb.conf` file +- `('path')` is the non-default path to the `mongodb.conf` file (optional) +- `should eq 'value'` is the value that is expected + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test the key management configuration options + + describe mongodb_conf do + its(['security', 'enableEncryption']) { should eq true } + end + +### Test the port on which MongoDB listens + + describe mongodb_conf do + its('port') { should eq 27017 } + end + +### Test the security configuration options + + describe mongodb_conf do + its(['security', 'authorization']) { should eq 'enabled' } + end + + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + +### setting + +The `setting` matcher tests specific, named settings in the `mongod.conf` file: + + its(['setting') { should eq 'value' } + +Use a `setting` matcher for each setting to be tested. 
diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 6f153e94d..1bdf0021d 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -71,6 +71,8 @@ require "inspec/resources/key_rsa" require "inspec/resources/ksh" require "inspec/resources/limits_conf" require "inspec/resources/login_defs" +require "inspec/resources/mongodb" +require "inspec/resources/mongodb_conf" require "inspec/resources/mount" require "inspec/resources/mssql_session" require "inspec/resources/mysql" diff --git a/lib/inspec/resources/mongodb.rb b/lib/inspec/resources/mongodb.rb new file mode 100644 index 000000000..66600b587 --- /dev/null +++ b/lib/inspec/resources/mongodb.rb 
@@ -0,0 +1,66 @@
+module Inspec::Resources
+ class Mongodb < Inspec.resource(1)
+ name "mongodb"
+ supports platform: "unix"
+ supports platform: "windows"
+
+ desc "The 'mongodb' resource is a helper for the 'mongodb_conf' & 'mongodb_session' resources. Please use those instead."
+
+ attr_reader :conf_path
+
+ def initialize
+ case inspec.os[:family]
+ when "debian", "fedora", "redhat", "linux", "suse"
+ init_linux
+ when "darwin"
+ init_macos
+ when "windows"
+ init_windows
+ end
+ end
+
+ def to_s
+ "MongoDB"
+ end
+
+ private
+
+ def init_linux
+ @conf_path = "/etc/mongod.conf"
+ end
+
+ def init_macos
+ @conf_path = "/usr/local/etc/mongod.conf"
+ end
+
+ def init_windows
+ dir = "C:\\Program Files\\MongoDB\\Server"
+ @version = version_from_dir(dir)
+ unless @version.to_s.empty?
+ @conf_path = "#{dir}\\#{@version}\\bin\\mongod.cfg"
+ end
+ end
+
+ def version_from_dir(dir)
+ dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout
+ entries = dirs.lines.count
+ case entries
+ when 0
+ warn "Could not determine version of installed MongoDB by inspecting #{dir}"
+ nil
+ when 1
+ warn "Using #{dirs}: #{dir_to_version(dirs)}"
+ dir_to_version(dirs)
+ else
+ warn "Multiple versions of MongoDB installed or incorrect base dir #{dir}"
+ first = dir_to_version(dirs.lines.first)
+ warn "Using the first version found: #{first}"
+ first
+ end
+ end
+
+ def dir_to_version(dir)
+ dir.chomp.split("/").last
+ end
+ end
+end
diff --git a/lib/inspec/resources/mongodb_conf.rb b/lib/inspec/resources/mongodb_conf.rb
new file mode 100644
index 000000000..ec1dd986f
--- /dev/null
+++ b/lib/inspec/resources/mongodb_conf.rb
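Review bot: In `version_from_dir` (lib/inspec/resources/mongodb.rb), the `else` branch picks whichever directory `Get-ChildItem` lists first when several MongoDB versions sit under the base directory. On such a host `mongodb_conf` may audit a `mongod.cfg` that the running service does not use, and the only trace is a `warn`. For a compliance check it would be safer to return `nil` there, which leaves `@conf_path` unset, and let the profile author pass the path explicitly. Separately, `initialize` has no `else` for OS families outside the list, so `conf_path` stays `nil` on those; a comment such as `# other families: conf_path stays nil, callers must pass a path` would make that intent visible.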
@@ -0,0 +1,43 @@
+require "inspec/resources/json"
+require "inspec/resources/mongodb"
+
+module Inspec::Resources
+ class MongodbConf < JsonConfig
+ name "mongodb_conf"
+ supports platform: "unix"
+ supports platform: "windows"
+ desc "Use the mongodb_conf InSpec audit resource to test the contents of the configuration file for MongoDB, typically located at `/etc/mongod.conf` or `C:\\Program Files\\MongoDB\\Server\\\\bin\\mongod.cfg`, depending on the platform."
+ example <<~EXAMPLE
+ describe mongodb_conf do
+ its(["storage", "dbPath"]) { should eq "/var/lib/mongodb" }
+ its("port") { should eq 27017 }
+ end
+ EXAMPLE
+
+ def initialize(conf_path = nil)
+ @conf_path = conf_path || inspec.mongodb.conf_path
+
+ if @conf_path.nil?
+ return skip_resource "MongoDB conf path is not set."
+ end
+
+ super(@conf_path)
+ end
+
+ def port
+ params["net"]["port"]
+ end
+
+ private
+
+ def parse(content)
+ YAML.load(content)
+ rescue => e
+ raise Inspec::Exceptions::ResourceFailed, "Unable to parse `mongod.conf` or `mongod.cfg` file: #{e.message}"
+ end
+
+ def resource_base_name
+ "MongoDB Configuration"
+ end
+ end
+end
diff --git a/test/fixtures/cmd/mongodb-version b/test/fixtures/cmd/mongodb-version
new file mode 100644
index 000000000..515be8f91
--- /dev/null
+++ b/test/fixtures/cmd/mongodb-version
@@ -0,0 +1 @@
+4.4
diff --git a/test/fixtures/files/mongod.conf b/test/fixtures/files/mongod.conf
new file mode 100644
index 000000000..a19226ed5
--- /dev/null
+++ b/test/fixtures/files/mongod.conf
@@ -0,0 +1,24 @@
+# mongod.conf
+
+# for documentation of all options, see:
+# http://docs.mongodb.org/manual/reference/configuration-options/
+
+# Where and how to store data.
+storage:
+ dbPath: /var/lib/mongodb
+ journal:
+ enabled: true
+# engine:
+# mmapv1:
+# wiredTiger:
+
+# where to write logging data.
+systemLog:
+ destination: file
+ logAppend: true
+ path: /var/log/mongodb/mongod.log
+
+# network interfaces
+net:
+ port: 27017
+ bindIp: 127.0.0.1
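Review bot: In lib/inspec/resources/mongodb_conf.rb, `parse` hands the configuration file to `YAML.load`, and that file is read from the system being audited, which the scanner should not treat as trusted. On Psych releases before 4.0, `YAML.load` instantiates tagged Ruby objects, so this should be `YAML.safe_load(content)`; the existing `rescue => e` would still turn a rejected document into `ResourceFailed`. Separately, `port` raises `NoMethodError` when the file has no `net` section; assuming `params` is the parsed Hash, `params.dig("net", "port")` would return `nil` instead.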
diff --git a/test/fixtures/files/mongodb-version b/test/fixtures/files/mongodb-version new file mode 100644 index 000000000..515be8f91 --- /dev/null +++ b/test/fixtures/files/mongodb-version @@ -0,0 +1 @@ +4.4 diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 7652abd40..300540fa4 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -110,6 +110,7 @@ class MockLoader "/etc/audit/auditd.conf" => mockfile.call("auditd.conf"), "/etc/mysql/my.cnf" => mockfile.call("mysql.conf"), "/etc/mysql/mysql2.conf" => mockfile.call("mysql2.conf"), + "/etc/mongod.conf" => mockfile.call("mongod.conf"), "/etc/rabbitmq/rabbitmq.config" => mockfile.call("rabbitmq.config"), "kitchen.yml" => mockfile.call("kitchen.yml"), "example.csv" => mockfile.call("example.csv"), @@ -564,6 +565,7 @@ class MockLoader "sestatus" => cmd.call("sestatus"), "semodule -lfull" => cmd.call("semodule-lfull"), "semanage boolean -l -n" => cmd.call("semanage-boolean"), + "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") diff --git a/test/unit/resources/mongodb_conf_test.rb b/test/unit/resources/mongodb_conf_test.rb new file mode 100644 index 000000000..8b071f977 --- /dev/null +++ b/test/unit/resources/mongodb_conf_test.rb 
@@ -0,0 +1,19 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/mongodb_conf" + +describe "Inspec::Resources::MongodbConf" do + it "verify mongd.conf config parsing" do + resource = load_resource("mongodb_conf", "/etc/mongod.conf") + _(resource.params["storage"]["dbPath"]).must_equal "/var/lib/mongodb" + _(resource.params["systemLog"]["path"]).must_equal "/var/log/mongodb/mongod.log" + _(resource.port).must_equal 27017 + end + + it "verify mongd.conf config parsing use default configuration file location." do + resource = load_resource("mongodb_conf") + _(resource.params["storage"]["dbPath"]).must_equal "/var/lib/mongodb" + _(resource.params["systemLog"]["path"]).must_equal "/var/log/mongodb/mongod.log" + _(resource.port).must_equal 27017 + end +end diff --git a/test/unit/resources/mongodb_test.rb b/test/unit/resources/mongodb_test.rb new file mode 100644 index 000000000..4ac119eae --- /dev/null +++ b/test/unit/resources/mongodb_test.rb @@ -0,0 +1,16 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/mongodb" + +describe "Inspec::Resources::Mongodb" do + it "sets default configuration path" do + resource = MockLoader.new(:windows).load_resource("mongodb") + _(resource.conf_path).must_equal "C:\\Program Files\\MongoDB\\Server\\4.4\\bin\\mongod.cfg" + end + + it "sets default configuration path" do + resource = MockLoader.new(:centos7).load_resource("mongodb") + _(resource.conf_path).must_equal "/etc/mongod.conf" + end +end + From 5f85e177455cd80857710db2049cdd43e66c3db9 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 14 Jun 2021 19:41:56 +0530 Subject: [PATCH 241/483] Removed warning as per review comments Signed-off-by: Vasu1105 --- lib/inspec/resources/mongodb.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/inspec/resources/mongodb.rb b/lib/inspec/resources/mongodb.rb index 66600b587..a7099539f 100644 --- a/lib/inspec/resources/mongodb.rb +++ b/lib/inspec/resources/mongodb.rb 
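Review bot: Both examples in test/unit/resources/mongodb_conf_test.rb load a readable, well-formed file, so nothing exercises the `ResourceFailed` path in `parse` or the `skip_resource` branch taken when no config path is found. A case that loads a malformed fixture and asserts the failure would pin the behaviour that matters when a target's file is damaged or unexpected. The descriptions also spell the file `mongd.conf`, where `mongod.conf` is meant.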
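Review bot: The two `it` blocks in test/unit/resources/mongodb_test.rb share the description "sets default configuration path", so a failure report cannot tell the Windows case from the CentOS one. Name them after the platform, for example `it "sets default configuration path on windows" do`. The zero-entry and multiple-entry branches of `version_from_dir` have no test, and the multiple-entry branch is the one where the resource guesses which config to audit.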
@@ -49,7 +49,6 @@ module Inspec::Resources warn "Could not determine version of installed MongoDB by inspecting #{dir}" nil when 1 - warn "Using #{dirs}: #{dir_to_version(dirs)}" dir_to_version(dirs) else warn "Multiple versions of MongoDB installed or incorrect base dir #{dir}" From 4c0eb932a5181873c63b02f592bfb84882912b78 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 14 Jun 2021 13:36:24 -0400 Subject: [PATCH 242/483] Include x25519 KEX module in omnibus build Signed-off-by: Clinton Wolfe --- Gemfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Gemfile b/Gemfile index 6bf1174d9..0eeb50c7a 100644 --- a/Gemfile +++ b/Gemfile @@ -25,6 +25,7 @@ group :omnibus do gem "appbundler" gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec + gem "x25519" # ed25519 KEX module end group :test do @@ -55,6 +56,7 @@ end if Gem.ruby_version >= Gem::Version.new("2.7.0") group :kitchen do gem "berkshelf" + gem "chef", ">= 16.0" # Required to allow net-ssh > 6 gem "test-kitchen", ">= 2.8" gem "kitchen-inspec", ">= 2.0" gem "kitchen-dokken", ">= 2.11" From 77112671bada29af3389ccd4ecb93b4ad00af7a7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 14 Jun 2021 19:23:02 +0000 Subject: [PATCH 243/483] Bump version to 4.37.29 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a30182fe..737be2eda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
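Review bot: In the Gemfile, the comment on the new `gem "x25519"` line calls it the "ed25519 KEX module", which mixes up two primitives. x25519 is the Curve25519 Diffie-Hellman function, which as far as I can tell net-ssh uses for its `curve25519-sha256` key exchange, while ed25519 is the signature scheme covered by the gem two lines above. Suggest `gem "x25519" # curve25519-sha256 key exchange for net-ssh; native gem, so it can't go in the gemspec`. Like its neighbours in the omnibus group the gem carries no version constraint, so unless a lockfile is committed for release builds, the packaged artifact takes whatever version resolves at build time.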
@@ -1,15 +1,18 @@ # Change Log - -## [v4.37.28](https://github.com/inspec/inspec/tree/v4.37.28) (2021-06-10) + +## [v4.37.29](https://github.com/inspec/inspec/tree/v4.37.29) (2021-06-14) -#### Merged Pull Requests -- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) +#### Bug Fixes +- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.25 release +#### Bug Fixes +- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) - Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index c4b7d457c..7cf9558cd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.28 \ No newline at end of file +4.37.29 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0785ceb96..4a5ea347a 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.28".freeze + VERSION = "4.37.29".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 60ac37376..cfc94c6c1 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.28".freeze + VERSION = "4.37.29".freeze end From 607d9a1ebc02db9c9c3155b0b6bdc3bffcae4f3c Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 15 Jun 2021 20:04:00 +0530 Subject: [PATCH 244/483] Removed port property Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/mongodb_conf.md | 6 +++--- lib/inspec/resources/mongodb_conf.rb | 6 +----- test/unit/resources/mongodb_conf_test.rb | 3 +-- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/mongodb_conf.md b/docs-chef-io/content/inspec/resources/mongodb_conf.md index 333e78073..31004df84 100644 --- a/docs-chef-io/content/inspec/resources/mongodb_conf.md +++ b/docs-chef-io/content/inspec/resources/mongodb_conf.md @@ -40,19 +40,19 @@ The following examples show how to use this Chef InSpec audit resource. ### Test the key management configuration options describe mongodb_conf do - its(['security', 'enableEncryption']) { should eq true } + its(["security", "enableEncryption"]) { should eq true } end ### Test the port on which MongoDB listens describe mongodb_conf do - its('port') { should eq 27017 } + its(["net", "port"]) { should eq 27017 } end ### Test the security configuration options describe mongodb_conf do - its(['security', 'authorization']) { should eq 'enabled' } + its(["security", "authorization"]) { should eq "enabled" } end diff --git a/lib/inspec/resources/mongodb_conf.rb b/lib/inspec/resources/mongodb_conf.rb index ec1dd986f..6f1370f66 100644 --- a/lib/inspec/resources/mongodb_conf.rb +++ b/lib/inspec/resources/mongodb_conf.rb @@ -10,7 +10,7 @@ module Inspec::Resources example <<~EXAMPLE describe mongodb_conf do its(["storage", "dbPath"]) { should eq "/var/lib/mongodb" } - its("port") { should eq 27017 } + its(["net", "port"]) { should eq 27017 } end EXAMPLE @@ -24,10 +24,6 @@ module Inspec::Resources super(@conf_path) end - def port - params["net"]["port"] - end - private def parse(content) 
diff --git a/test/unit/resources/mongodb_conf_test.rb b/test/unit/resources/mongodb_conf_test.rb index 8b071f977..6b0c86d1c 100644 --- a/test/unit/resources/mongodb_conf_test.rb +++ b/test/unit/resources/mongodb_conf_test.rb @@ -7,13 +7,12 @@ describe "Inspec::Resources::MongodbConf" do resource = load_resource("mongodb_conf", "/etc/mongod.conf") _(resource.params["storage"]["dbPath"]).must_equal "/var/lib/mongodb" _(resource.params["systemLog"]["path"]).must_equal "/var/log/mongodb/mongod.log" - _(resource.port).must_equal 27017 + _(resource.params["net"]["port"]).must_equal 27017 end it "verify mongd.conf config parsing use default configuration file location." do resource = load_resource("mongodb_conf") _(resource.params["storage"]["dbPath"]).must_equal "/var/lib/mongodb" _(resource.params["systemLog"]["path"]).must_equal "/var/log/mongodb/mongod.log" - _(resource.port).must_equal 27017 end end From d1f0e21d67426ac91a6fe4be661a7d0a4a7b8ab5 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 15 Jun 2021 11:44:56 -0700 Subject: [PATCH 245/483] Add operator matcher section Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/glossary.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs-chef-io/content/inspec/glossary.md b/docs-chef-io/content/inspec/glossary.md index d0e00838f..e03333b89 100644 --- a/docs-chef-io/content/inspec/glossary.md +++ b/docs-chef-io/content/inspec/glossary.md 
@@ -273,6 +273,26 @@ describe car(owner: 'Tony Clifton') do end ``` +### Operator Matcher + +An operator matcher allows you to use operators to compare numerical [expected results](#expected-result) against a [property](#property). All plural resources have a `count` property. + +For example: + +```ruby + describe cars do + its('count') { should be >= 10 } + end +``` + +Operators include: + +- `==` +- `>=` +- `<=` +- `>` +- `<` + ### plural resource A _`plural resource`_ is a [resource](#resource) that specializes in performing searches and represents multiple occurrences of the resource on the [target](#target) platform. Plural resources are used to audit counts, inspect group properties, and have the unique ability to enforce negative tests ("nothing like this should exist") often required by compliance standards. Plural resources are not intended to perform in-depth auditing of an individual; use [singular resources](#singular-resource) for that. From 476858bbbbc961d2fb55b5911b5ccb876e150920 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 15 Jun 2021 11:45:33 -0700 Subject: [PATCH 246/483] Other minor fixes Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/glossary.md | 84 ++++++++++++------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/docs-chef-io/content/inspec/glossary.md b/docs-chef-io/content/inspec/glossary.md index e03333b89..46da628ef 100644 --- a/docs-chef-io/content/inspec/glossary.md +++ b/docs-chef-io/content/inspec/glossary.md @@ -30,7 +30,7 @@ Let's look at some simple examples. ### Singular Resource Example -```inspec +```ruby describe car(owner: 'Tony Clifton') do it { should exist } its('license_plate') { should cmp 'MOONMAN' } @@ -73,7 +73,7 @@ _should\_not_ indicates this is a negated test. So, this test passes if the matc ### Plural Resource Example -```inspec +```ruby describe cars.where(color: /^b/) do it { should exist } its('manufacturers') { should include 'Cadillac' } 
@@ -117,31 +117,31 @@ _be >=_ is an [operator matcher](#operator-matcher). It allows you to perform nu ## Text Glossary -### attribute +### Attribute Deprecated name for [input](#input). -### control +### Control -### control block +### Control Block The _`control`_ keyword is used to declare a _`control block`_. Here, the word 'control' means a 'regulatory control, recommendation, or requirement' - not a software engineering construct. A `control block` has a name (which usually refers to the assigned ID of the regulatory recommendation it implements), metadata such as descriptions, references, and tags, and finally groups together related [describe blocks](#describe-block) to implement the checks. -### core resource +### Core Resource A [resource](#resource) that is included with InSpec; you are not required to install additional [plugins](#plugin) or depend on a [resource pack](#resource-pack) to use the resource. -### custom resource +### Custom Resource A [resource](#resource) that is _not_ included with InSpec. It may be a resource of your own creation, or one you obtain by depending on a [resource pack](#resource-pack). -### describe +### Describe -### describe block +### Describe Block The _`describe`_ keyword is used with a _`describe block`_ to refer to a Chef InSpec resource. You use the `describe` keyword along with the name of a [resource](#resource) to enclose related [tests](#test) that apply to the resource. Multiple describe blocks are usually grouped together in a [control](#control), but you can also use them outside of a control. -```Ruby +```ruby control 'Rule 1.1 - Color restrictions' do # Count only blue cars describe cars.where(color: 'blue') do 
@@ -156,19 +156,19 @@ _DSL_ is an acronym for _Domain Specific Language_. It refers to the language ex For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](/inspec/dsl_resource/). -### expected result +### Expected Result When using a [matcher](#matcher), the _`expected result`_ is the value the matcher will compare against the [property](#property) being accessed. In this example, the [`cmp`](/inspec/matchers/#cmp) matcher is being used to compare the `color` property to the expected result 'black'. -```Ruby +```ruby describe car(owner: 'Bruce Wayne') do its('color') { should cmp 'black' } end ``` -### filter statement +### Filter Statement When using a [plural resource](#plural-resource), a _`filter statement`_ is used to select individual test subjects using [filter criteria](#filter-criteria). A filter statement almost always is indicated by the keyword `where`, and may be repeated using method chaining. @@ -176,16 +176,16 @@ A filter statement may use method call syntax (which allows basic criteria opera In this example, `where(...)` is the filter statement. -```Ruby +```ruby # Count only blue cars describe cars.where(color: 'blue') do its('count') { should eq 20 } end ``` -### filter criterion +### Filter Criterion -### filter criteria +### Filter Criteria When using a [plural resource](#plural-resource), a _`filter criterion`_ is used to select individual test subjects within a [filter statement](#filter-statement). You may use multiple _`filter criteria`_ in a single filter statement. @@ -193,7 +193,7 @@ When method-call syntax is used with the filter statement, you provide filter cr Here, `(color: blue)` is a single filter criterion being used with a filter statement in method-call syntax. -```Ruby +```ruby # Count only blue cars describe cars.where(color: 'blue') do its('count') { should eq 20 } 
@@ -204,14 +204,14 @@ When block-method syntax is used with the filter statement, you provide a block. Here, `{ engine_cylinders >= 6 }` is a block-syntax filter statement referring to one filter criterion. -```Ruby +```ruby # Vroom! describe cars.where { engine_cylinders >= 6 } do its('city_mpg_ratings') { should_not include '4-star' } end ``` -### input +### Input An _`input`_ is a value that Chef InSpec can source from a number of providers, including from the command line, profile metadata, or within the control file DSL itself. You can use this feature either to change a [profile's](#profile) behavior by passing different attribute files or to store secrets that should not be directly present in a profile. @@ -221,7 +221,7 @@ The CLI syntax for inputs is documented under the [`inspec exec`](/inspec/cli/#e Inputs are documented in detail in the [input documentation](/inspec/inputs/). -### it +### It Within a [describe block](#describe), _`it`_ declares an individual [test](#test) directly against the [resource](#resource) (as opposed to testing against one of the resource's [properties](#property), as [its](#its) does). Though it is possible to use [universal matchers](#universal-matcher) with `it`, it is much more typical to use [resource-specific matchers](#resource-specific-matchers). @@ -229,13 +229,13 @@ Within a [describe block](#describe), _`it`_ declares an individual [test](#test Here, `it { should ... }` declares a test, calling the `classy?` matcher on Tony Clifton's car. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do it { should be_classy } end ``` -### its +### Its Within a [describe block](#describe), _`its`_ declares an individual [test](#test) against a property of the [resource](#resource) (as opposed to testing directly against the resource itself, as [it](#it) does). You must use [universal matchers](#universal-matcher) with `its`; you cannot use [resource-specific matchers](#resource-specific-matchers). 
@@ -245,7 +245,7 @@ The property to access is passed as a single string argument to `its`. As an adv Here, `its('fuzzy_dice') { should ... }` declares a test, testing against the `fuzzy_dice` property of Tony Clifton's car. Let's assume - Tony being Tony - that `fuzzy_dice` will return an Array. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do its('fuzzy_dice') { should_not be_empty } its('fuzzy_dice.count') { should be >= 2 } @@ -253,7 +253,7 @@ describe car(owner: 'Tony Clifton') do end ``` -### matcher +### Matcher A _`matcher`_ performs the actual assertions against [resources](#resource) or the [properties](#property) of resources. Matchers always return a true/false value. Matchers fall into two camps: @@ -266,7 +266,7 @@ For information on how RSpec matchers are related o Chef InSpec matchers, see [C Here, `be_classy` is a resource-specific matcher operating directly on the `car`, while `cmp` is a universal matcher operating on the `manufacturer` property. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do it { should be_classy } its('manufacturer') { should cmp 'Cadillac' } @@ -303,7 +303,7 @@ Plural resources support [filter statements](#filter-statement). See the [resour Here, `cars` is a plural resource. -```Ruby +```ruby describe cars.where(color: 'blue') do its('count') { should eq 20 } its('license_plates') { should include 'AUTOAZUL' } @@ -317,7 +317,7 @@ describe cars.where(color: 'blue') do end ``` -### profile +### Profile A _`profile`_ is a set of related [controls](#control) in a distributable form. You might have a locally-developed profile that your organization uses to define baseline security on all machines, or you might use a pre-defined profile that implements the requirements of a specific compliance standard. For full details about the capabilities of a profile, see the [profile documentation](/inspec/profiles/). 
@@ -325,7 +325,7 @@ Profiles may be distributed locally as a directory tree, as a tarball or zipfile Aside from controls, profiles can also contain [custom resources](#custom-resource). If the profile contains only custom resources and no controls, we call it a [resource pack](#resource-pack). -### property +### Property A fact about a [resource](#resource). Typically, you use the [its](#its) keyword to access the property and write a [test](#test) within a [describe block](#describe-block), and then use a [universal matcher](#universal-matcher) to make assertions about the value of the property. @@ -333,17 +333,17 @@ Each resource has different properties. See the [resource documentation](/inspec Here, `manufacturer` is a property of the `car` resource. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do its('manufacturer') { should cmp 'Cadillac' } end ``` -### reporter +### Reporter An output format for the `inspec exec` command line. Several reporters are available, including JSON and JUnit; see the [inspec exec documentation](/inspec/cli/#exec). -### resource +### Resource A _`resource`_ represents a category of things on the [target](#target) you wish to examine. For example, to check for the existence and permissions of a file, you would use the [`file`](/inspec/resources/file/) resource. Chef InSpec offers dozens of different resources, from the highly specialized (such as `aws_security_group`, which examines firewall rules in AWS) to the very general (such as `command`, which runs a command and lets you examine its output). 
@@ -353,17 +353,17 @@ Resources are used within a [describe block](#describe-block) to perform [tests] Here, `car` is a resource. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do it { should be_classy } end ``` -### resource pack +### Resource Pack A _resource pack_ is a type of [profile](#profile) that is used to distribute [custom resources](#custom-resource). This specialized type of profile contains no [controls](#control), but it does contain a `libraries` directory within which Ruby files define custom resources. -### resource parameter +### Resource Parameter _`resource parameters`_ are information passed to the resource when they are declared. Typically, resource parameters provide identifying information or connectivity information. Resource parameters are not the same as a [filter statement](#filter-statement). @@ -371,13 +371,13 @@ Resource parameters vary from resource to resource; refer to the [resource docum Here, `owner: 'Tony Clifton'` is a resource parameter. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do it { should be_classy } end ``` -### resource-specific matcher +### Resource-Specific Matcher A [matcher](#matcher) that operates directly on the [resource](#resource), as opposed to operating on a property as a [universal matcher](#universal-matcher) does. 
@@ -385,25 +385,25 @@ Resource-specific matchers often provide highly customized behavior. Check the [ For example, the hypothetical `car` resource defines a `classy?` method, which is exposed as the `be_classy` matcher in Chef InSpec tests. -```Ruby +```ruby describe car(owner: 'Tony Clifton') do it { should be_classy } end ``` -### singular resource +### Singular Resource A [resource](#resource) intended to uniquely identify a single object on the [target](#target). Singular resources specialize in providing richer auditing capabilities via resource-specific matchers. Compare to [plural resources](#plural-resource). -### target +### Target The _`target`_ is the OS or API on which Chef InSpec is performing audits. In Chef InSpec 1.x, this was always an operating system target (a bare metal machine, VM, or container). In Chef InSpec 2.x and later, this can be an OS target, or an API target, including cloud providers such as AWS. Chef InSpec is agentless, meaning that the Chef InSpec code and profiles remain on your workstation, and the target is remotely interrogated without installing anything. -### test +### Test A _`test`_ is an individual assertion about the state of the [resource](#resource) or one of its [properties](#property). All tests begin with the keyword [it](#it) or [its](#its). Tests are grouped within a [describe block](#describe-block). -### universal matcher +### Universal Matcher A _universal matcher_ is a [matcher](#matcher) that can be used on the [properties](#property) of any type of [resource](#resource). For example, you can use the `cmp` matcher to check the value of properties without having to worry about Ruby type-casting. Universal matchers are almost always used with the [its](#its) keyword. 
@@ -411,7 +411,7 @@ Universal matchers are documented on the [Universal Matchers](/inspec/matchers/) Here, we access the 'color' property, then use the `cmp` universal matcher to compare the property to the 'black' [expected result](#expected-result). -```Ruby +```ruby describe car(owner: 'Bruce Wayne') do its('color') { should cmp 'black' } end From 71222c0014d7af40c826be71ae5c9bc94bf70237 Mon Sep 17 00:00:00 2001 From: Sandra Tiffin Date: Wed, 16 Jun 2021 11:31:27 +0100 Subject: [PATCH 247/483] Fix AWS secret key environment variable name Signed-off-by: Sandra Tiffin --- docs-chef-io/content/inspec/platforms.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/platforms.md b/docs-chef-io/content/inspec/platforms.md index 1fe8e272a..9b8ddf5db 100644 --- a/docs-chef-io/content/inspec/platforms.md +++ b/docs-chef-io/content/inspec/platforms.md @@ -35,7 +35,7 @@ create an IAM user specifically for auditing activities. #### Using Environment Variables to provide credentials You may provide the credentials to Chef InSpec by setting the following environment -variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_KEY_ID`. You may +variables: `AWS_REGION`, `AWS_ACCESS_KEY_ID`, and `AWS_SECRET_ACCESS_KEY`. You may also use `AWS_PROFILE`, or if you are using MFA, `AWS_SESSION_TOKEN`. See the [AWS Command Line Interface Docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) for details. @@ -216,4 +216,4 @@ $ inspec detect -t gcp:// Name: gcp Families: cloud, api Release: google-cloud-v -``` \ No newline at end of file +``` From c28bacdab7e80105d41c5f16f18617b249c6cac8 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 16 Jun 2021 19:37:56 +0530 Subject: [PATCH 248/483] Oracle session exception handling 
Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracledb_session.rb | 12 +++++-- test/unit/resources/oracledb_session_test.rb | 33 ++++++++++++++++++-- 2 files changed, 39 insertions(+), 6 deletions(-) diff --git a/lib/inspec/resources/oracledb_session.rb b/lib/inspec/resources/oracledb_session.rb index 19be00943..cf2da5c75 100644 --- a/lib/inspec/resources/oracledb_session.rb +++ b/lib/inspec/resources/oracledb_session.rb @@ -38,11 +38,12 @@ module Inspec::Resources @sqlcl_bin = opts[:sqlcl_bin] || nil @sqlplus_bin = opts[:sqlplus_bin] || "sqlplus" skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user - fail_resource "Can't run Oracle checks without authentication" unless su_user && (user || password) - fail_resource "You must provide a service name for the session" unless service + fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password) end def query(sql) + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + if @sqlcl_bin && inspec.command(@sqlcl_bin).exist? @bin = @sqlcl_bin format_options = "set sqlformat csv\nSET FEEDBACK OFF" @@ -53,8 +54,13 @@ module Inspec::Resources command = command_builder(format_options, sql) inspec_cmd = inspec.command(command) + out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr - DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/ + raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}" + else + DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + end end def to_s diff --git a/test/unit/resources/oracledb_session_test.rb b/test/unit/resources/oracledb_session_test.rb index be7f7fc70..f46ab9fdb 100644 --- a/test/unit/resources/oracledb_session_test.rb +++ b/test/unit/resources/oracledb_session_test.rb 
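Review bot: The relaxed guard in `initialize`, `unless su_user || (user || password)`, now accepts a session that has only a user or only a password, so the resource is not failed and `query` goes on to build a connect string with one half empty. Requiring both on the non-`su` path keeps the stated intent: `fail_resource "Can't run Oracle checks without authentication" unless su_user || (user && password)`. The same hunk drops the service-name check, and `command_builder` is outside this hunk, so whether a nil service still yields a usable connect string cannot be confirmed here; a one-line comment saying why the service is now optional would help. `initialize` starts outside the hunk.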
@@ -51,11 +51,10 @@ describe "Inspec::Resources::OracledbSession" do _(resource.resource_exception_message).must_equal "Can't run Oracle checks without authentication" end - it "fails when no service name is provided" do + it "does not fails when no service name is provided" do resource = quick_resource(:oracledb_session, :windows, user: "USER", password: "password", host: "localhost", port: 1527, sqlplus_bin: "C:/sqlplus.exe") - _(resource.resource_failed?).must_equal true - _(resource.resource_exception_message).must_equal "You must provide a service name for the session" + _(resource.resource_failed?).must_equal false end it "verify oracledb_session configuration" do 
@@ -69,4 +68,32 @@ describe "Inspec::Resources::OracledbSession" do _(resource.su_user).must_equal "osuser" _(resource.bin).must_equal "sqlplus" end + + it "fails when no connection established in linux" do + resource = quick_resource(:oracledb_session, :linux, user: "USER", password: "wrongpassword", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "/bin/sqlplus") do |cmd| + cmd.strip! + case cmd + when "/bin/sqlplus -S \"USER\"/\"wrongpassword\"@localhost:1527/ORCL <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\nEOC" then + stdout_file "test/fixtures/cmd/oracle-error" + else + raise cmd.inspect + end + end + ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("SELECT NAME AS VALUE FROM v$database") } + _(ex.message).must_include("Oracle query with errors") + end + + it "fails when no connection established in windows" do + resource = quick_resource(:oracledb_session, :windows, user: "USER", password: "wrongpassword", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "C:/sqlplus.exe") do |cmd| + cmd.strip! + case cmd + when "@'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\n'@ | C:/sqlplus.exe -S \"USER\"/\"wrongpassword\"@localhost:1527/ORCL" then + stdout_file "test/fixtures/cmd/oracle-error" + else + raise cmd.inspect + end + ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("SELECT NAME AS VALUE FROM v$database") } + _(ex.message).must_include("Oracle query with errors") + end + end end From 362eadb06782b9c29ba95e905a592ea145aca896 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Mon, 14 Jun 2021 19:35:00 -0400 Subject: [PATCH 249/483] Add an awful little check to detect x86 arch Signed-off-by: Clinton Wolfe --- Gemfile | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index 0eeb50c7a..82d4eabb3 100644 --- a/Gemfile +++ b/Gemfile 
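Review bot: In the added Windows case (`fails when no connection established in windows`) the `quick_resource` block is not closed before the assertions: after `raise cmd.inspect` there is a single `end`, which closes the `case`, so `ex = assert_raises(...)` and the `must_include` check sit inside the command-mock block instead of the test body. As written the assertions run only if the mock block is invoked, so the test can likely pass without checking anything. The Linux case just above has the second `end` in the right place; move one of the trailing `end`s up so it directly follows the `case`'s `end`.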
@@ -20,12 +20,22 @@ end # but our runtime dep is still 3.9+ gem "rspec", ">= 3.10" +def probably_x86? + # We don't currently build on ARM windows, so assume x86 there + return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/ + + # Otherwise rely on uname -m + `uname -m`.match?(/^(x86_64|i\d86)/) +end + group :omnibus do gem "rb-readline" gem "appbundler" gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec - gem "x25519" # ed25519 KEX module + if probably_x86? + gem "x25519" # ed25519 KEX module, not supported on ARM + end end group :test do From 54ff422974930fd7b0a079602060e06ff9bc7149 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 16 Jun 2021 21:48:37 +0000 Subject: [PATCH 250/483] Bump version to 4.37.30 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 737be2eda..9868dca52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.37.29](https://github.com/inspec/inspec/tree/v4.37.29) (2021-06-14) + +## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16) -#### Bug Fixes -- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) +#### Merged Pull Requests +- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) 
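Review bot: `probably_x86?` runs a `uname -m` subprocess from the Gemfile, so every Bundler load executes whichever `uname` is first on PATH, and the call raises `Errno::ENOENT` on a non-Windows host that has none. Ruby already records the CPU it was built for, so the second line of the method can avoid the subprocess: `RbConfig::CONFIG["host_cpu"].match?(/\A(x86_64|i\d86)/)`. It would also help to extend the comment on the `x25519` line to say that builds on other architectures ship without that key-exchange module, since the group silently differs by host.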
@@ -14,6 +14,7 @@ - Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) - Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) - Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 7cf9558cd..6b6380846 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.29 \ No newline at end of file +4.37.30 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 4a5ea347a..526d3fb4c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.29".freeze + VERSION = "4.37.30".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index cfc94c6c1..bdb76b3ef 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.29".freeze + VERSION = "4.37.30".freeze end From 12aa77271b254dc596459a12fc38777beb3b525c Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 16 Jun 2021 23:01:23 +0000 Subject: [PATCH 251/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 31 ++++++++++++++----------------- Dockerfile | 2 +- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9868dca52..1186993f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,32 +1,29 @@ # Change Log - -## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16) - -#### Merged Pull Requests -- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.37.25 release - -#### Bug Fixes -- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) - -#### Merged Pull Requests -- Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) -- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) -- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) + +## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16) + +#### Bug Fixes +- Include x25519 KEX module in omnibus build [#5563](https://github.com/inspec/inspec/pull/5563) ([clintoncwolfe](https://github.com/clintoncwolfe)) + +#### Merged Pull Requests +- Minor MD reformatting for dev-docs page [#5550](https://github.com/inspec/inspec/pull/5550) ([IanMadd](https://github.com/IanMadd)) +- Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) +- Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) +- Restrict x25519 gem 
to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-10) #### Merged Pull Requests - sshd_config is for daemon, not client - typo [#5549](https://github.com/inspec/inspec/pull/5549) ([jblaine](https://github.com/jblaine)) - Fix related to loading dependent profiles from a profile in shell [#5547](https://github.com/inspec/inspec/pull/5547) ([Nik08](https://github.com/Nik08)) - ## [v4.37.23](https://github.com/inspec/inspec/tree/v4.37.23) (2021-06-03) diff --git a/Dockerfile b/Dockerfile index 5570be075..7e1661e88 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.25 +ARG VERSION=4.37.30 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 597b3e375a41db1d845b10dad62fa002bb9b2adb Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 17 Jun 2021 02:25:40 +0000 Subject: [PATCH 252/483] Bump version to 4.38.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1186993f8..cf11cb1aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,9 +1,17 @@ # Change Log - + +## [v4.38.0](https://github.com/inspec/inspec/tree/v4.38.0) (2021-06-17) + +#### Merged Pull Requests +- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) - + +### Changes since 4.37.30 release + +#### Merged Pull Requests +- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 6b6380846..d815923e8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.37.30 \ No newline at end of file +4.38.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 526d3fb4c..8754c116c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.37.30".freeze + VERSION = "4.38.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index bdb76b3ef..dbc7720c2 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.37.30".freeze + VERSION = "4.38.0".freeze end From 077ada008efd88ecf410cfe1c51678c5334e7300 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 17 Jun 2021 02:28:30 +0000 Subject: [PATCH 253/483] Bump version to 4.38.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf11cb1aa..2713b497f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.38.0](https://github.com/inspec/inspec/tree/v4.38.0) (2021-06-17) + +## [v4.38.1](https://github.com/inspec/inspec/tree/v4.38.1) (2021-06-17) #### Merged Pull Requests -- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) +- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) ### Changes since 4.37.30 release #### Merged Pull Requests +- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) - Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index d815923e8..3d5a181da 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.0 \ No newline at end of file +4.38.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8754c116c..e71c1a249 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.0".freeze + VERSION = "4.38.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index dbc7720c2..6ed1858bc 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.0".freeze + VERSION = "4.38.1".freeze end From d08b8bb8f3ed20c3e5ea2803805cfa7b6b92d49f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 18 Jun 2021 14:14:25 +0530 Subject: [PATCH 254/483] exception handling when exception in case of no error 
Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracledb_session.rb | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/inspec/resources/oracledb_session.rb b/lib/inspec/resources/oracledb_session.rb index cf2da5c75..0eeb06990 100644 --- a/lib/inspec/resources/oracledb_session.rb +++ b/lib/inspec/resources/oracledb_session.rb @@ -56,10 +56,14 @@ module Inspec::Resources inspec_cmd = inspec.command(command) out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr - if inspec_cmd.exit_status != 0 || out.downcase =~ /^error.*/ + if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/ raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}" else - DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + begin + DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout)) + rescue + raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}" + end end end From 88641c3fac0f0862a65c11d5eb3339799b8824af Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 21 Jun 2021 12:09:53 +0530 Subject: [PATCH 255/483] Fix in oracle command which weren't working in windows powershell Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracledb_session.rb | 6 +++--- test/unit/resources/oracledb_session_test.rb | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/inspec/resources/oracledb_session.rb b/lib/inspec/resources/oracledb_session.rb index 0eeb06990..4da2de5e4 100644 --- a/lib/inspec/resources/oracledb_session.rb +++ b/lib/inspec/resources/oracledb_session.rb 
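Review bot: The bare `rescue` added around `parse_csv_result` reports a parse failure with the same text as a failed query, `"Oracle query with errors: #{out}"`, and drops the original exception, so a report reader cannot tell a connection or SQL error from output that could not be parsed. Naming the exception keeps the two apart: `rescue StandardError => e` followed by `raise Inspec::Exceptions::ResourceFailed, "Oracle query output could not be parsed: #{e.message}"`. Because `out` is the full stdout plus stderr, a short comment that everything the client prints ends up in the failure message would also be useful. `query` starts and ends outside this hunk.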
@@ -87,11 +87,11 @@ module Inspec::Resources end if @db_role.nil? - %{#{sql_prefix}#{bin} "#{user}"/"#{password}"@#{host}:#{port}/#{@service}#{sql_postfix}} + "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}" elsif @su_user.nil? - %{#{sql_prefix}#{bin} "#{user}"/"#{password}"@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}} + "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}" else - %{su - #{@su_user} -c "env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"} + "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}" end end diff --git a/test/unit/resources/oracledb_session_test.rb b/test/unit/resources/oracledb_session_test.rb index f46ab9fdb..eeca847ec 100644 --- a/test/unit/resources/oracledb_session_test.rb +++ b/test/unit/resources/oracledb_session_test.rb @@ -7,7 +7,7 @@ describe "Inspec::Resources::OracledbSession" do resource = quick_resource(:oracledb_session, :linux, user: "USER", password: "password", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "/bin/sqlplus") do |cmd| cmd.strip! case cmd - when "/bin/sqlplus -S \"USER\"/\"password\"@localhost:1527/ORCL <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\nEOC" then + when "/bin/sqlplus -S USER/password@localhost:1527/ORCL <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\nEOC" then stdout_file "test/fixtures/cmd/oracle-result" else raise cmd.inspect 
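Review bot: With the quotes removed in `command_builder`, `user`, `password`, `host`, `port` and `@service` are interpolated bare into a string that a shell runs, so any value containing a space or a shell metacharacter is split or interpreted by the shell instead of reaching sqlplus as one argument, and passwords commonly contain such characters. In the `su` branch the text after `-c` is no longer a single argument, so `su` likely receives only `env` as the command; the constructor already skips `as_os_user` on Windows, so that branch can keep its original quoting: `%{su - #{@su_user} -c "env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}`. For the other two branches, quote the connect string per target shell rather than not at all, for example `Shellwords.escape("#{user}/#{password}@#{host}:#{port}/#{@service}")` on the Unix path (needs `require "shellwords"`; whether the file already loads it is not visible here) and single-quoting on the PowerShell path. `command_builder` starts outside the hunk.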
@@ -24,7 +24,7 @@ describe "Inspec::Resources::OracledbSession" do resource = quick_resource(:oracledb_session, :windows, user: "USER", password: "password", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "C:/sqlplus.exe") do |cmd| cmd.strip! case cmd - when "@'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\n'@ | C:/sqlplus.exe -S \"USER\"/\"password\"@localhost:1527/ORCL" then + when "@'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\n'@ | C:/sqlplus.exe -S USER/password@localhost:1527/ORCL" then stdout_file "test/fixtures/cmd/oracle-result" else raise cmd.inspect @@ -73,7 +73,7 @@ describe "Inspec::Resources::OracledbSession" do resource = quick_resource(:oracledb_session, :linux, user: "USER", password: "wrongpassword", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "/bin/sqlplus") do |cmd| cmd.strip! case cmd - when "/bin/sqlplus -S \"USER\"/\"wrongpassword\"@localhost:1527/ORCL <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\nEOC" then + when "/bin/sqlplus -S USER/wrongpassword@localhost:1527/ORCL <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\nEOC" then stdout_file "test/fixtures/cmd/oracle-error" else raise cmd.inspect 
@@ -87,7 +87,7 @@ describe "Inspec::Resources::OracledbSession" do resource = quick_resource(:oracledb_session, :windows, user: "USER", password: "wrongpassword", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "C:/sqlplus.exe") do |cmd| cmd.strip! case cmd - when "@'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\n'@ | C:/sqlplus.exe -S \"USER\"/\"wrongpassword\"@localhost:1527/ORCL" then + when "@'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v$database;\nEXIT\n'@ | C:/sqlplus.exe -S USER/wrongpassword@localhost:1527/ORCL" then stdout_file "test/fixtures/cmd/oracle-error" else raise cmd.inspect From ad60fbe09e7e220e43bc4c7425435179f67e0b27 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 22 Jun 2021 20:06:11 +0000 Subject: [PATCH 256/483] Bump version to 4.38.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2713b497f..9038ab14f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.38.1](https://github.com/inspec/inspec/tree/v4.38.1) (2021-06-17) + +## [v4.38.2](https://github.com/inspec/inspec/tree/v4.38.2) (2021-06-22) #### Merged Pull Requests -- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) +- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) ### Changes since 4.37.30 release #### Merged Pull Requests +- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) - Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) - Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 3d5a181da..e59bab17d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.1 \ No newline at end of file +4.38.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e71c1a249..4beeb7c6b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.1".freeze + VERSION = "4.38.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6ed1858bc..6aae72436 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.1".freeze + VERSION = "4.38.2".freeze end From a008514d571eb22ba973386366e6575389176bbe Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 23 Jun 2021 14:38:08 +0530 Subject: [PATCH 257/483] Add mongodb_session resource and docs. 
Signed-off-by: Vasu1105 --- Gemfile | 2 + .../content/inspec/resources/mongodb_conf.md | 7 -- .../inspec/resources/mongodb_session.md | 92 +++++++++++++++++++ lib/inspec/resources.rb | 1 + lib/inspec/resources/mongodb_session.rb | 75 +++++++++++++++ 5 files changed, 170 insertions(+), 7 deletions(-) create mode 100644 docs-chef-io/content/inspec/resources/mongodb_session.md create mode 100644 lib/inspec/resources/mongodb_session.rb diff --git a/Gemfile b/Gemfile index 82d4eabb3..59c84ce9b 100644 --- a/Gemfile +++ b/Gemfile @@ -20,6 +20,8 @@ end # but our runtime dep is still 3.9+ gem "rspec", ">= 3.10" +gem "mongo" + def probably_x86? # We don't currently build on ARM windows, so assume x86 there return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/ diff --git a/docs-chef-io/content/inspec/resources/mongodb_conf.md b/docs-chef-io/content/inspec/resources/mongodb_conf.md index 31004df84..de5c2ac0d 100644 --- a/docs-chef-io/content/inspec/resources/mongodb_conf.md +++ b/docs-chef-io/content/inspec/resources/mongodb_conf.md @@ -60,10 +60,3 @@ The following examples show how to use this Chef InSpec audit resource. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). -### setting - -The `setting` matcher tests specific, named settings in the `mongod.conf` file: - - its(['setting') { should eq 'value' } - -Use a `setting` matcher for each setting to be tested. diff --git a/docs-chef-io/content/inspec/resources/mongodb_session.md b/docs-chef-io/content/inspec/resources/mongodb_session.md new file mode 100644 index 000000000..4d5754159 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/mongodb_session.md 
@@ -0,0 +1,92 @@ ++++ +title = "mongodb_session resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "mongodb_session" + identifier = "inspec/resources/os/mongodb_session.md mongodb_session resource" + parent = "inspec/resources/os" ++++ + +Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `mongodb_session` resource block declares the `user`, `password`, 'database' to use for the session, and then the command to be run: + + describe mongodb_session(user: "username", password: "password").query(key: value) do + its("params") { should match(/expected-result/) } + end + +where + +- `mongodb_session` declares a user and password, connecting locally, with permission to run the query +- `query` contains the query to be run. +- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test + +### Optional Parameters + +`mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, `auth_mech_properties`. + +In Particular: + +#### `host` + +Defaults to `127.0.0.1` + +#### `port` + +Defaults to `27017` + +#### `auth_mech` + +Defaults to `:scram` + +#### `auth_source` + +Defaults to given database name. + +### MongodDB query reference docs + +This resource is using mongo ruby driver to fetch the data. +[MongoDB Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/) + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +### Test the roles information using rolesInfo command of MongoDB + + describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do + its(["role"]) { should eq "dbAdmin" } + end + +### Test the MongoDB user role. + + describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do + its(["role"]) { should eq "readWrite" } + end + +### Test the params + + describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do + its("params") { should_not be_empty } + its("params") { should include "roles" } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + +### params + +The `params` contains all the query data. diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 1bdf0021d..066cf3191 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -73,6 +73,7 @@ require "inspec/resources/limits_conf" require "inspec/resources/login_defs" require "inspec/resources/mongodb" require "inspec/resources/mongodb_conf" +require "inspec/resources/mongodb_session" require "inspec/resources/mount" require "inspec/resources/mssql_session" require "inspec/resources/mysql" diff --git a/lib/inspec/resources/mongodb_session.rb b/lib/inspec/resources/mongodb_session.rb new file mode 100644 index 000000000..061aca735 --- /dev/null +++ b/lib/inspec/resources/mongodb_session.rb 
@@ -0,0 +1,75 @@ +require "mongo" + +module Inspec::Resources + class Lines + attr_reader :params + + def initialize(raw, desc) + @params = raw + @desc = desc + end + + def to_s + @desc + end + end + + class MongodbSession < Inspec.resource(1) + name "mongodb_session" + supports platform: "unix" + supports platform: "windows" + + desc "Use the mongodb_session InSpec audit resource to run database commands using MongoDB ruby client against a given database." + + attr_reader :user, :host, :port, :database, :params + + def initialize(opts = {}) + @user = opts[:user] || nil + @password = opts[:password] || nil + @host = opts[:host] || "127.0.0.1" + @port = opts[:port] || "27017" + @database = opts[:database] || nil + @auth_mech = opts[:auth_mech] || :scram + @auth_source = opts[:auth_source] || @database + @ssl = opts[:ssl] || false + @ssl_cert = opts[:ssl_cert] || nil + @ssl_key = opts[:ssl_key] || nil + @ssl_ca_cert = opts[:ssl_ca_cert] || nil + @auth_mech_properties = opts[:auth_mech_properties] || {} + @client = nil + + fail_resource "Can't run MongoDB checks without authentication" unless user && @password + fail_resource "You must provide a database name for the session" unless database + + create_session + end + + def query(command) + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}") + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}" + end + + private + + def create_session + options = { user: "#{user}", + password: "#{@password}", + database: "#{database}", + auth_source: "#{@auth_source}", + auth_mech: @auth_mech, + } + options[:auth_mech_properties] = @auth_mech_properties unless @auth_mech_properties.empty? + options[:ssl] = @ssl + opitons[:ssl_key] = @ssl_key unless @ssl_key.nil? + options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil? 
+ options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil? + + @client = Mongo::Client.new([ "#{host}:#{port}" ], options) + + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}" + end + end +end From 7ec66a0ca95204d31295ae01e48f09a63bd080ed Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 24 Jun 2021 00:13:03 +0530 Subject: [PATCH 258/483] Missing oracle-error file added for testing Signed-off-by: Nikita Mathur --- test/fixtures/cmd/oracle-error | 1 + 1 file changed, 1 insertion(+) create mode 100644 test/fixtures/cmd/oracle-error diff --git a/test/fixtures/cmd/oracle-error b/test/fixtures/cmd/oracle-error new file mode 100644 index 000000000..299937c0f --- /dev/null +++ b/test/fixtures/cmd/oracle-error @@ -0,0 +1 @@ +error: sqlplus: command not found \ No newline at end of file From 71d324f9d9cf925f5612682e678a9548728ed0eb Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 23 Jun 2021 15:37:06 -0400 Subject: [PATCH 259/483] Fix links for Dom and Christoph Signed-off-by: Clinton Wolfe --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8a0343370..9ec47ae3d 100644 --- a/README.md +++ b/README.md @@ -360,7 +360,7 @@ You may also [browse the Supermarket for shared Compliance Profiles](https://sup ## Kudos -Chef InSpec was originally created by Christoph Hartmann (@chris-rock) and Dominik Richter (@arlimus). +Chef InSpec was originally created by Christoph Hartmann ([@chris-rock](https://github.com/chris-rock)) and Dominik Richter ([@arlimus](https://github.com/arlimus)). Chef InSpec is inspired by the wonderful [Serverspec](http://serverspec.org) project. Kudos to [mizzy](https://github.com/mizzy) and [all contributors](https://github.com/mizzy/serverspec/graphs/contributors)! From 583267fb630d59508822ec22a1d2f888dd8d2bcc Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 23 Jun 2021 15:40:11 -0400 Subject: [PATCH 260/483] Docs feedback 
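Review bot: In `create_session` of the new `mongodb_session.rb`, the line `opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?` misspells `options`, so passing `ssl_key:` raises a NameError that the method's own `rescue => e` reports as a generic "Can't run MongoDB command" failure. A client-key TLS session can therefore never be opened; the line should read `options[:ssl_key] = @ssl_key unless @ssl_key.nil?`. Note also that `@ssl = opts[:ssl] || false` leaves TLS off unless the profile asks for it, and the option list in the accompanying markdown page mentions neither `ssl_key` nor `database`. A unit test that builds the options hash with `ssl_key` set would have caught the typo.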
Signed-off-by: Clinton Wolfe --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ec47ae3d..724547db6 100644 --- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec ### Install it via rubygems.org -When installing from source, gem dependencies may require ruby build tools to be installed. (A compiler-free variant is available with reduced functionality; use `inspec-core-bin` and `inspec-core`.) +Installing Chef InSpec from source may require installing ruby build tools to manage gem dependencies. (A compiler-free variant is available with reduced functionality; use `inspec-core-bin` and `inspec-core`.) To install build tools, use your package manager. From f88cde642507f0b5aa63487594792b38114b7a5b Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 23 Jun 2021 21:55:54 +0000 Subject: [PATCH 261/483] Bump version to 4.38.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9038ab14f..c8cbd4f6e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.38.2](https://github.com/inspec/inspec/tree/v4.38.2) (2021-06-22) + +## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-06-23) #### Merged Pull Requests -- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) +- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.37.30 release #### Merged Pull Requests +- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) - Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) - Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index e59bab17d..0a91b4d78 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.2 \ No newline at end of file +4.38.3 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 4beeb7c6b..18e14821d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.2".freeze + VERSION = "4.38.3".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6aae72436..76afa2e2e 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.2".freeze + VERSION = "4.38.3".freeze end From 7f7cbf0ddb44a704111e45cb5b0e378d4076dea3 Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Thu, 24 Jun 2021 12:03:53 +0530 Subject: [PATCH 262/483] Add unit test for mongodb_session resource Signed-off-by: Vasu1105 --- lib/inspec/resources/mongodb_session.rb | 9 ++++++--- test/unit/resources/mongodb_session_test.rb | 17 +++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 test/unit/resources/mongodb_session_test.rb diff --git a/lib/inspec/resources/mongodb_session.rb b/lib/inspec/resources/mongodb_session.rb index 061aca735..99ac0c279 100644 --- a/lib/inspec/resources/mongodb_session.rb +++ b/lib/inspec/resources/mongodb_session.rb @@ -38,14 +38,15 @@ module Inspec::Resources @auth_mech_properties = opts[:auth_mech_properties] || {} @client = nil - fail_resource "Can't run MongoDB checks without authentication" unless user && @password - fail_resource "You must provide a database name for the session" unless database + fail_resource "Can't run MongoDB checks without authentication." unless user && @password + fail_resource "You must provide a database name for the session." unless database create_session end def query(command) raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}") rescue => e raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}" @@ -54,6 +55,8 @@ module Inspec::Resources private def create_session + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + options = { user: "#{user}", password: "#{@password}", database: "#{database}", @@ -69,7 +72,7 @@ module Inspec::Resources @client = Mongo::Client.new([ "#{host}:#{port}" ], options) rescue => e - raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}" + raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command. Error: #{e.message}" end end end 
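Review bot: The guard added at the top of `create_session` raises inside that method's `rescue => e`, so a validation message set by `fail_resource` comes back wrapped as "Can't run MongoDB command. Error: …" although no command was attempted. Leaving the method early keeps the original message intact: `return if resource_failed?`. The rescue string in `query` (first hunk, unchanged context) still reads "Can't run MongoDB command Error:" without the period that the last hunk adds in `create_session`, so the two messages now differ. The new unit test in this commit pins the wrapped text and would need the shorter message if the guard is changed.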
diff --git a/test/unit/resources/mongodb_session_test.rb b/test/unit/resources/mongodb_session_test.rb new file mode 100644 index 000000000..ae43e0aff --- /dev/null +++ b/test/unit/resources/mongodb_session_test.rb @@ -0,0 +1,17 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/mongodb_session" + +describe "Inspec::Resources::MongodbSession" do + it "fails when no user, password" do + resource = load_resource("mongodb_session", host: "localhost", port: 27017, database: "test") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: Can't run MongoDB checks without authentication." + end + + it "fails when no database name is provided" do + resource = load_resource("mongodb_session", user: "foo", password: "bar", host: "localhost", port: 27017) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: You must provide a database name for the session." + end +end From 4c6627fb730a0c2f73436e2b8f13c2b9e692bcde Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 24 Jun 2021 12:42:44 +0530 Subject: [PATCH 263/483] mongodb_session minor doc update Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/mongodb_session.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/mongodb_session.md b/docs-chef-io/content/inspec/resources/mongodb_session.md index 4d5754159..12f73da27 100644 --- a/docs-chef-io/content/inspec/resources/mongodb_session.md +++ b/docs-chef-io/content/inspec/resources/mongodb_session.md 
@@ -23,13 +23,13 @@ This resource is distributed along with Chef InSpec itself. You can use it autom A `mongodb_session` resource block declares the `user`, `password`, 'database' to use for the session, and then the command to be run: - describe mongodb_session(user: "username", password: "password").query(key: value) do + describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do its("params") { should match(/expected-result/) } end where -- `mongodb_session` declares a user and password, connecting locally, with permission to run the query +- `mongodb_session` declares a user, password and database, connecting locally, with permission to run the query. - `query` contains the query to be run. - `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test @@ -53,7 +53,7 @@ Defaults to `:scram` #### `auth_source` -Defaults to given database name. +Defaults to given database name. `database` name is mandatory. ### MongodDB query reference docs From 487fb5586c684a6721a0b9faf47c3c55cb3f993d Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 24 Jun 2021 14:44:29 +0530 Subject: [PATCH 264/483] Some minor docs changes Signed-off-by: Vasu1105 --- lib/inspec/resources/mongodb_session.rb | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/inspec/resources/mongodb_session.rb b/lib/inspec/resources/mongodb_session.rb index 99ac0c279..650d9fd8f 100644 --- a/lib/inspec/resources/mongodb_session.rb +++ b/lib/inspec/resources/mongodb_session.rb 
@@ -19,8 +19,18 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - desc "Use the mongodb_session InSpec audit resource to run database commands using MongoDB ruby client against a given database." + desc "Use the mongodb_session InSpec audit resource to run MongoDB command against a MongoDB Database." + example <<~EXAMPLE + # default values: + # host: "127.0.0.1" + # port: "27017" + # auth_source - default to database name + # auth_mech - :scram + describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "ian").params["users"].first["roles"].first do + its(["role"]) { should eq "readWrite" } + end + EXAMPLE attr_reader :user, :host, :port, :database, :params def initialize(opts = {}) From 781ead9257c37af0739ffd1889f0e6fa88312bae Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 24 Jun 2021 16:56:10 +0530 Subject: [PATCH 265/483] Added support for mssql conf resource Signed-off-by: Nikita Mathur --- .../inspec/resources/mssql_sys_conf.md | 60 +++++++++++++++++++ lib/inspec/resources.rb | 1 + lib/inspec/resources/mssql_sys_conf.rb | 50 ++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/mssql_sys_conf.md create mode 100644 lib/inspec/resources/mssql_sys_conf.rb diff --git a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md new file mode 100644 index 000000000..68e8e6f6f --- /dev/null +++ b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md 
@@ -0,0 +1,60 @@ ++++ +title = "mssql_sys_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "mssql_sys_conf" + identifier = "inspec/resources/os/mssql_sys_conf.md mssql_sys_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `mssql_sys_conf` Chef InSpec audit resource to test configuration of a Mssql database. + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +### Requirements + +You must have access to a database user that has access to the `SA` role. + +## Syntax + +A `mssql_sys_conf` resource block declares the configuration item name, user, and password to use. + + describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "value" } + its("value_configured") { should cmp "value" } + end + +where + +- `mssql_sys_conf` declares a config item, user, and password with permission to use `sys.configurations`. +- `its('value_in_use') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value +- `its('value_configured') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value + +### Optional Parameters + +`mssql_sys_conf` is based on `mssql_session`, and accepts all parameters that `mssql_session` accepts. + +#### `username` + +Defaults to `SA`. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test parameters set within the database view + + describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "0" } + its("value_configured") { should cmp "0" } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 1bdf0021d..e520d709d 100644 --- a/lib/inspec/resources.rb 
+++ b/lib/inspec/resources.rb @@ -75,6 +75,7 @@ require "inspec/resources/mongodb" require "inspec/resources/mongodb_conf" require "inspec/resources/mount" require "inspec/resources/mssql_session" +require "inspec/resources/mssql_sys_conf" require "inspec/resources/mysql" require "inspec/resources/mysql_conf" require "inspec/resources/mysql_session" diff --git a/lib/inspec/resources/mssql_sys_conf.rb b/lib/inspec/resources/mssql_sys_conf.rb new file mode 100644 index 000000000..a3d6a7b0d --- /dev/null +++ b/lib/inspec/resources/mssql_sys_conf.rb 
@@ -0,0 +1,50 @@ +# copyright: 2015, Vulcano Security GmbH + +require "inspec/resources/mssql_session" + +module Inspec::Resources + class MssqlSysConf < Inspec.resource(1) + name "mssql_sys_conf" + supports platform: "windows" + supports platform: "debian" + supports platform: "redhat" + supports platform: "suse" + + desc "Use the mssql_sys_conf InSpec audit resource to test the database system configurations for Mssql DB" + example <<~EXAMPLE + describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "0" } + its("value_configured") { should cmp "0" } + end + EXAMPLE + + attr_reader :mssql_session, :sql_query + + def initialize(conf_param_name, opts = {}) + opts[:username] ||= "SA" + @mssql_session = inspec.mssql_session(opts) + setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ") + determine_system_configurations(setting) + end + + def value_in_use + sql_query.row(0).column("value_in_use").value + end + + def value_configured + sql_query.row(0).column("value_configured").value + end + + def to_s + "MsSql DB Configuration" + end + + private + + def determine_system_configurations(setting) + @sql_query = mssql_session.query("SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = '#{setting}'") + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Errors fetching database system configurations for Mssql database: #{e}" + end + end +end \ No newline at end of file From 3b9a5c8956ace44825586dda42f99e8a53c79548 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 24 Jun 2021 18:51:40 +0530 Subject: [PATCH 266/483] Update postgresql resources to normalize it for platform supports 
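Review bot: `determine_system_configurations` builds its T-SQL by interpolating `setting` into `WHERE name = '#{setting}'`, and `setting` is the `conf_param_name` argument with only underscores replaced and words capitalized. A name containing a single quote (for example one that reaches the resource through a profile input) ends the string literal and changes the statement that the session runs. Doubling quotes before interpolation keeps the value a literal: `setting = setting.gsub("'", "''")`. Separately, `opts[:username] ||= "SA"` mutates the caller's hash and uses the key `:username` while the example in this file passes `user:`; whether `mssql_session` reads `:username` is not visible here and should be confirmed.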
Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres.rb | 32 ++++++++++++++++++++- lib/inspec/resources/postgres_hba_conf.rb | 3 +- lib/inspec/resources/postgres_ident_conf.rb | 3 +- lib/inspec/resources/postgres_session.rb | 9 ++++-- 4 files changed, 42 insertions(+), 5 deletions(-) diff --git a/lib/inspec/resources/postgres.rb b/lib/inspec/resources/postgres.rb index 21955e147..2b56ede3e 100644 --- a/lib/inspec/resources/postgres.rb +++ b/lib/inspec/resources/postgres.rb @@ -4,6 +4,8 @@ module Inspec::Resources class Postgres < Inspec.resource(1) name "postgres" supports platform: "unix" + supports platform: "windows" + desc "The 'postgres' resource is a helper for the 'postgres_conf', 'postgres_hba_conf', 'postgres_ident_conf' & 'postgres_session' resources. Please use those instead." attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster @@ -43,6 +45,12 @@ module Inspec::Resources @conf_dir = "/etc/postgresql/#{@version}/#{@cluster}" @data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}" end + elsif inspec.os.windows? + dir = "C:\\Program Files\\PostgreSQL" + @version = version_from_dir_windows(dir) + unless @version.to_s.empty? + @data_dir = "#{dir}\\#{@version}\\data\\" + end else @version = version_from_psql if @version.to_s.empty? @@ -84,7 +92,12 @@ module Inspec::Resources def version_from_psql return unless inspec.command("psql").exist? - inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip + version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") + if version.first.to_i >= 10 + version.first + else + version = "#{version[0]}.#{version[1]}" + end end def locate_data_dir_location_by_version(ver = @version) 
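Review bot: In `version_from_psql`, an empty `psql --version` result leaves `version` as an empty array, so `version.first.to_i` is 0 and the else branch returns the string `"."`. The callers' `@version.to_s.empty?` checks then accept `"."` as a detected version and build directory paths from it. Return nil for that case right after the `split`, e.g. `return if version.empty?`. The else branch's `version = "#{version[0]}.#{version[1]}"` also reassigns a local only to return it; the bare string expression is enough.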
@@ -125,6 +138,23 @@ module Inspec::Resources end end + def version_from_dir_windows(dir) + dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout + entries = dirs.lines.count + case entries + when 0 + warn "Could not determine version of installed PostgreSQL by inspecting #{dir}" + nil + when 1 + dir_to_version(dirs) + else + warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}" + first = dir_to_version(dirs.lines.first) + warn "Using the first version found: #{first}" + first + end + end + def dir_to_version(dir) dir.chomp.split("/").last end diff --git a/lib/inspec/resources/postgres_hba_conf.rb b/lib/inspec/resources/postgres_hba_conf.rb index 9a395d8a1..fbb5d920d 100644 --- a/lib/inspec/resources/postgres_hba_conf.rb +++ b/lib/inspec/resources/postgres_hba_conf.rb @@ -5,6 +5,7 @@ module Inspec::Resources class PostgresHbaConf < Inspec.resource(1) name "postgres_hba_conf" supports platform: "unix" + supports platform: "windows" desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.' example <<~EXAMPLE @@ -19,7 +20,7 @@ module Inspec::Resources # @todo add checks to ensure that we have data in our file def initialize(hba_conf_path = nil) - @conf_file = hba_conf_path || File.expand_path("pg_hba.conf", inspec.postgres.conf_dir) + @conf_file = hba_conf_path || File.join(inspec.postgres.conf_dir, "pg_hba.conf") @content = "" @params = {} read_content diff --git a/lib/inspec/resources/postgres_ident_conf.rb b/lib/inspec/resources/postgres_ident_conf.rb index db2a6fb77..05d80c8d2 100644 --- a/lib/inspec/resources/postgres_ident_conf.rb +++ b/lib/inspec/resources/postgres_ident_conf.rb 
@@ -5,6 +5,7 @@ module Inspec::Resources class PostgresIdentConf < Inspec.resource(1) name "postgres_ident_conf" supports platform: "unix" + supports platform: "windows" desc 'Use the postgres_ident_conf InSpec audit resource to test the client authentication data is controlled by a pg_ident.conf file.' example <<~EXAMPLE @@ -18,7 +19,7 @@ module Inspec::Resources attr_reader :params, :conf_file def initialize(ident_conf_path = nil) - @conf_file = ident_conf_path || File.expand_path("pg_ident.conf", inspec.postgres.conf_dir) + @conf_file = ident_conf_path || File.join(inspec.postgres.conf_dir, "pg_ident.conf") @content = nil @params = nil read_content diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 8d122588b..df073451e 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -54,6 +54,7 @@ module Inspec::Resources raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? psql_cmd = create_psql_cmd(query, db) + cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/) out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/ @@ -66,7 +67,7 @@ module Inspec::Resources private def test_connection - query("select now()") + query("select now()\;") end def escaped_query(query) @@ -75,7 +76,11 @@ module Inspec::Resources def create_psql_cmd(query, db = []) dbs = db.map { |x| "-d #{x}" }.join(" ") - "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" + if inspec.os.windows? + "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c '#{query}'" + else + "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" + end end end end From 74cbcc1c5aa9af401d664dba3aa5d24b7430ed4e Mon Sep 17 00:00:00 2001 
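Review bot: The Windows branch added to `create_psql_cmd` in `postgres_session.rb` places the raw `query` between single quotes (`-c '#{query}'`) instead of passing it through `escaped_query`, so a query that itself contains a single quote ends the quoting early and the remainder is parsed by the shell. The branch also omits the password altogether, so authentication on Windows depends on whatever the host happens to have configured. At minimum the quote should be escaped for the target shell, e.g. `-c '#{query.gsub("'", "''")}'` if the command runs under PowerShell (the hunk does not show which shell is used). `@user`, `@host` and `@port` are interpolated unquoted in both branches.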
From: Vasu1105 Date: Fri, 25 Jun 2021 13:29:23 +0530 Subject: [PATCH 267/483] Removed password authentication as it breaks for windows and it needs to be handle by user using postgress configuration files Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_session.rb | 11 ++++++++--- test/unit/resources/postgres_session_test.rb | 5 ----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index df073451e..5f7107292 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -40,12 +40,13 @@ module Inspec::Resources end EXAMPLE - def initialize(user, pass, host = nil, port = nil) + def initialize(user, pass = nil, host = nil, port = nil) @user = user || "postgres" + # passing PGPASSWORD does not work for windows so we are not making password as mandatory. User needs to hand it thorought the .pgpass file or trust authentication + # mechanisum of the PostgreSQL database. @pass = pass @host = host || "localhost" @port = port || 5432 - raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? test_connection end @@ -79,7 +80,11 @@ module Inspec::Resources if inspec.os.windows? "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c '#{query}'" else - "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" + if @pass.nil? + "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" + else + "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" + end end end end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index 2df7e39b1..9187b1a06 100644 --- a/test/unit/resources/postgres_session_test.rb +++ b/test/unit/resources/postgres_session_test.rb 
@@ -28,11 +28,6 @@ describe "Inspec::Resources::PostgresSession" do resource = load_resource("postgres_session", "myuser", "mypass") _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h localhost -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end - it "fails when no user, password" do - resource = load_resource("postgres_session", nil, nil, "localhost", 5432) - _(resource.resource_failed?).must_equal true - _(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication." - end it "fails when no connection established" do resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432) _(resource.resource_failed?).must_equal true From 964a5142f7905e10d15c78b7e6be36c09028373f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 25 Jun 2021 13:59:21 +0530 Subject: [PATCH 268/483] Revert changes for password authentication removal Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres.rb | 11 ++++++++--- lib/inspec/resources/postgres_session.rb | 16 +++++----------- test/unit/resources/postgres_session_test.rb | 19 ++++++++++++------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/lib/inspec/resources/postgres.rb b/lib/inspec/resources/postgres.rb index 2b56ede3e..26f0b02db 100644 --- a/lib/inspec/resources/postgres.rb +++ b/lib/inspec/resources/postgres.rb @@ -47,7 +47,7 @@ module Inspec::Resources end elsif inspec.os.windows? dir = "C:\\Program Files\\PostgreSQL" - @version = version_from_dir_windows(dir) + @version = version_from_psql || version_from_dir_windows(dir) unless @version.to_s.empty? @data_dir = "#{dir}\\#{@version}\\data\\" end 
@@ -92,11 +92,16 @@ module Inspec::Resources def version_from_psql return unless inspec.command("psql").exist? - version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") + if inspec.os.windows? + version = inspec.command("psql --version | awk '{ print $NF }'").stdout.strip.split(".") + else + version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") + end + if version.first.to_i >= 10 version.first else - version = "#{version[0]}.#{version[1]}" + "#{version[0]}.#{version[1]}" end end diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 5f7107292..c2a401137 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -42,11 +42,10 @@ module Inspec::Resources def initialize(user, pass = nil, host = nil, port = nil) @user = user || "postgres" - # passing PGPASSWORD does not work for windows so we are not making password as mandatory. User needs to hand it thorought the .pgpass file or trust authentication - # mechanisum of the PostgreSQL database. @pass = pass @host = host || "localhost" @port = port || 5432 + raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? test_connection end @@ -55,8 +54,7 @@ module Inspec::Resources raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? psql_cmd = create_psql_cmd(query, db) - - cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/) + cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)}) out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}" 
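Review bot: The Windows branch added to `version_from_psql` in `postgres.rb` pipes `psql --version` through `awk`, which is not part of a stock Windows install. When `awk` is missing the output is empty and the method falls through to return `"."`, which the `||` in the first hunk treats as a found version, so `version_from_dir_windows` is never tried. Parsing in Ruby works on both platforms and removes the pipe: `version = inspec.command("psql --version").stdout[/\d+(\.\d+)*/].to_s.split(".")`, followed by `return if version.empty?`.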
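Review bot: The new `redact_regex: %r{(:\/\/[a-z]*:).*(@)}` in `postgres_session.rb` only matches a user name made of lowercase ASCII letters, so for a user such as `app_user1` or `Admin` the pattern does not match and the password in the `postgresql://user:pass@host` string built by `create_psql_cmd` (next hunk) stays unredacted wherever the command text is shown. The greedy `.*` also runs to the last `@` in the command, which can swallow the host and part of the query. A pattern that does not depend on the user's alphabet is safer: `redact_regex: %r{(://[^:/@\s]*:)[^@\s]*(@)}`. The updated unit test only exercises `myuser`, so it does not catch this.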
@@ -76,15 +74,11 @@ module Inspec::Resources end def create_psql_cmd(query, db = []) - dbs = db.map { |x| "-d #{x}" }.join(" ") + dbs = db.map { |x| "#{x}" }.join(" ") if inspec.os.windows? - "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c '#{query}'" + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\"" else - if @pass.nil? - "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" - else - "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" - end + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}" end end end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index 9187b1a06..3ce815737 100644 --- a/test/unit/resources/postgres_session_test.rb +++ b/test/unit/resources/postgres_session_test.rb 
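Review bot: `create_psql_cmd` now interpolates `@user`, `@pass`, `@host` and the database names into `postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs}` with neither percent-encoding nor shell quoting, so a password containing `@`, `/`, `:` or a shell metacharacter produces a different URI or is interpreted by the shell. The password also becomes part of psql's argument list, which on most systems other local users can read. Percent-encode the user and password and pass the assembled URI through the escaping already used for the query, e.g. `-d #{escaped_query(uri)}`. On the Windows branch the raw `query` sits inside `\"…\"` without escaping, and `dbs` joins several names with a space, which cannot form a valid URI path.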
@@ -6,27 +6,32 @@ require "inspec/resources/command" describe "Inspec::Resources::PostgresSession" do it "verify postgres_session create_psql_cmd with a basic query" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432) - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end it "verify postgres_session escaped_query with a complex query" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432) - _(resource.send(:create_psql_cmd, "SELECT current_setting('client_min_messages')", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)" + _(resource.send(:create_psql_cmd, "SELECT current_setting('client_min_messages')", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)" end it "verify postgres_session redacts output" do - cmd = %q{PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c "SELECT current_setting('client_min_messages')"} - options = { redact_regex: /(PGPASSWORD=').+(' psql .*)/ } + cmd = %q{psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c "SELECT current_setting('client_min_messages')"} + options = { redact_regex: %r{(:\/\/[a-z]*:).*(@)} } resource = load_resource("command", cmd, options) - expected_to_s = %q{Command: `PGPASSWORD='REDACTED' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c "SELECT current_setting('client_min_messages')"`} + expected_to_s = %q{Command: `psql -d 
postgresql://myuser:REDACTED@127.0.0.1:5432/testdb -A -t -w -c "SELECT current_setting('client_min_messages')"`} _(resource.to_s).must_equal(expected_to_s) end it "verify postgres_session works with empty port value" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1") - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end it "verify postgres_session works with empty host and port value" do resource = load_resource("postgres_session", "myuser", "mypass") - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h localhost -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@localhost:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + end + it "fails when no user, password" do + resource = load_resource("postgres_session", nil, nil, "localhost", 5432) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication." end it "fails when no connection established" do resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432) From 56b8037c14f3c63bfceaf08ed99cfb4078b12c16 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 25 Jun 2021 18:17:01 +0530 Subject: [PATCH 269/483] Access change in doc for mssql Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/mssql_sys_conf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md index 68e8e6f6f..3ecadf9e6 100644 --- a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md +++ b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md @@ -19,7 +19,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ### Requirements -You must have access to a database user that has access to the `SA` role. +You must have database access. ## Syntax From 80b00794d55e03bea4f0e30b2bcf01376169e64a Mon Sep 17 00:00:00 2001 From: Ashish Nepal Date: Sat, 26 Jun 2021 20:30:57 +0100 Subject: [PATCH 270/483] add aliyun3 support --- lib/inspec/resources/service.rb | 6 ++++++ test/helpers/mock_loader.rb | 1 + test/unit/resources/service_test.rb | 13 +++++++++++++ 3 files changed, 20 insertions(+) diff --git a/lib/inspec/resources/service.rb b/lib/inspec/resources/service.rb index f49a72e4f..9edf7ee67 100644 --- a/lib/inspec/resources/service.rb +++ b/lib/inspec/resources/service.rb @@ -152,6 +152,12 @@ module Inspec::Resources else SysV.new(inspec, service_ctl || "/sbin/service") end + when "alibaba" + if os[:release].to_i >= 3 + Systemd.new(inspec, service_ctl) + else + SysV.new(inspec, service_ctl || "/sbin/service") + end when "wrlinux" SysV.new(inspec, service_ctl) when "mac_os_x", "darwin" diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 300540fa4..ca02e3e61 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -34,6 +34,7 @@ class MockLoader aix: { name: "aix", family: "aix", release: "7.2", arch: "powerpc" }, amazon: { name: "amazon", family: "redhat", release: "2015.03", arch: "x86_64" }, amazon2: { name: "amazon", family: "redhat", release: "2", arch: "x86_64" }, + aliyun3: { name: "alibaba", family: "redhat", release: "3", arch: "x86_64" }, yocto: { name: "yocto", family: "yocto", release: "0.0.1", arch: "aarch64" }, undefined: { name: nil, family: nil, release: nil, arch: nil }, } diff --git a/test/unit/resources/service_test.rb b/test/unit/resources/service_test.rb index a7a3ca141..7f0c28e5e 100644 --- a/test/unit/resources/service_test.rb +++ b/test/unit/resources/service_test.rb @@ -152,6 +152,19 @@ describe "Inspec::Resources::Service" do _(resource.params).must_equal params end + # Aliyun Linux 3 (Alibaba) + it "verify aliyun linux 3 service parsing" do + resource = MockLoader.new(:aliyun3).load_resource("service", "sshd") + params = Hashie::Mash.new({ "ActiveState" => "active", "Description" => "OpenSSH server daemon", "Id" => "sshd.service", "LoadState" => "loaded", "Names" => "sshd.service", "SubState" => "running", "UnitFileState" => "enabled" }) + _(resource.type).must_equal "systemd" + _(resource.name).must_equal "sshd.service" + _(resource.description).must_equal "OpenSSH server daemon" + _(resource.installed?).must_equal true + _(resource.enabled?).must_equal true + _(resource.running?).must_equal true + _(resource.params).must_equal params + end + # centos 6 with sysv it "verify centos 6 service parsing" do resource = MockLoader.new(:centos6).load_resource("service", "sshd") From 5528315d28c60c685d77dd3cc4a61a0979e23a9f Mon Sep 17 00:00:00 2001 From: jayashri garud Date: Mon, 28 Jun 2021 15:34:33 +0530 Subject: [PATCH 271/483] Updating expeditor configuration Signed-off-by: jayashri garud --- .expeditor/config.yml | 171 +++++++++++++++++++++--------------------- 1 file changed, 86 insertions(+), 85 deletions(-) 
diff --git a/.expeditor/config.yml b/.expeditor/config.yml index 8cd71cb6e..93d7ab958 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -70,7 +70,8 @@ github: minor_bump_labels: - "Expeditor: Bump Minor Version" version_tag_format: v{{version}} - release_branch: + +release_branches: - master: version_constraint: 4.* - 1-stable: 
@@ -90,88 +91,88 @@ changelog: - "Type: Enhancement": "Enhancements" - "Type: Bug": "Bug Fixes" -merge_actions: - - built_in:bump_version: - ignore_labels: - - "Expeditor: Skip All" - - "Expeditor: Skip Version Bump" - only_if_modified: - - .expeditor/* - - docs-chef-io/* - - etc/* - - habitat/* - - inspec-bin/* - - lib/* - - omnibus/* - - support/* - - tasks/* - - test/* - - Gemfile* - - LICENSE - - "*.gemspec" - - "*.md" - - bash:.expeditor/update_version.sh: - only_if: built_in:bump_version - - built_in:update_changelog: - ignore_labels: - - "Expeditor: Skip All" - - "Expeditor: Skip Changelog" - - trigger_pipeline:omnibus/adhoc: - not_if: built_in:bump_version - ignore_labels: - - "Expeditor: Skip Omnibus" - - "Expeditor: Skip All" - - trigger_pipeline:artifact/habitat: - only_if: built_in:bump_version - ignore_labels: - - "Expeditor: Skip Habitat" - - "Expeditor: Skip All" - - trigger_pipeline:omnibus/release: - only_if: built_in:bump_version - ignore_labels: - - "Expeditor: Skip Omnibus" - - "Expeditor: Skip All" - - trigger_pipeline:habitat/build: - only_if: built_in:bump_version - ignore_labels: - - "Expeditor: Skip Habitat" - - "Expeditor: Skip All" - - built_in:build_gem: - only_if: - - built_in:bump_version - subscriptions: - - workload: artifact_published:unstable:inspec:{{version_constraint}} - actions: - - trigger_pipeline:docker/build - - bash:.expeditor/buildkite/wwwrelease.sh: - post_commit: true - - workload: artifact_published:current:inspec:{{version_constraint}} - actions: - - built_in:promote_docker_images - - built_in:promote_habitat_packages - - workload: artifact_published:stable:inspec:{{version_constraint}} - actions: - - bash:.expeditor/update_dockerfile.sh - - built_in:rollover_changelog - - built_in:publish_rubygems - - built_in:create_github_release - - built_in:promote_docker_images - - built_in:promote_habitat_packages - - bash:.expeditor/publish-release-notes.sh: - post_commit: true - - 
purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest: - post_commit: true - - bash:.expeditor/announce-release.sh: - post_commit: true - - built_in:notify_chefio_slack_channels - - workload: pull_request_opened:{{agent_id}}:* - actions: - - post_github_comment:.expeditor/templates/pull_request.mustache: - ignore_team_members: - - inspec/owners - - inspec/inspec-core-team - - built_in:github_auto_assign_author: - only_if_team_member: - - inspec/owners - - inspec/inspec-core-team + - workload: pull_request_merged:{{github_repo}}:{{release_branch}}:* + actions: + - built_in:bump_version: + ignore_labels: + - "Expeditor: Skip All" + - "Expeditor: Skip Version Bump" + only_if_modified: + - .expeditor/* + - docs-chef-io/* + - etc/* + - habitat/* + - inspec-bin/* + - lib/* + - omnibus/* + - support/* + - tasks/* + - test/* + - Gemfile* + - LICENSE + - "*.gemspec" + - "*.md" + - bash:.expeditor/update_version.sh: + only_if: built_in:bump_version + - built_in:update_changelog: + ignore_labels: + - "Expeditor: Skip All" + - "Expeditor: Skip Changelog" + - trigger_pipeline:omnibus/adhoc: + not_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Omnibus" + - "Expeditor: Skip All" + - trigger_pipeline:artifact/habitat: + only_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Habitat" + - "Expeditor: Skip All" + - trigger_pipeline:omnibus/release: + only_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Omnibus" + - "Expeditor: Skip All" + - trigger_pipeline:habitat/build: + only_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Habitat" + - "Expeditor: Skip All" + - built_in:build_gem: + only_if: + - built_in:bump_version + - workload: artifact_published:unstable:inspec:{{version_constraint}} + actions: + - trigger_pipeline:docker/build + - bash:.expeditor/buildkite/wwwrelease.sh: + post_commit: true + - workload: artifact_published:current:inspec:{{version_constraint}} + actions: + - built_in:promote_docker_images 
+ - built_in:promote_habitat_packages + - workload: artifact_published:stable:inspec:{{version_constraint}} + actions: + - bash:.expeditor/update_dockerfile.sh + - built_in:rollover_changelog + - built_in:publish_rubygems + - built_in:create_github_release + - built_in:promote_docker_images + - built_in:promote_habitat_packages + - bash:.expeditor/publish-release-notes.sh: + post_commit: true + - purge_packages_chef_io_fastly:{{target_channel}}/inspec/latest: + post_commit: true + - bash:.expeditor/announce-release.sh: + post_commit: true + - built_in:notify_chefio_slack_channels + - workload: pull_request_opened:{{github_repo}}:{{release_branch}}:* + actions: + - post_github_comment:.expeditor/templates/pull_request.mustache: + ignore_team_members: + - inspec/owners + - inspec/inspec-core-team + - built_in:github_auto_assign_author: + only_if_team_member: + - inspec/owners + - inspec/inspec-core-team \ No newline at end of file From 01baf2f7c0f3ed677ab8ff3a16ef6def4329e150 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 29 Jun 2021 04:48:32 +0000 Subject: [PATCH 272/483] Bump version to 4.38.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8cbd4f6e..f9cfc1ce3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-06-23) + +## [v4.38.4](https://github.com/inspec/inspec/tree/v4.38.4) (2021-06-29) #### Merged Pull Requests -- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) ### Changes since 4.37.30 release #### Merged Pull Requests +- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) - Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) - Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) diff --git a/VERSION b/VERSION index 0a91b4d78..098c862af 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.3 \ No newline at end of file +4.38.4 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 18e14821d..99fbf5345 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.3".freeze + VERSION = "4.38.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 76afa2e2e..b7ae9a45c 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.3".freeze + VERSION = "4.38.4".freeze end From 89610eb56981e3d0354c1b04ec60b196202d6156 Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Tue, 29 Jun 2021 12:00:35 +0530 Subject: [PATCH 273/483] Fixed review comments Signed-off-by: Vasu1105 --- Gemfile | 2 -- .../inspec/resources/mongodb_session.md | 22 ++++++++++++++++++- inspec.gemspec | 1 + 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 59c84ce9b..82d4eabb3 100644 --- a/Gemfile +++ b/Gemfile @@ -20,8 +20,6 @@ end # but our runtime dep is still 3.9+ gem "rspec", ">= 3.10" -gem "mongo" - def probably_x86? # We don't currently build on ARM windows, so assume x86 there return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/ diff --git a/docs-chef-io/content/inspec/resources/mongodb_session.md b/docs-chef-io/content/inspec/resources/mongodb_session.md index 12f73da27..2d4e37d66 100644 --- a/docs-chef-io/content/inspec/resources/mongodb_session.md +++ b/docs-chef-io/content/inspec/resources/mongodb_session.md 
@@ -49,12 +49,32 @@ Defaults to `27017` #### `auth_mech` -Defaults to `:scram` +Defaults to `:scram`. The available opitions are `:scram256`, `:mongodb_x509`, `:aws`. Refer this [docs](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/) for more understanding about these options. #### `auth_source` Defaults to given database name. `database` name is mandatory. +#### `ssl` + +Defaults to false. Set `true ` to use ssl transport. For ssl realted options also refer to this [docs](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/#client-certificate-x-509) for more understanding. + +#### 'ssl_cert' + +Path to ssl certificate file. + +#### `ssl_ca_cert` + +Path to ssl ca cert file. + +#### `ssl_key` + +Path to ssl key file. + +#### `auth_mech_properties` + +This accepts hash of authetication mechanism properties. This option is generally used with `aws` auth mechanism. Example of this is given in this docs [here](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/#aws) + ### MongodDB query reference docs This resource is using mongo ruby driver to fetch the data. diff --git a/inspec.gemspec b/inspec.gemspec index 85d6fd3fc..6ada2c46f 100644 --- a/inspec.gemspec +++ b/inspec.gemspec @@ -33,4 +33,5 @@ Gem::Specification.new do |spec| spec.add_dependency "train-habitat", "~> 0.1" spec.add_dependency "train-aws", "~> 0.1" spec.add_dependency "train-winrm", "~> 0.2" + spec.add_dependency "mongo" end From 948a5c7efd7eeadac6b62ad7d814216edf737706 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 29 Jun 2021 12:05:23 +0530 Subject: [PATCH 274/483] Review changes - Removed copyright line from resource Signed-off-by: Nikita Mathur --- lib/inspec/resources/mssql_sys_conf.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/inspec/resources/mssql_sys_conf.rb b/lib/inspec/resources/mssql_sys_conf.rb index a3d6a7b0d..c1fae8db7 100644 --- a/lib/inspec/resources/mssql_sys_conf.rb 
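Review bot: `spec.add_dependency "mongo"` in `inspec.gemspec` carries no version requirement, while the neighbouring runtime dependencies are held to a pessimistic range (`"~> 0.1"`, `"~> 0.2"`), so every install resolves to whatever mongo release is newest at that moment, including a future major version. Constrain it to the series the resource was tested against, e.g. `spec.add_dependency "mongo", "~> X.Y"` (X.Y is a placeholder; the tested version is not shown on this page). Moving the gem from the Gemfile into the gemspec also makes it a runtime dependency for every user of the gem, not only those who use `mongodb_session`, which is worth recording in the commit message.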
+++ b/lib/inspec/resources/mssql_sys_conf.rb @@ -1,5 +1,3 @@ -# copyright: 2015, Vulcano Security GmbH - require "inspec/resources/mssql_session" module Inspec::Resources From f921c25efccf9e2ad9628680d3558f18a102ea8b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 24 Jun 2021 01:40:50 +0530 Subject: [PATCH 275/483] Oracle_db_conf and oracle_listener_conf changes, test cases and doc added Signed-off-by: Nikita Mathur --- .../inspec/resources/oracle_db_conf.md | 36 ++++++ .../inspec/resources/oracle_listener_conf.md | 36 ++++++ lib/inspec/resources.rb | 3 + lib/inspec/resources/oracle.rb | 58 +++++++++ lib/inspec/resources/oracle_db_conf.rb | 42 +++++++ lib/inspec/resources/oracle_listener_conf.rb | 118 ++++++++++++++++++ .../cmd/fetch-oracle-listener-in-linux | 1 + .../cmd/fetch-oracle-listener-in-windows | 2 + test/fixtures/files/listener.ora | 2 + test/helpers/mock_loader.rb | 4 + .../resources/oracle_listener_conf_test.rb | 17 +++ 11 files changed, 319 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/oracle_db_conf.md create mode 100644 docs-chef-io/content/inspec/resources/oracle_listener_conf.md create mode 100644 lib/inspec/resources/oracle.rb create mode 100644 lib/inspec/resources/oracle_db_conf.rb create mode 100644 lib/inspec/resources/oracle_listener_conf.rb create mode 100644 test/fixtures/cmd/fetch-oracle-listener-in-linux create mode 100644 test/fixtures/cmd/fetch-oracle-listener-in-windows create mode 100644 test/fixtures/files/listener.ora create mode 100644 test/unit/resources/oracle_listener_conf_test.rb diff --git a/docs-chef-io/content/inspec/resources/oracle_db_conf.md b/docs-chef-io/content/inspec/resources/oracle_db_conf.md new file mode 100644 index 000000000..e2b26e623 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/oracle_db_conf.md 
@@ -0,0 +1,36 @@ ++++ +title = "oracle_db_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "oracle_db_conf" + identifier = "inspec/resources/os/oracle_db_conf.md oracle_db_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `oracle_db_conf` Chef InSpec audit resource to test the database system parameters defined in oracle database view `V$SYSTEM_PARAMETER`. These parameters are accessed through oracle session via SQL query. The permission of this `V$SYSTEM_PARAMETER` view is only limited to the DBA by default. + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `oracle_db_conf` resource block declares system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: + + # Test parameters set within the database view + describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + its("audit_sys_operations") { should cmp "true" } + its("sql92_security") { should cmp "true" } + end + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). \ No newline at end of file diff --git a/docs-chef-io/content/inspec/resources/oracle_listener_conf.md b/docs-chef-io/content/inspec/resources/oracle_listener_conf.md new file mode 100644 index 000000000..907229600 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/oracle_listener_conf.md 
@@ -0,0 +1,36 @@ ++++ +title = "oracle_listener_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "oracle_listener_conf" + identifier = "inspec/resources/os/oracle_listener_conf.md oracle_listener_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `oracle_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform. + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `oracle_listener_conf` resource block declares oracle listeners settings in the `listener.ora` file, and then compares the listeners settings in file to the value stated in the test: + + # Test parameters set within the listener file + describe oracle_listener_conf do + its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } + its('EM_EXPRESS_PORT') { should eq '5500' } + end + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). \ No newline at end of file diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 1bdf0021d..046e67f85 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -83,6 +83,9 @@ require "inspec/resources/nginx_conf" require "inspec/resources/npm" require "inspec/resources/ntp_conf" require "inspec/resources/oneget" +require "inspec/resources/oracle" +require "inspec/resources/oracle_db_conf" +require "inspec/resources/oracle_listener_conf" require "inspec/resources/oracledb_session" require "inspec/resources/os" require "inspec/resources/os_env" diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb new file mode 100644 index 000000000..9c39377d4 --- /dev/null 
+++ b/lib/inspec/resources/oracle.rb @@ -0,0 +1,58 @@ +# copyright: 2015, Vulcano Security GmbH + +require "inspec/resources/powershell" + +module Inspec::Resources + class Oracle < Inspec.resource(1) + name "oracle" + supports platform: "unix" + supports platform: "windows" + + desc "The 'oracle' resource is a helper for the 'oracle_listener_conf'" + + attr_reader :conf_path + + def initialize + case inspec.os[:family] + when "debian", "redhat", "linux", "suse" + determine_conf_dir_and_path_in_linux + when "windows" + determine_conf_dir_and_path_in_windows + end + end + + def to_s + "OracleDB" + end + + private + + def determine_conf_dir_and_path_in_linux + conf_files = inspec.command("sudo find / -type f -wholename '*network/admin/listener.ora'").stdout.lines + if conf_files.empty? + warn "No oracle listener settings found in $ORACLE_HOME/network/admin" + nil + else + first = conf_files.first.chomp + warn "Multiple oracle listener settings found" if conf_files.count > 1 + @conf_path = first + end + rescue => e + fail_resource "Errors reading listener settings: #{e}" + end + + def determine_conf_dir_and_path_in_windows + conf_files = inspec.command("Get-ChildItem C:\\ -Filter *listener.ora -Recurse | % { $_.FullName }").stdout.lines + if conf_files.empty? + warn "No oracle listener settings found in $ORACLE_HOME\\network\\admin" + nil + else + first = conf_files.select { |line| line.include? "network\\admin\\listener.ora" }.first&.chomp + warn "Multiple oracle listener settings found" if conf_files.count > 1 + @conf_path = first + end + rescue => e + fail_resource "Errors reading listener settings: #{e}" + end + end +end diff --git a/lib/inspec/resources/oracle_db_conf.rb b/lib/inspec/resources/oracle_db_conf.rb new file mode 100644 index 000000000..8d059ff1f --- /dev/null +++ b/lib/inspec/resources/oracle_db_conf.rb 
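Review bot: Both discovery helpers walk the whole filesystem (`sudo find / ...` and `Get-ChildItem C:\ ... -Recurse`) and keep the first match, so the file that gets audited is whichever `network/admin/listener.ora` the walk returns first, not necessarily the one the running listener reads; a second Oracle home or a copied tree would be checked instead, with only a "Multiple oracle listener settings found" warning. The Linux command also hard-codes `sudo`, which fails or blocks on targets without passwordless sudo, and the scan runs inside `initialize` on every use of the resource. Resolving the path from the Oracle home first, e.g. `inspec.os_env("ORACLE_HOME").content`, and falling back to the search only when that is unset would make the result deterministic. On the Windows branch `first&.chomp` can be nil while `conf_files` is non-empty, which leaves `@conf_path` nil without any warning.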
@@ -0,0 +1,42 @@ +# copyright: 2015, Vulcano Security GmbH + +require "inspec/resources/oracledb_session" + +module Inspec::Resources + class OracleDbConf < Inspec.resource(1) + name "oracle_db_conf" + supports platform: "unix" + supports platform: "windows" + desc "Use the oracle_db_conf InSpec audit resource to test the database settings for Oracle DB" + example <<~EXAMPLE + describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + its("audit_sys_operations") { should cmp "true" } + its("sql92_security") { should cmp "true" } + end + EXAMPLE + + attr_reader :oracledb_session + + def initialize(opts = {}) + @oracledb_session = inspec.oracledb_session(opts) + end + + def method_missing(name) + setting = name.to_s.upcase + determine_database_setting(setting) + end + + def to_s + "Oracle DB Configuration" + end + + private + + def determine_database_setting(setting) + sql_query = oracledb_session.query("SELECT UPPER(VALUE) AS UPPER_VALUE FROM V$SYSTEM_PARAMETER WHERE UPPER(NAME) = '#{setting}'") + sql_query.row(0).column("UPPER_VALUE").value + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Errors fetching database settings for Oracle database: #{e}" + end + end +end diff --git a/lib/inspec/resources/oracle_listener_conf.rb b/lib/inspec/resources/oracle_listener_conf.rb new file mode 100644 index 000000000..8226dc7d0 --- /dev/null +++ b/lib/inspec/resources/oracle_listener_conf.rb 
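Review bot: `method_missing` upper-cases whatever method name it receives and `determine_database_setting` splices it into the SQL text (`... WHERE UPPER(NAME) = '#{setting}'`), so a name containing a quote or other SQL syntax changes the statement that is sent. The name comes from the profile rather than from remote input, but profiles are often third-party content, so it should be restricted to identifier characters before the query is built, with everything else falling through to `super`. The class also defines no `respond_to_missing?` to match; a sketch of both follows.

```ruby
def method_missing(name)
  setting = name.to_s.upcase
  # Parameter names are plain identifiers; anything else is not a setting lookup.
  return super unless setting.match?(/\A[A-Z0-9_]+\z/)

  determine_database_setting(setting)
end

def respond_to_missing?(name, include_private = false)
  name.to_s.match?(/\A[A-Za-z0-9_]+\z/) || super
end

# … unchanged: to_s, determine_database_setting …
```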
@@ -0,0 +1,118 @@ +# copyright: 2015, Vulcano Security GmbH + +require "inspec/utils/object_traversal" +require "inspec/utils/simpleconfig" +require "inspec/utils/find_files" +require "inspec/utils/file_reader" +require "inspec/resources/oracle" + +module Inspec::Resources + class OracleListenerConf < Inspec.resource(1) + name "oracle_listener_conf" + supports platform: "unix" + supports platform: "windows" + desc "Use the oracle_listener_conf InSpec audit resource to test the listener settings for Oracle DB" + example <<~EXAMPLE + describe oracle_listener_conf do + its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } + end + EXAMPLE + + include FindFiles + include FileReader + include ObjectTraverser + + def initialize(conf_path = nil) + @conf_path = conf_path || inspec.oracle.conf_path + if inspec.oracle.resource_failed? + raise inspec.oracle.resource_exception_message + elsif @conf_path.nil? + return skip_resource "Oracle Listener conf path is not set" + end + + @conf_dir = File.expand_path(File.dirname(@conf_path)) + @files_contents = {} + @content = nil + @params = nil + read_content + end + + def content + @content ||= read_content + end + + def params(*opts) + @params || read_content + res = @params + opts.each do |opt| + res = res[opt] unless res.nil? + end + res + end + + def value(key) + extract_value(key, @params) + end + + def method_missing(*keys) + keys.shift if keys.is_a?(Array) && keys[0] == :[] + param = value(keys) + return nil if param.nil? + # extract first value if we have only one value in array + return param[0] if param.length == 1 + + param + end + + def to_s + "Oracle Listener Configuration" + end + + private + + def read_content + @content = "" + @params = {} + + to_read = [@conf_path] + until to_read.empty? 
+ base_dir = File.dirname(to_read[0]) + raw_conf = read_file(to_read[0]) + @content += raw_conf + + opts = { + assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/, + } + params = SimpleConfig.new(raw_conf, opts).params + @params.merge!(params) + + to_read = to_read.drop(1) + # see if there is more config files to include + + to_read += include_files(params, base_dir).find_all do |fp| + not @files_contents.key? fp + end + end + @content + end + + def include_files(params, base_dir) + include_files = Array(params["include"]) || [] + include_files += Array(params["include_if_exists"]) || [] + include_files.map! do |f| + Pathname.new(f).absolute? ? f : File.join(base_dir, f) + end + + dirs = Array(params["include_dir"]) || [] + dirs.each do |dir| + dir = File.join(base_dir, dir) if dir[0] != "/" + include_files += find_files(dir, depth: 1, type: "file") + end + include_files + end + + def read_file(path) + @files_contents[path] ||= read_file_content(path) + end + end +end diff --git a/test/fixtures/cmd/fetch-oracle-listener-in-linux b/test/fixtures/cmd/fetch-oracle-listener-in-linux new file mode 100644 index 000000000..a10d27868 --- /dev/null +++ b/test/fixtures/cmd/fetch-oracle-listener-in-linux @@ -0,0 +1 @@ +/opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora \ No newline at end of file diff --git a/test/fixtures/cmd/fetch-oracle-listener-in-windows b/test/fixtures/cmd/fetch-oracle-listener-in-windows new file mode 100644 index 000000000..4f9195b79 --- /dev/null +++ b/test/fixtures/cmd/fetch-oracle-listener-in-windows @@ -0,0 +1,2 @@ +C:\app\Administrator\product\18.0.0\dbhomeXE\network\admin\listener.ora +C:\app\Administrator\product\18.0.0\dbhomeXE\network\admin\sample\listener.ora \ No newline at end of file diff --git a/test/fixtures/files/listener.ora b/test/fixtures/files/listener.ora new file mode 100644 index 000000000..1fe2562cc --- /dev/null +++ b/test/fixtures/files/listener.ora 
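Review bot: `initialize` consults `inspec.oracle` even when the caller passes `conf_path`: the `inspec.oracle.resource_failed?` check runs unconditionally, so an explicit path still triggers the filesystem-wide discovery in the `oracle` helper, and a failure there aborts a resource that did not need it. The repeated `inspec.oracle` calls also appear to build a fresh helper each time, which would repeat the scan. Consult the helper only when no path was given and keep a single instance, as sketched below. `method_missing(*keys)` in this class likewise has no `respond_to_missing?` counterpart.

```ruby
def initialize(conf_path = nil)
  @conf_path = conf_path
  if @conf_path.nil?
    # Run the discovery helper once, and only when no path was supplied.
    oracle = inspec.oracle
    raise oracle.resource_exception_message if oracle.resource_failed?

    @conf_path = oracle.conf_path
  end
  return skip_resource "Oracle Listener conf path is not set" if @conf_path.nil?

  # … unchanged: @conf_dir, @files_contents, @content, @params, read_content …
end
```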
@@ -0,0 +1,2 @@ +EM_EXPRESS_PORT = 5500 +DEFAULT_SERVICE_LISTENER = XE \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 300540fa4..c2662a724 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -111,6 +111,8 @@ class MockLoader "/etc/mysql/my.cnf" => mockfile.call("mysql.conf"), "/etc/mysql/mysql2.conf" => mockfile.call("mysql2.conf"), "/etc/mongod.conf" => mockfile.call("mongod.conf"), + "network/admin/listener.ora" => mockfile.call("listener.ora"), + "network\\admin\\listener.ora" => mockfile.call("listener.ora"), "/etc/rabbitmq/rabbitmq.config" => mockfile.call("rabbitmq.config"), "kitchen.yml" => mockfile.call("kitchen.yml"), "example.csv" => mockfile.call("example.csv"), @@ -483,6 +485,8 @@ class MockLoader # oracle "sh -c 'type \"sqlplus\"'" => cmd.call("oracle-cmd"), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call("oracle-result"), + "sudo find / -type f -wholename '*network/admin/listener.ora'" => cmd.call("fetch-oracle-listener-in-linux"), + "Get-ChildItem C:\\ -Filter *listener.ora -Recurse | % { $_.FullName }" => cmd.call("fetch-oracle-listener-in-windows"), # nginx mock cmd %{nginx -V 2>&1} => cmd.call("nginx-v"), %{/usr/sbin/nginx -V 2>&1} => cmd.call("nginx-v"), diff --git a/test/unit/resources/oracle_listener_conf_test.rb b/test/unit/resources/oracle_listener_conf_test.rb new file mode 100644 index 000000000..ab02ccc5d --- /dev/null +++ b/test/unit/resources/oracle_listener_conf_test.rb 
@@ -0,0 +1,17 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/oracle_listener_conf" + +describe "Inspec::Resources::OracleListenerConf" do + it "verify listener settings of oracle DB in linux" do + resource = MockLoader.new(:centos7).load_resource("oracle_listener_conf", "network/admin/listener.ora") + _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" + _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" + end + + it "verify listener settings of oracle DB in windows" do + resource = MockLoader.new(:windows).load_resource("oracle_listener_conf", "network\\admin\\listener.ora") + _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" + _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" + end +end From ffc4ebdbf57934025597c158f1f1c62705f14e9d Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 24 Jun 2021 16:41:20 +0530 Subject: [PATCH 276/483] Docs additional edits for oracle conf Signed-off-by: Nikita Mathur --- .../inspec/resources/oracle_db_conf.md | 27 ++++++++++++++----- .../inspec/resources/oracle_listener_conf.md | 21 ++++++++++----- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/oracle_db_conf.md b/docs-chef-io/content/inspec/resources/oracle_db_conf.md index e2b26e623..5635ab710 100644 --- a/docs-chef-io/content/inspec/resources/oracle_db_conf.md +++ b/docs-chef-io/content/inspec/resources/oracle_db_conf.md 
@@ -11,26 +11,39 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `oracle_db_conf` Chef InSpec audit resource to test the database system parameters defined in oracle database view `V$SYSTEM_PARAMETER`. These parameters are accessed through oracle session via SQL query. The permission of this `V$SYSTEM_PARAMETER` view is only limited to the DBA by default. +Use the `oracle_db_conf` Chef InSpec audit resource to test the system parameters of Oracle. ### Installation This resource is distributed along with Chef InSpec itself. You can use it automatically. +### Requirements + +You must have access to a database user that has access to the `DBA` role. + ## Syntax -A `oracle_db_conf` resource block declares system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: +A `oracle_db_conf` resource block declares user and password to use. It fetches system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: - # Test parameters set within the database view - describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do - its("audit_sys_operations") { should cmp "true" } - its("sql92_security") { should cmp "true" } - end + describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + its("config item") { should cmp "value" } + end + +### Optional Parameters + +`oracle_db_conf` is based on `oracle_session`, and accepts all parameters that `oracle_session` accepts. ## Examples The following examples show how to use this Chef InSpec audit resource. +### Test parameters set within the database view + + describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + its("audit_sys_operations") { should cmp "true" } + its("sql92_security") { should cmp "true" } + end + ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). 
\ No newline at end of file diff --git a/docs-chef-io/content/inspec/resources/oracle_listener_conf.md b/docs-chef-io/content/inspec/resources/oracle_listener_conf.md index 907229600..8cac793b2 100644 --- a/docs-chef-io/content/inspec/resources/oracle_listener_conf.md +++ b/docs-chef-io/content/inspec/resources/oracle_listener_conf.md @@ -17,20 +17,29 @@ Use the `oracle_listener_conf` Chef InSpec audit resource to test the listeners This resource is distributed along with Chef InSpec itself. You can use it automatically. +### Requirements + +You must have sufficient permission to access listener settings defined in `listener.ora` file. + ## Syntax -A `oracle_listener_conf` resource block declares oracle listeners settings in the `listener.ora` file, and then compares the listeners settings in file to the value stated in the test: +A `oracle_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test: - # Test parameters set within the listener file - describe oracle_listener_conf do - its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } - its('EM_EXPRESS_PORT') { should eq '5500' } - end + describe oracle_listener_conf do + its('config item') { should eq 'value' } + end ## Examples The following examples show how to use this Chef InSpec audit resource. +### Test parameters set within the listener file + + describe oracle_listener_conf do + its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } + its('EM_EXPRESS_PORT') { should eq '5500' } + end + ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). \ No newline at end of file From 534f601f52e0e6dc1f72a192d7a0d7403b509511 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 24 Jun 2021 17:57:31 +0530 Subject: [PATCH 277/483] Some optimisations in function calls to reduce redundancy 
Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracle.rb | 13 ++++++++++--- lib/inspec/resources/oracle_listener_conf.rb | 7 ++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb index 9c39377d4..5b7d316d7 100644 --- a/lib/inspec/resources/oracle.rb +++ b/lib/inspec/resources/oracle.rb @@ -34,7 +34,10 @@ module Inspec::Resources nil else first = conf_files.first.chomp - warn "Multiple oracle listener settings found" if conf_files.count > 1 + if conf_files.count > 1 + warn "Multiple oracle listener settings found" + warn "Using first: #{first}" + end @conf_path = first end rescue => e @@ -47,8 +50,12 @@ module Inspec::Resources warn "No oracle listener settings found in $ORACLE_HOME\\network\\admin" nil else - first = conf_files.select { |line| line.include? "network\\admin\\listener.ora" }.first&.chomp - warn "Multiple oracle listener settings found" if conf_files.count > 1 + filtered_conf_files = conf_files.select { |line| line.include? "network\\admin\\listener.ora" } + first = filtered_conf_files.first&.chomp + if filtered_conf_files.count > 1 + warn "Multiple oracle listener settings found" + warn "Using first: #{first}" + end @conf_path = first end rescue => e diff --git a/lib/inspec/resources/oracle_listener_conf.rb b/lib/inspec/resources/oracle_listener_conf.rb index 8226dc7d0..6f512d924 100644 --- a/lib/inspec/resources/oracle_listener_conf.rb +++ b/lib/inspec/resources/oracle_listener_conf.rb @@ -23,9 +23,10 @@ module Inspec::Resources include ObjectTraverser def initialize(conf_path = nil) - @conf_path = conf_path || inspec.oracle.conf_path - if inspec.oracle.resource_failed? - raise inspec.oracle.resource_exception_message + oracle = inspec.oracle + @conf_path = conf_path || oracle.conf_path + if oracle.resource_failed? + raise oracle.resource_exception_message elsif @conf_path.nil? return skip_resource "Oracle Listener conf path is not set" end 
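Review bot: In the Windows branch of lib/inspec/resources/oracle.rb the emptiness check sits above this hunk and still tests the unfiltered `conf_files`. When the search returns matches but none contains `network\\admin\\listener.ora`, `filtered_conf_files.first&.chomp` is nil and `@conf_path` becomes nil without any warning. Filter before the check, e.g. `conf_files = conf_files.select { |line| line.include? "network\\admin\\listener.ora" }` ahead of `if conf_files.empty?`, so the "No oracle listener settings found" warning covers that case. Both this hunk and the Linux hunk above take the first hit of a disk-wide search, so an audit can read a stray copy of listener.ora instead of the one the listener loads; the added `Using first:` warning makes that visible but does not prevent it. The method starts outside the hunk.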
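Review bot: `initialize` in oracle_listener_conf.rb still builds `inspec.oracle` and raises on `oracle.resource_failed?` even when the caller passes `conf_path`, so a failed auto-discovery fails the resource although no discovery was needed. Presumably the helper runs its listener.ora search when it is constructed (the unit test passes an explicit path, and the search commands are mocked in mock_loader.rb); if so, consult it only when `conf_path` is nil, as sketched below. The rest of `initialize` lies outside the hunk.

```ruby
def initialize(conf_path = nil)
  @conf_path = conf_path
  if @conf_path.nil?
    oracle = inspec.oracle
    raise oracle.resource_exception_message if oracle.resource_failed?

    @conf_path = oracle.conf_path
  end
  return skip_resource "Oracle Listener conf path is not set" if @conf_path.nil?
  # … unchanged: remainder of initialize, outside the hunk …
```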
From 6ea20239226b7a0b2e4536606071b4fc85f7e94c Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 29 Jun 2021 12:25:03 +0530 Subject: [PATCH 278/483] Review changes - File renames and copy right line removed from resources for oracle conf resources Signed-off-by: Nikita Mathur --- .../{oracle_db_conf.md => oracledb_conf.md} | 16 ++++++++-------- ...istener_conf.md => oracledb_listener_conf.md} | 14 +++++++------- lib/inspec/resources.rb | 4 ++-- lib/inspec/resources/oracle.rb | 4 +--- .../{oracle_db_conf.rb => oracledb_conf.rb} | 10 ++++------ ...istener_conf.rb => oracledb_listener_conf.rb} | 10 ++++------ test/unit/resources/oracle_listener_conf_test.rb | 6 +++--- 7 files changed, 29 insertions(+), 35 deletions(-) rename docs-chef-io/content/inspec/resources/{oracle_db_conf.md => oracledb_conf.md} (50%) rename docs-chef-io/content/inspec/resources/{oracle_listener_conf.md => oracledb_listener_conf.md} (52%) rename lib/inspec/resources/{oracle_db_conf.rb => oracledb_conf.rb} (77%) rename lib/inspec/resources/{oracle_listener_conf.rb => oracledb_listener_conf.rb} (91%) diff --git a/docs-chef-io/content/inspec/resources/oracle_db_conf.md b/docs-chef-io/content/inspec/resources/oracledb_conf.md similarity index 50% rename from docs-chef-io/content/inspec/resources/oracle_db_conf.md rename to docs-chef-io/content/inspec/resources/oracledb_conf.md index 5635ab710..9af8b52ed 100644 --- a/docs-chef-io/content/inspec/resources/oracle_db_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_conf.md 
@@ -1,17 +1,17 @@ +++ -title = "oracle_db_conf resource" +title = "oracledb_conf resource" draft = false gh_repo = "inspec" platform = "os" [menu] [menu.inspec] - title = "oracle_db_conf" - identifier = "inspec/resources/os/oracle_db_conf.md oracle_db_conf resource" + title = "oracledb_conf" + identifier = "inspec/resources/os/oracledb_conf.md oracledb_conf resource" parent = "inspec/resources/os" +++ -Use the `oracle_db_conf` Chef InSpec audit resource to test the system parameters of Oracle. +Use the `oracledb_conf` Chef InSpec audit resource to test the system parameters of Oracle. ### Installation @@ -23,15 +23,15 @@ You must have access to a database user that has access to the `DBA` role. ## Syntax -A `oracle_db_conf` resource block declares user and password to use. It fetches system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: +A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: - describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + describe oracledb_conf(user: 'USER', password: 'PASSWORD') do its("config item") { should cmp "value" } end ### Optional Parameters -`oracle_db_conf` is based on `oracle_session`, and accepts all parameters that `oracle_session` accepts. +`oracledb_conf` is based on `oracledb_session`, and accepts all parameters that `oracledb_session` accepts. ## Examples @@ -39,7 +39,7 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the database view - describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + describe oracledb_conf(user: 'USER', password: 'PASSWORD') do its("audit_sys_operations") { should cmp "true" } its("sql92_security") { should cmp "true" } end 
diff --git a/docs-chef-io/content/inspec/resources/oracle_listener_conf.md b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md similarity index 52% rename from docs-chef-io/content/inspec/resources/oracle_listener_conf.md rename to docs-chef-io/content/inspec/resources/oracledb_listener_conf.md index 8cac793b2..f59e2625d 100644 --- a/docs-chef-io/content/inspec/resources/oracle_listener_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md @@ -1,17 +1,17 @@ +++ -title = "oracle_listener_conf resource" +title = "oracledb_listener_conf resource" draft = false gh_repo = "inspec" platform = "os" [menu] [menu.inspec] - title = "oracle_listener_conf" - identifier = "inspec/resources/os/oracle_listener_conf.md oracle_listener_conf resource" + title = "oracledb_listener_conf" + identifier = "inspec/resources/os/oracledb_listener_conf.md oracledb_listener_conf resource" parent = "inspec/resources/os" +++ -Use the `oracle_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform. +Use the `oracledb_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform. ### Installation @@ -23,9 +23,9 @@ You must have sufficient permission to access listener settings defined in `list ## Syntax -A `oracle_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test: +A `oracledb_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test: - describe oracle_listener_conf do + describe oracledb_listener_conf do its('config item') { should eq 'value' } end 
@@ -35,7 +35,7 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the listener file - describe oracle_listener_conf do + describe oracledb_listener_conf do its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } its('EM_EXPRESS_PORT') { should eq '5500' } end diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 046e67f85..77009485f 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -84,8 +84,8 @@ require "inspec/resources/npm" require "inspec/resources/ntp_conf" require "inspec/resources/oneget" require "inspec/resources/oracle" -require "inspec/resources/oracle_db_conf" -require "inspec/resources/oracle_listener_conf" +require "inspec/resources/oracledb_conf" +require "inspec/resources/oracledb_listener_conf" require "inspec/resources/oracledb_session" require "inspec/resources/os" require "inspec/resources/os_env" diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb index 5b7d316d7..8b4f6758d 100644 --- a/lib/inspec/resources/oracle.rb +++ b/lib/inspec/resources/oracle.rb @@ -1,5 +1,3 @@ -# copyright: 2015, Vulcano Security GmbH - require "inspec/resources/powershell" module Inspec::Resources @@ -8,7 +6,7 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - desc "The 'oracle' resource is a helper for the 'oracle_listener_conf'" + desc "The 'oracle' resource is a helper for the 'oracledb_listener_conf'" attr_reader :conf_path diff --git a/lib/inspec/resources/oracle_db_conf.rb b/lib/inspec/resources/oracledb_conf.rb similarity index 77% rename from lib/inspec/resources/oracle_db_conf.rb rename to lib/inspec/resources/oracledb_conf.rb index 8d059ff1f..f4f6caaa2 100644 --- a/lib/inspec/resources/oracle_db_conf.rb +++ b/lib/inspec/resources/oracledb_conf.rb 
@@ -1,15 +1,13 @@ -# copyright: 2015, Vulcano Security GmbH - require "inspec/resources/oracledb_session" module Inspec::Resources - class OracleDbConf < Inspec.resource(1) - name "oracle_db_conf" + class OracledbConf < Inspec.resource(1) + name "oracledb_conf" supports platform: "unix" supports platform: "windows" - desc "Use the oracle_db_conf InSpec audit resource to test the database settings for Oracle DB" + desc "Use the oracledb_conf InSpec audit resource to test the database settings for Oracle DB" example <<~EXAMPLE - describe oracle_db_conf(user: 'USER', password: 'PASSWORD') do + describe oracledb_conf(user: 'USER', password: 'PASSWORD') do its("audit_sys_operations") { should cmp "true" } its("sql92_security") { should cmp "true" } end diff --git a/lib/inspec/resources/oracle_listener_conf.rb b/lib/inspec/resources/oracledb_listener_conf.rb similarity index 91% rename from lib/inspec/resources/oracle_listener_conf.rb rename to lib/inspec/resources/oracledb_listener_conf.rb index 6f512d924..645be83ed 100644 --- a/lib/inspec/resources/oracle_listener_conf.rb +++ b/lib/inspec/resources/oracledb_listener_conf.rb @@ -1,5 +1,3 @@ -# copyright: 2015, Vulcano Security GmbH - require "inspec/utils/object_traversal" require "inspec/utils/simpleconfig" require "inspec/utils/find_files" @@ -7,13 +5,13 @@ require "inspec/utils/file_reader" require "inspec/resources/oracle" module Inspec::Resources - class OracleListenerConf < Inspec.resource(1) - name "oracle_listener_conf" + class OracledbListenerConf < Inspec.resource(1) + name "oracledb_listener_conf" supports platform: "unix" supports platform: "windows" - desc "Use the oracle_listener_conf InSpec audit resource to test the listener settings for Oracle DB" + desc "Use the oracledb_listener_conf InSpec audit resource to test the listener settings for Oracle DB" example <<~EXAMPLE - describe oracle_listener_conf do + describe oracledb_listener_conf do its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } end EXAMPLE 
diff --git a/test/unit/resources/oracle_listener_conf_test.rb b/test/unit/resources/oracle_listener_conf_test.rb index ab02ccc5d..3e66b63aa 100644 --- a/test/unit/resources/oracle_listener_conf_test.rb +++ b/test/unit/resources/oracle_listener_conf_test.rb @@ -1,16 +1,16 @@ require "helper" require "inspec/resource" -require "inspec/resources/oracle_listener_conf" +require "inspec/resources/oracledb_listener_conf" describe "Inspec::Resources::OracleListenerConf" do it "verify listener settings of oracle DB in linux" do - resource = MockLoader.new(:centos7).load_resource("oracle_listener_conf", "network/admin/listener.ora") + resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", "network/admin/listener.ora") _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end it "verify listener settings of oracle DB in windows" do - resource = MockLoader.new(:windows).load_resource("oracle_listener_conf", "network\\admin\\listener.ora") + resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", "network\\admin\\listener.ora") _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end From cb31cefaa2b4bc271e005e86e516d6687fd11cf3 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 29 Jun 2021 14:43:55 +0530 Subject: [PATCH 279/483] Review changes - Fetching listener file using env variable Signed-off-by: Nikita Mathur --- .../resources/oracledb_listener_conf.md | 3 ++- lib/inspec/resources/oracle.rb | 27 ++++++------------- .../cmd/fetch-oracle-listener-in-linux | 2 +- .../cmd/fetch-oracle-listener-in-windows | 3 +-- test/helpers/mock_loader.rb | 8 +++--- ...test.rb => oracledb_listener_conf_test.rb} | 6 ++--- 6 files changed, 19 insertions(+), 30 deletions(-) rename test/unit/resources/{oracle_listener_conf_test.rb => oracledb_listener_conf_test.rb} (77%) 
diff --git a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md index f59e2625d..07ec23557 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md @@ -19,7 +19,8 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ### Requirements -You must have sufficient permission to access listener settings defined in `listener.ora` file. +- You must have sufficient permission to access listener settings defined in `listener.ora` file. +- Value for environment variable `$ORACLE_HOME` should be set in the system. ## Syntax diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb index 8b4f6758d..ab83e9bdb 100644 --- a/lib/inspec/resources/oracle.rb +++ b/lib/inspec/resources/oracle.rb 
@@ -26,35 +26,24 @@ module Inspec::Resources private def determine_conf_dir_and_path_in_linux - conf_files = inspec.command("sudo find / -type f -wholename '*network/admin/listener.ora'").stdout.lines - if conf_files.empty? - warn "No oracle listener settings found in $ORACLE_HOME/network/admin" + oracle_home = inspec.command("echo $ORACLE_HOME").stdout&.chomp + if oracle_home.empty? + warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory" nil else - first = conf_files.first.chomp - if conf_files.count > 1 - warn "Multiple oracle listener settings found" - warn "Using first: #{first}" - end - @conf_path = first + @conf_path = oracle_home + "/network/admin/listener.ora" end rescue => e fail_resource "Errors reading listener settings: #{e}" end def determine_conf_dir_and_path_in_windows - conf_files = inspec.command("Get-ChildItem C:\\ -Filter *listener.ora -Recurse | % { $_.FullName }").stdout.lines - if conf_files.empty? - warn "No oracle listener settings found in $ORACLE_HOME\\network\\admin" + oracle_home = inspec.powershell("echo $Env:ORACLE_HOME").stdout&.chomp + if oracle_home.empty? + warn "No oracle listener settings found in $ORACLE_HOME\\network\\admin directory" nil else - filtered_conf_files = conf_files.select { |line| line.include? "network\\admin\\listener.ora" } - first = filtered_conf_files.first&.chomp - if filtered_conf_files.count > 1 - warn "Multiple oracle listener settings found" - warn "Using first: #{first}" - end - @conf_path = first + @conf_path = oracle_home + "\\network\\admin\\listener.ora" end rescue => e fail_resource "Errors reading listener settings: #{e}" diff --git a/test/fixtures/cmd/fetch-oracle-listener-in-linux b/test/fixtures/cmd/fetch-oracle-listener-in-linux index a10d27868..90d166693 100644 --- a/test/fixtures/cmd/fetch-oracle-listener-in-linux +++ b/test/fixtures/cmd/fetch-oracle-listener-in-linux 
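Review bot: `inspec.command("echo $ORACLE_HOME").stdout&.chomp` followed by `oracle_home.empty?` is inconsistent in both `determine_conf_dir_and_path_in_linux` and `determine_conf_dir_and_path_in_windows`. If `stdout` can be nil, the safe navigation yields nil and `.empty?` raises NoMethodError, which the `rescue` reports as "Errors reading listener settings"; `.stdout.to_s.strip` avoids that and also drops stray whitespace. The derived path is assigned without checking that the file exists, so a stale `ORACLE_HOME`, or one not exported in the shell InSpec runs the command in, only surfaces later as a read failure; `@conf_path = path if inspec.file(path).exist?` with a warning otherwise would keep the result honest. The warning text should also name the real condition, e.g. `warn "ORACLE_HOME is not set; cannot locate listener.ora"`.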
@@ -1 +1 @@ -/opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora \ No newline at end of file +/opt/oracle/product/18c/dbhomeXE \ No newline at end of file diff --git a/test/fixtures/cmd/fetch-oracle-listener-in-windows b/test/fixtures/cmd/fetch-oracle-listener-in-windows index 4f9195b79..d69edb30f 100644 --- a/test/fixtures/cmd/fetch-oracle-listener-in-windows +++ b/test/fixtures/cmd/fetch-oracle-listener-in-windows @@ -1,2 +1 @@ -C:\app\Administrator\product\18.0.0\dbhomeXE\network\admin\listener.ora -C:\app\Administrator\product\18.0.0\dbhomeXE\network\admin\sample\listener.ora \ No newline at end of file +C:\app\Administrator\product\18.0.0\dbhomeXE \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index c2662a724..a8b231f67 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -111,8 +111,8 @@ class MockLoader "/etc/mysql/my.cnf" => mockfile.call("mysql.conf"), "/etc/mysql/mysql2.conf" => mockfile.call("mysql2.conf"), "/etc/mongod.conf" => mockfile.call("mongod.conf"), - "network/admin/listener.ora" => mockfile.call("listener.ora"), - "network\\admin\\listener.ora" => mockfile.call("listener.ora"), + "$ORACLE_HOME/network/admin/listener.ora" => mockfile.call("listener.ora"), + "$ORACLE_HOME\\network\\admin\\listener.ora" => mockfile.call("listener.ora"), "/etc/rabbitmq/rabbitmq.config" => mockfile.call("rabbitmq.config"), "kitchen.yml" => mockfile.call("kitchen.yml"), "example.csv" => mockfile.call("example.csv"), 
@@ -485,8 +485,8 @@ class MockLoader # oracle "sh -c 'type \"sqlplus\"'" => cmd.call("oracle-cmd"), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call("oracle-result"), - "sudo find / -type f -wholename '*network/admin/listener.ora'" => cmd.call("fetch-oracle-listener-in-linux"), - "Get-ChildItem C:\\ -Filter *listener.ora -Recurse | % { $_.FullName }" => cmd.call("fetch-oracle-listener-in-windows"), + "echo $ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-linux"), + "echo $Env:ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-windows"), # nginx mock cmd %{nginx -V 2>&1} => cmd.call("nginx-v"), %{/usr/sbin/nginx -V 2>&1} => cmd.call("nginx-v"), diff --git a/test/unit/resources/oracle_listener_conf_test.rb b/test/unit/resources/oracledb_listener_conf_test.rb similarity index 77% rename from test/unit/resources/oracle_listener_conf_test.rb rename to test/unit/resources/oracledb_listener_conf_test.rb index 3e66b63aa..1c1654988 100644 --- a/test/unit/resources/oracle_listener_conf_test.rb +++ b/test/unit/resources/oracledb_listener_conf_test.rb 
@@ -2,15 +2,15 @@ require "helper" require "inspec/resource" require "inspec/resources/oracledb_listener_conf" -describe "Inspec::Resources::OracleListenerConf" do +describe "Inspec::Resources::OracledbListenerConf" do it "verify listener settings of oracle DB in linux" do - resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", "network/admin/listener.ora") + resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", "$ORACLE_HOME/network/admin/listener.ora") _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end it "verify listener settings of oracle DB in windows" do - resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", "network\\admin\\listener.ora") + resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", "$ORACLE_HOME\\network\\admin\\listener.ora") _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end From 180ebf0590f044ac2aa388f8683002da88a241bc Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 30 Jun 2021 13:10:46 +0530 Subject: [PATCH 280/483] Fixed review comments: Added attr_accessor for required parameters and removed pass to accept nil Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_conf.rb | 2 ++ lib/inspec/resources/postgres_session.rb | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/inspec/resources/postgres_conf.rb b/lib/inspec/resources/postgres_conf.rb index 6b9b66ad3..b74799108 100644 --- a/lib/inspec/resources/postgres_conf.rb +++ b/lib/inspec/resources/postgres_conf.rb @@ -22,6 +22,8 @@ module Inspec::Resources include FileReader include ObjectTraverser + attr_accessor :conf_path + def initialize(conf_path = nil) @conf_path = conf_path || inspec.postgres.conf_path if @conf_path.nil? 
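Review bot: `attr_accessor :conf_path` in postgres_conf.rb also generates a public `conf_path=` writer, and nothing in this hunk needs one. If the aim is only to let tests and other resources read the path, `attr_reader :conf_path` rules out the path being reassigned after the configuration was read, which would leave the reported path out of step with the parsed parameters. `initialize` continues outside the hunk, so whether a writer is used further down cannot be seen here.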
diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index c2a401137..328cf0631 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -12,7 +12,7 @@ module Inspec::Resources end def lines - output.split("\n") + output.split("\n").map(&:strip) end def to_s @@ -40,7 +40,7 @@ module Inspec::Resources end EXAMPLE - def initialize(user, pass = nil, host = nil, port = nil) + def initialize(user, pass, host = nil, port = nil) @user = user || "postgres" @pass = pass @host = host || "localhost" From 46328b48125472f97e0d2346fe9b4cd225ab2a17 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 30 Jun 2021 17:19:18 +0530 Subject: [PATCH 281/483] Removed default port option to enable using named instances with no port option Signed-off-by: Nikita Mathur --- lib/inspec/resources/mssql_session.rb | 6 +----- test/unit/resources/mssql_session_test.rb | 5 +---- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/lib/inspec/resources/mssql_session.rb b/lib/inspec/resources/mssql_session.rb index 14abf4e86..d5fe502d7 100644 --- a/lib/inspec/resources/mssql_session.rb +++ b/lib/inspec/resources/mssql_session.rb @@ -42,11 +42,7 @@ module Inspec::Resources @local_mode = opts[:local_mode] unless local_mode? @host = opts[:host] || "localhost" - if opts.key?(:port) - @port = opts[:port] - else - @port = "1433" - end + @port = opts[:port] end @instance = opts[:instance] @db_name = opts[:db_name] diff --git a/test/unit/resources/mssql_session_test.rb b/test/unit/resources/mssql_session_test.rb index f3e0d1d16..9059184ab 100644 --- a/test/unit/resources/mssql_session_test.rb +++ b/test/unit/resources/mssql_session_test.rb 
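Review bot: Dropping the default on `pass` in `initialize(user, pass, host = nil, port = nil)` turns a missing password into an ArgumentError at the call site, but an explicit `nil` or empty string is still stored in `@pass` unchecked. If a session must carry credentials, fail with a resource-level message after the assignments, e.g. `raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @pass.to_s.empty?`. Profiles that call `postgres_session` with a single argument stop working with this change, which deserves a line in the resource documentation. The method body continues outside the hunk.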
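Review bot: With the `"1433"` fallback removed in mssql_session.rb, `@port` is nil whenever the caller gives no `:port`, and the code that builds the server argument is outside this hunk. Confirm that it leaves the port out for nil rather than interpolating an empty value after the host, and state in the `mssql_session` documentation that the port is no longer defaulted. A unit test asserting `_(resource.port).must_be_nil` for the default case would pin the new behaviour; the test changes in this commit only delete the old `must_equal "1433"` assertions.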
@@ -8,7 +8,6 @@ describe "Inspec::Resources::MssqlSession" do _(resource.user).must_equal "sa" _(resource.password).must_equal "yourStrong(!)Password" _(resource.host).must_equal "localhost" - _(resource.port).must_equal "1433" end it "verify mssql_session configuration with custom hostname" do @@ -16,7 +15,6 @@ describe "Inspec::Resources::MssqlSession" do _(resource.user).must_equal "sa" _(resource.password).must_equal "yourStrong(!)Password" _(resource.host).must_equal "inspec.domain.tld" - _(resource.port).must_equal "1433" end it "verify mssql_session configuration with custom instance" do @@ -24,7 +22,6 @@ describe "Inspec::Resources::MssqlSession" do _(resource.user).must_equal "sa" _(resource.password).must_equal "yourStrong(!)Password" _(resource.host).must_equal "localhost" - _(resource.port).must_equal "1433" _(resource.instance).must_equal "SQL2012INSPEC" end @@ -63,7 +60,7 @@ describe "Inspec::Resources::MssqlSession" do end it "run a SQL query" do - resource = load_resource("mssql_session", user: "sa", password: "yourStrong(!)Password", host: "localhost") + resource = load_resource("mssql_session", user: "sa", password: "yourStrong(!)Password", host: "localhost", port: "1433") query = resource.query("SELECT SERVERPROPERTY('ProductVersion') as result") _(query.size).must_equal 1 _(query.row(0).column("result").value).must_equal "14.0.600.250" From 471b7b4550fb07485da349d52b361d55ee2b1e70 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 1 Jul 2021 13:18:23 +0530 Subject: [PATCH 282/483] Fixed command for windows and replaced warn with Inspec::Log.warn Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres.rb | 44 +++++++++++++++----------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/lib/inspec/resources/postgres.rb b/lib/inspec/resources/postgres.rb index 26f0b02db..d9fad2a1a 100644 --- a/lib/inspec/resources/postgres.rb +++ b/lib/inspec/resources/postgres.rb 
@@ -55,7 +55,7 @@ module Inspec::Resources @version = version_from_psql if @version.to_s.empty? if inspec.directory("/var/lib/pgsql/data").exist? - warn "Unable to determine PostgreSQL version: psql did not return" \ + Inspec::Log.warn "Unable to determine PostgreSQL version: psql did not return" \ "a version number and unversioned data directories were found." else @version = version_from_dir("/var/lib/pgsql") @@ -77,13 +77,13 @@ module Inspec::Resources def verify_dirs unless inspec.directory(@conf_dir).exist? - warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \ + Inspec::Log.warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \ "Postgresql may not be installed or we've misidentified the configuration " \ "directory." end unless inspec.directory(@data_dir).exist? - warn "Default postgresql data directory: #{@data_dir} does not exist. " \ + Inspec::Log.warn "Default postgresql data directory: #{@data_dir} does not exist. " \ "Postgresql may not be installed or we've misidentified the data " \ "directory." end @@ -92,16 +92,14 @@ module Inspec::Resources def version_from_psql return unless inspec.command("psql").exist? - if inspec.os.windows? - version = inspec.command("psql --version | awk '{ print $NF }'").stdout.strip.split(".") - else - version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") - end + version = inspec.command("psql --version").stdout.strip.split(" ")[2].split(".") - if version.first.to_i >= 10 - version.first - else - "#{version[0]}.#{version[1]}" + unless version.empty? + if version.first.to_i >= 10 + version.first + else + "#{version[0]}.#{version[1]}" + end end end 
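Review bot: The warning touched in the first hunk joins `"...psql did not return" \ "a version number..."` without a separating space, so the logged text reads `did not returna version number`. While switching to `Inspec::Log.warn`, end the first literal with a trailing space: `"Unable to determine PostgreSQL version: psql did not return " \`. The continuation strings in `verify_dirs` in the next hunk already carry their trailing spaces.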
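Review bot: In `version_from_psql`, `inspec.command("psql --version").stdout.strip.split(" ")[2].split(".")` raises NoMethodError when the output has fewer than three whitespace-separated fields (empty stdout, an error message), because `[2]` is nil before the second `split`. The added `unless version.empty?` guard is reached too late to help. Coerce first: `version = inspec.command("psql --version").stdout.strip.split(" ")[2].to_s.split(".")`. The old pipeline took the last field, so a comment stating the output shape the third-field lookup expects would help the next reader.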
@@ -118,7 +116,7 @@ module Inspec::Resources data_dir_loc = dir_list.detect { |i| inspec.directory(i).exist? } if data_dir_loc.nil? - warn 'Unable to find the PostgreSQL data_dir in expected location(s), please + Inspec::Log.warn 'Unable to find the PostgreSQL data_dir in expected location(s), please execute "psql -t -A -p -h -c "show hba_file";" as the PostgreSQL DBA to find the non-standard data_dir location.' end @@ -130,15 +128,15 @@ module Inspec::Resources entries = dirs.lines.count case entries when 0 - warn "Could not determine version of installed postgresql by inspecting #{dir}" + Inspec::Log.warn "Could not determine version of installed postgresql by inspecting #{dir}" nil when 1 - warn "Using #{dirs}: #{dir_to_version(dirs)}" + Inspec::Log.warn "Using #{dirs}: #{dir_to_version(dirs)}" dir_to_version(dirs) else - warn "Multiple versions of postgresql installed or incorrect base dir #{dir}" + Inspec::Log.warn "Multiple versions of postgresql installed or incorrect base dir #{dir}" first = dir_to_version(dirs.lines.first) - warn "Using the first version found: #{first}" + Inspec::Log.warn "Using the first version found: #{first}" first end end @@ -148,14 +146,14 @@ module Inspec::Resources entries = dirs.lines.count case entries when 0 - warn "Could not determine version of installed PostgreSQL by inspecting #{dir}" + Inspec::Log.warn "Could not determine version of installed PostgreSQL by inspecting #{dir}" nil when 1 dir_to_version(dirs) else - warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}" + Inspec::Log.warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}" first = dir_to_version(dirs.lines.first) - warn "Using the first version found: #{first}" + Inspec::Log.warn "Using the first version found: #{first}" first end end 
@@ -172,13 +170,13 @@ module Inspec::Resources else dirs = inspec.command("ls -d #{dir}/*/").stdout.lines if dirs.empty? - warn "No postgresql clusters configured or incorrect base dir #{dir}" + Inspec::Log.warn "No postgresql clusters configured or incorrect base dir #{dir}" return nil end first = dirs.first.chomp.split("/").last if dirs.count > 1 - warn "Multiple postgresql clusters configured or incorrect base dir #{dir}" - warn "Using the first directory found: #{first}" + Inspec::Log.warn "Multiple postgresql clusters configured or incorrect base dir #{dir}" + Inspec::Log.warn "Using the first directory found: #{first}" end first end From 6bfc2fad2f07f432f1e93d16464b973a18910338 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 1 Jul 2021 15:28:58 +0530 Subject: [PATCH 283/483] Fixed failing specs Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 2 +- test/unit/resources/postgres_ident_conf_test.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 300540fa4..4ed1805f2 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -153,7 +153,7 @@ class MockLoader "database.xml" => mockfile.call("database.xml"), "/test/path/to/postgres/pg_hba.conf" => mockfile.call("pg_hba.conf"), "/etc/postgresql/9.5/main/pg_ident.conf" => mockfile.call("pg_ident.conf"), - "C:/etc/postgresql/9.5/main/pg_ident.conf" => mockfile.call("pg_ident.conf"), + "C:/Program Files/PostgreSQL/9.5/main/pg_ident.conf" => mockfile.call("pg_ident.conf"), "/etc/postgresql/9.5/main" => mockfile.call("9.5.main"), "/var/lib/postgresql/9.5/main" => mockfile.call("var.9.5.main"), "/etc/hosts" => mockfile.call("hosts"), diff --git a/test/unit/resources/postgres_ident_conf_test.rb b/test/unit/resources/postgres_ident_conf_test.rb index 2d8a6ef18..859d9b3b9 100644 --- a/test/unit/resources/postgres_ident_conf_test.rb +++ b/test/unit/resources/postgres_ident_conf_test.rb 
@@ -5,7 +5,7 @@ require "inspec/resources/directory" describe "Inspec::Resources::PGIdentConf" do describe "PGIdentConf Paramaters" do - resource = load_resource("postgres_ident_conf") + resource = load_resource("postgres_ident_conf", "C:/Program Files/PostgreSQL/9.5/main/pg_ident.conf") it "Verify postgres_ident_conf filtering by `system_username`" do entries = resource.where { system_username == "bryanh" } _(entries.map_name).must_equal ["omicron"] From 39dbb6819e6a1626d3ab531aa6a9763a97fd1bdc Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 2 Jul 2021 00:51:40 +0530 Subject: [PATCH 284/483] Fix for expiry time parsing when in string format Signed-off-by: Nikita Mathur --- lib/inspec/rule.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/rule.rb b/lib/inspec/rule.rb index e0a083e90..9c20b2119 100644 --- a/lib/inspec/rule.rb +++ b/lib/inspec/rule.rb @@ -360,7 +360,7 @@ module Inspec # A string that does not represent a valid time results in the date 0000-01-01. if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0) expiry = expiry.to_time if expiry.is_a? Date - expiry = Time.new(expiry) if expiry.is_a? String + expiry = Time.parse(expiry) if expiry.is_a? String if expiry < Time.now # If the waiver expired, return - no skip applied __waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally" return From f3633aa0963fca6265788613376179e46980a9b5 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 2 Jul 2021 15:15:18 +0530 Subject: [PATCH 285/483] File existence check and other null checks Signed-off-by: Nikita Mathur --- .../resources/oracledb_listener_conf.md | 2 +- lib/inspec/resources/oracle.rb | 29 ++++++++++++++----- test/helpers/mock_loader.rb | 2 +- 3 files changed, 23 insertions(+), 10 deletions(-) 
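Review bot: In the `lib/inspec/rule.rb` hunk the guard on the line above still validates a string expiry with `Time.new(expiry).year != 0`, while the value is now produced by `Time.parse(expiry)`, so the check and the parser can disagree. By the comment's own description the guard appears to look only at the leading year, so a string such as a year followed by an impossible month would pass it and then raise `ArgumentError` inside `Time.parse`; whether that is handled is not visible here. I would make one parse attempt decide both questions: rescue `ArgumentError` around `Time.parse(expiry)` and take the invalid-date path when it fails. `Time.parse` comes from the `time` standard library, so the file needs `require "time"` if it is not already loaded. It also fills missing date parts from the current date and uses the local zone, which is worth stating in the waiver docs because it decides when a waiver stops applying. The enclosing method starts and ends outside the hunk.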
diff --git a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md index 07ec23557..7e01b3633 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md @@ -20,7 +20,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ### Requirements - You must have sufficient permission to access listener settings defined in `listener.ora` file. -- Value for environment variable `$ORACLE_HOME` should be set in the system. +- Value for environment variable `ORACLE_HOME` should be set in the system. ## Syntax diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb index ab83e9bdb..1e05fd2c8 100644 --- a/lib/inspec/resources/oracle.rb +++ b/lib/inspec/resources/oracle.rb 
@@ -26,24 +26,37 @@ module Inspec::Resources private def determine_conf_dir_and_path_in_linux - oracle_home = inspec.command("echo $ORACLE_HOME").stdout&.chomp - if oracle_home.empty? - warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory" + oracle_home = inspec.command("echo $ORACLE_HOME").stdout.lines.first&.chomp + if oracle_home.nil? || oracle_home.empty? + warn "$ORACLE_HOME env value not set in the system" nil else - @conf_path = oracle_home + "/network/admin/listener.ora" + conf_path = "#{oracle_home}/network/admin/listener.ora" + if !inspec.file(conf_path).exist? + warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory" + nil + else + @conf_path = conf_path + end end rescue => e fail_resource "Errors reading listener settings: #{e}" end def determine_conf_dir_and_path_in_windows - oracle_home = inspec.powershell("echo $Env:ORACLE_HOME").stdout&.chomp - if oracle_home.empty? - warn "No oracle listener settings found in $ORACLE_HOME\\network\\admin directory" + oracle_home = inspec.powershell("$Env:ORACLE_HOME").stdout.lines.first&.chomp + + if oracle_home.nil? || oracle_home.empty? + warn "ORACLE_HOME env value not set in the system" nil else - @conf_path = oracle_home + "\\network\\admin\\listener.ora" + conf_path = "#{oracle_home}\\network\\admin\\listener.ora" + if !inspec.file(conf_path).exist? + warn "No oracle listener settings found in ORACLE_HOME\\network\\admin directory" + nil + else + @conf_path = conf_path + end end rescue => e fail_resource "Errors reading listener settings: #{e}" diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index a8b231f67..7440d708f 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
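Review bot: The new branches in `determine_conf_dir_and_path_in_linux` and `determine_conf_dir_and_path_in_windows` (`lib/inspec/resources/oracle.rb`) still call bare `warn`, while the postgres resource earlier in this series was moved to `Inspec::Log.warn`. Bare `warn` writes to stderr regardless of the configured log level or destination, so these "not set" and "not found" messages bypass the logger; use `Inspec::Log.warn "$ORACLE_HOME env value not set in the system"` and the same for the other three messages. Separately, `.stdout.lines.first&.chomp` no longer guards a nil `stdout`. That case now reaches the method-level `rescue` and becomes `fail_resource` rather than a warning, which may be intended but deserves a one-line comment.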
@@ -486,7 +486,7 @@ class MockLoader "sh -c 'type \"sqlplus\"'" => cmd.call("oracle-cmd"), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call("oracle-result"), "echo $ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-linux"), - "echo $Env:ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-windows"), + "$Env:ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-windows"), # nginx mock cmd %{nginx -V 2>&1} => cmd.call("nginx-v"), %{/usr/sbin/nginx -V 2>&1} => cmd.call("nginx-v"), From bb1eb194406b567d4ab011ab6d10b85e7d478060 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Fri, 2 Jul 2021 20:57:23 +0000 Subject: [PATCH 286/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 18 +++++++++++------- Dockerfile | 2 +- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9cfc1ce3..19ae893ca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,18 +7,23 @@ - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) - -### Changes since 4.37.30 release + +### Changes since 4.38.3 release #### Merged Pull Requests - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) -- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) -- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) -- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) +## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02) + +#### Merged Pull Requests +- Add support for mongodb_conf resource in InSpec [#5562](https://github.com/inspec/inspec/pull/5562) ([Vasu1105](https://github.com/Vasu1105)) +- Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) +- Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) +- Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16) #### Bug Fixes 
@@ -29,7 +34,6 @@ - Fix mysql_session resource to raise exception if there is a error in connection or in query [#5551](https://github.com/inspec/inspec/pull/5551) ([Vasu1105](https://github.com/Vasu1105)) - Fix postgres_session resource to raise exception if there is a error in connection or in query [#5553](https://github.com/inspec/inspec/pull/5553) ([Vasu1105](https://github.com/Vasu1105)) - Restrict x25519 gem to x86 architectures [#5564](https://github.com/inspec/inspec/pull/5564) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.37.25](https://github.com/inspec/inspec/tree/v4.37.25) (2021-06-10) diff --git a/Dockerfile b/Dockerfile index 7e1661e88..3245f8205 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.37.30 +ARG VERSION=4.38.3 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 06eb9b9a84898baf92940dfae9a1ee33c052e473 Mon Sep 17 00:00:00 2001 From: Collin McNeese Date: Tue, 6 Jul 2021 10:46:47 -0500 Subject: [PATCH 287/483] adds chrony_conf InSpec resource Signed-off-by: Collin McNeese --- .../content/inspec/resources/chrony_conf.md | 72 +++++++++++++++++++ lib/inspec/resources/chrony_conf.rb | 55 ++++++++++++++ test/fixtures/files/chrony.conf | 41 +++++++++++ test/helpers/mock_loader.rb | 1 + test/unit/resources/chrony_conf_test.rb | 18 +++++ 5 files changed, 187 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/chrony_conf.md create mode 100644 lib/inspec/resources/chrony_conf.rb create mode 100644 test/fixtures/files/chrony.conf create mode 100644 test/unit/resources/chrony_conf_test.rb diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md new file mode 100644 index 000000000..8cb4fcd26 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md 
@@ -0,0 +1,72 @@ ++++ +title = "chrony_conf resource" +draft = false +gh_repo = "inspec" +platform = "linux" + +[menu] + [menu.inspec] + title = "chrony_conf" + identifier = "inspec/resources/os/chrony_conf.md chrony_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `chrony_conf` Chef InSpec audit resource to test the synchronization settings defined in the `chrony.conf` file. This file is typically located at `/etc/chrony.conf`. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +### Version + +This resource first became available in v1.0.0 of InSpec. + +## Syntax + +An `chrony_conf` resource block declares the synchronization settings that should be tested: + + describe chrony_conf('path') do + its('setting_name') { should eq 'value' } + end + +where + +- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file +- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`) +- `{ should eq 'value' }` is the value that is expected + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test for clock drift against named servers + + describe chrony_conf do + its('driftfile') { should cmp '/var/lib/chrony/drift' } + its('server') do + should cmp [ + '0.ubuntu.pool.ntp.org', + '1.ubuntu.pool.ntp.org', + '2.ubuntu.pool.ntp.org' + ] + end + end + +## Matchers + +This resource matches any service that is listed in the `chrony.conf` file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + + its('server') { should_not eq nil } + +or: + + its('allow') { should include '192.168.0.0/16'} + +For example: + + describe chrony_conf do + its('server') { should_not eq nil } + its('allow') { should include '192.168.0.0/16'} + end 
diff --git a/lib/inspec/resources/chrony_conf.rb b/lib/inspec/resources/chrony_conf.rb new file mode 100644 index 000000000..469236e4b --- /dev/null +++ b/lib/inspec/resources/chrony_conf.rb @@ -0,0 +1,55 @@ +# chrony_conf + +require "inspec/utils/simpleconfig" +require "inspec/utils/file_reader" + +module Inspec::Resources + class ChronyConf < Inspec.resource(1) + name "chrony_conf" + supports platform: "unix" + desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/ntp.conf." + example <<~EXAMPLE + describe chrony_conf do + its('server') { should_not cmp nil } + its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' } + its('pool') { should include 'pool.ntp.org iburst' } + its('driftfile') { should cmp '/var/lib/ntp/drift' } + its('allow') { should cmp nil } + its('keyfile') { should cmp '/etc/chrony.keys' } + end + EXAMPLE + + include FileReader + + def initialize(path = nil) + @conf_path = path || "/etc/chrony.conf" + @content = read_file_content(@conf_path) + end + + def method_missing(name) + param = read_params[name.to_s] + # extract first value if we have only one value in array + return param[0] if param.is_a?(Array) && (param.length == 1) + + param + end + + def to_s + "chrony.conf" + end + + private + + def read_params + return @params if defined?(@params) + + # parse the file + conf = SimpleConfig.new( + @content, + assignment_regex: /^\s*(\S+)\s+(.*)\s*$/, + multiple_values: true + ) + @params = conf.params + end + end +end diff --git a/test/fixtures/files/chrony.conf b/test/fixtures/files/chrony.conf new file mode 100644 index 000000000..f53da80b4 --- /dev/null +++ b/test/fixtures/files/chrony.conf 
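Review bot: `ChronyConf#method_missing(name)` in the new `lib/inspec/resources/chrony_conf.rb` answers every unknown message with a hash lookup, so a misspelled setting in a control returns nil instead of raising, and a test such as `its('allow') { should cmp nil }` cannot tell "not configured" from "typo". The method also takes no extra arguments or block and has no `respond_to_missing?`, so `respond_to?` disagrees with what the object actually answers. I would add `def respond_to_missing?(name, include_private = false)` with body `read_params.key?(name.to_s) || super`, and add a comment on `method_missing` stating that unknown settings deliberately return nil if that is the intended contract. If this mirrors an existing sibling resource, the same comment applies there.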
@@ -0,0 +1,41 @@ +# Use public servers from the pool.ntp.org project. +# Please consider joining the pool (http://www.pool.ntp.org/join.html). +pool 0.ubuntu.pool.ntp.org iburst +pool 1.ubuntu.pool.ntp.org iburst +server 127.127.1.0 +server 127.127.1.1 + +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift + +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep 1.0 3 + +# Enable kernel synchronization of the real-time clock (RTC). +rtcsync + +# Enable hardware timestamping on all interfaces that support it. +#hwtimestamp * + +# Increase the minimum number of selectable sources required to adjust +# the system clock. +#minsources 2 + +# Allow NTP client access from local network. +#allow 192.168.0.0/16 + +# Serve time even if not synchronized to a time source. +#local stratum 10 + +# Specify file containing keys for NTP authentication. +keyfile /etc/chrony.keys + +# Get TAI-UTC offset and leap seconds from the system tz database. +leapsectz right/UTC + +# Specify directory for log files. +logdir /var/log/chrony + +# Select which information is logged. +#log measurements statistics tracking diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 300540fa4..8fb5314ca 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -97,6 +97,7 @@ class MockLoader "/etc/passwd" => mockfile.call("passwd"), "/etc/shadow" => mockfile.call("shadow"), "/etc/ntp.conf" => mockfile.call("ntp.conf"), + "/etc/chrony.conf" => mockfile.call("chrony.conf"), "/etc/login.defs" => mockfile.call("login.defs"), "/etc/security/limits.conf" => mockfile.call("limits.conf"), "/etc/inetd.conf" => mockfile.call("inetd.conf"), diff --git a/test/unit/resources/chrony_conf_test.rb b/test/unit/resources/chrony_conf_test.rb new file mode 100644 index 000000000..eabe58647 --- /dev/null +++ b/test/unit/resources/chrony_conf_test.rb 
@@ -0,0 +1,18 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/chrony_conf" + +describe "Inspec::Resources::ChronyConf" do + it "verify chrony config parsing" do + resource = load_resource("chrony_conf") + _(resource.driftfile).must_equal "/var/lib/chrony/drift" + _(resource.pool).must_equal [ + "0.ubuntu.pool.ntp.org iburst", + "1.ubuntu.pool.ntp.org iburst", + ] + _(resource.server).must_equal %w{ + 127.127.1.0 127.127.1.1 + } + assert_nil resource.allow + end +end From dc5cdc23212b838d2d2003886ed3ec2f22ebdae0 Mon Sep 17 00:00:00 2001 From: Collin McNeese Date: Tue, 6 Jul 2021 11:43:43 -0500 Subject: [PATCH 288/483] updates chrony_conf doc page to remove availability version number until ready for release Signed-off-by: Collin McNeese --- docs-chef-io/content/inspec/resources/chrony_conf.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md index 8cb4fcd26..ed4f22920 100644 --- a/docs-chef-io/content/inspec/resources/chrony_conf.md +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md @@ -19,9 +19,10 @@ Use the `chrony_conf` Chef InSpec audit resource to test the synchronization set This resource is distributed along with Chef InSpec itself. You can use it automatically. -### Version + + ## Syntax From 4e779ddf6b60a80472fe3792e4bf9aa0783f8fdc Mon Sep 17 00:00:00 2001 From: Collin McNeese Date: Wed, 7 Jul 2021 11:38:21 -0500 Subject: [PATCH 289/483] fixes typo in resource description. Signed-off-by: Collin McNeese --- lib/inspec/resources/chrony_conf.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/chrony_conf.rb b/lib/inspec/resources/chrony_conf.rb index 469236e4b..ba710dc8d 100644 --- a/lib/inspec/resources/chrony_conf.rb +++ b/lib/inspec/resources/chrony_conf.rb 
@@ -7,7 +7,7 @@ module Inspec::Resources class ChronyConf < Inspec.resource(1) name "chrony_conf" supports platform: "unix" - desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/ntp.conf." + desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf." example <<~EXAMPLE describe chrony_conf do its('server') { should_not cmp nil } From a292d27557ad4f0039601293997a651621ffd682 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 8 Jul 2021 11:19:53 +0530 Subject: [PATCH 290/483] Need to backout this gem as its causing issues for ssh Signed-off-by: Vasu1105 --- Gemfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Gemfile b/Gemfile index 82d4eabb3..7ef15b437 100644 --- a/Gemfile +++ b/Gemfile @@ -33,9 +33,6 @@ group :omnibus do gem "appbundler" gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec - if probably_x86? - gem "x25519" # ed25519 KEX module, not supported on ARM - end end group :test do From 9b691b32ac8153e8e538947c158972bee9733430 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 7 Jul 2021 14:54:55 +0530 Subject: [PATCH 291/483] Add support for OPA: add resource opa_cli and opa_api Signed-off-by: Vasu1105 --- lib/inspec/resources.rb | 2 ++ lib/inspec/resources/opa.rb | 22 +++++++++++++++++ lib/inspec/resources/opa_api.rb | 41 ++++++++++++++++++++++++++++++++ lib/inspec/resources/opa_cli.rb | 42 +++++++++++++++++++++++++++++++++ 4 files changed, 107 insertions(+) create mode 100644 lib/inspec/resources/opa.rb create mode 100644 lib/inspec/resources/opa_api.rb create mode 100644 lib/inspec/resources/opa_cli.rb 
diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 1bdf0021d..8db4de0c1 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -83,6 +83,8 @@ require "inspec/resources/nginx_conf" require "inspec/resources/npm" require "inspec/resources/ntp_conf" require "inspec/resources/oneget" +require "inspec/resources/opa_cli" +require "inspec/resources/opa_api" require "inspec/resources/oracledb_session" require "inspec/resources/os" require "inspec/resources/os_env" diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb new file mode 100644 index 000000000..228527b04 --- /dev/null +++ b/lib/inspec/resources/opa.rb @@ -0,0 +1,22 @@ +require "inspec/resources/json" + +module Inspec::Resources + class Opa < JsonConfig + name "opa" + supports platform: "unix" + supports platform: "windows" + + def initialize(content) + @content = content + super({content: @content}) + end + + private + + def parse(content) + @content = YAML.load(content) + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Unable to parse OPA query output: #{e.message}" + end + end +end diff --git a/lib/inspec/resources/opa_api.rb b/lib/inspec/resources/opa_api.rb new file mode 100644 index 000000000..c72c3b106 --- /dev/null +++ b/lib/inspec/resources/opa_api.rb 
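Review bot: `Opa#parse` in the new `lib/inspec/resources/opa.rb` hands the raw output of `opa eval` or the HTTP response body to `YAML.load`. That data comes from the audited target or a remote server, and on Psych versions before 4 `YAML.load` will construct arbitrary tagged Ruby objects from it. The payload is JSON and the class already derives from `JsonConfig`, so the narrower parser fits: `@content = JSON.parse(content)`, or `YAML.safe_load(content)` if YAML leniency is really wanted. The existing `rescue => e` still turns a parse failure into `ResourceFailed` either way.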
@@ -0,0 +1,41 @@ +require "inspec/resources/opa" + +module Inspec::Resources + class OpaApi < Opa + name "opa_api" + supports platform: "unix" + supports platform: "windows" + + attr_reader :allow + + def initialize(opts={}) + @url = opts[:url] + @data = opts[:data] + fail_resource "policy and data are the mandatory for executing OPA." if @url.nil? && @data.nil? + @content = load_result + super(@content) + end + + def allow + @content["result"] + end + + def to_s + "OPA api" + end + + private + + def load_result + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + + result = inspec.command("curl -X POST #{@url} -d @#{@data} -H 'Content-Type: application/json'") + if result.exit_status == 0 + result.stdout.gsub("\n", "") + else + error = result.stdout + "\n" + result.stderr + raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}" + end + end + end +end diff --git a/lib/inspec/resources/opa_cli.rb b/lib/inspec/resources/opa_cli.rb new file mode 100644 index 000000000..2417c2617 --- /dev/null +++ b/lib/inspec/resources/opa_cli.rb 
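Review bot: `load_result` in `lib/inspec/resources/opa_api.rb` builds the `curl` command by interpolating `@url` and `@data` unquoted into a shell string, so whitespace or shell metacharacters in either profile-supplied value change the command that runs on the target. Escape both values, e.g. `inspec.command("curl -X POST #{Shellwords.escape(@url)} -d @#{Shellwords.escape(@data)} -H 'Content-Type: application/json'")` with `require "shellwords"`. That escaping is POSIX-shell only, and the resource also declares Windows support, which needs its own quoting. The guard `if @url.nil? && @data.nil?` fires only when both are missing although the message calls both mandatory; it should be `if @url.nil? || @data.nil?`, and the message says "policy" where this resource takes a url. The `opa_cli.rb` hunk that follows has the same two problems: its single-quoted interpolation of `@data`, `@policy` and `@query` is broken by any value containing a single quote, and it uses the same `&&` guard. A later commit in this series touches both files, but those hunks are not visible here.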
@@ -0,0 +1,42 @@ +require "inspec/resources/opa" + +module Inspec::Resources + class OpaCli < Opa + name "opa_cli" + supports platform: "unix" + supports platform: "windows" + + attr_reader :allow + + def initialize(opts = {}) + @policy = opts[:policy] || nil + @data = opts[:data] || nil + @query = opts[:query] || nil + fail_resource "policy and data are the mandatory for executing OPA." if @policy.nil? && @data.nil? + @content = load_result + super(@content) + end + + def allow + @content["result"][0]["expressions"][0]["value"] if @content["result"][0]["expressions"][0]["text"].include?("allow") + end + + def to_s + "OPA cli" + end + + private + + def load_result + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? + + result = inspec.command("opa eval -i '#{@data}' -d '#{@policy}' '#{@query}'") + if result.exit_status == 0 + result.stdout.gsub("\n", "") + else + error = result.stdout + "\n" + result.stderr + raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}" + end + end + end +end From 05cbca239b858c975da84d68fe083d23691e9cd6 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 8 Jul 2021 23:36:40 +0000 Subject: [PATCH 292/483] Bump version to 4.38.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19ae893ca..29d23a385 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
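Review bot: `OpaCli#allow` in `lib/inspec/resources/opa_cli.rb` indexes `@content["result"][0]["expressions"][0]` with no nil handling, so a query whose result set is empty or undefined would presumably raise `NoMethodError` from the matcher instead of yielding nil. A policy check that errors out is easy to misread in a report, so the lookup should be made total: `expr = @content.dig("result", 0, "expressions", 0)` followed by `expr["value"] if expr && expr["text"].to_s.include?("allow")`. The `attr_reader :allow` above it is immediately overridden by the explicit `def allow` and can be removed. A comment should also record that `allow` is only meaningful when the query text itself mentions `allow`.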
@@ -1,16 +1,17 @@ # Change Log - -## [v4.38.4](https://github.com/inspec/inspec/tree/v4.38.4) (2021-06-29) + +## [v4.38.5](https://github.com/inspec/inspec/tree/v4.38.5) (2021-07-08) #### Merged Pull Requests -- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) +- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) ### Changes since 4.38.3 release #### Merged Pull Requests +- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 098c862af..8b42f5478 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.4 \ No newline at end of file +4.38.5 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 99fbf5345..9afc00d48 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.4".freeze + VERSION = "4.38.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index b7ae9a45c..deb5516d5 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.4".freeze + VERSION = "4.38.5".freeze end From e1fd1b12ea615a440e00ac169ce5be9a4aa130fd Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Thu, 8 Jul 2021 23:41:02 +0000 Subject: [PATCH 293/483] Bump version to 4.38.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29d23a385..6514a0064 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.38.5](https://github.com/inspec/inspec/tree/v4.38.5) (2021-07-08) + +## [v4.38.6](https://github.com/inspec/inspec/tree/v4.38.6) (2021-07-08) -#### Merged Pull Requests -- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) +#### Enhancements +- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) ### Changes since 4.38.3 release +#### Enhancements +- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) + #### Merged Pull Requests - Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 8b42f5478..5b2561b7e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.5 \ No newline at end of file +4.38.6 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 9afc00d48..9b1437c27 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.5".freeze + VERSION = "4.38.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index deb5516d5..3da4138d5 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.5".freeze + VERSION = "4.38.6".freeze end From ec76259eb12779f679335dff95f9996280ff4cce Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 8 Jul 2021 23:49:34 +0000 Subject: [PATCH 294/483] Bump version to 4.38.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6514a0064..3b7a29d43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.38.6](https://github.com/inspec/inspec/tree/v4.38.6) (2021-07-08) + +## [v4.38.7](https://github.com/inspec/inspec/tree/v4.38.7) (2021-07-08) #### Enhancements -- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) +- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.38.3 release #### Enhancements +- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) - Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests diff --git a/VERSION b/VERSION index 5b2561b7e..5a0594a2d 100644 --- a/VERSION 
+++ b/VERSION @@ -1 +1 @@ -4.38.6 \ No newline at end of file +4.38.7 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 9b1437c27..af714a9c4 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.6".freeze + VERSION = "4.38.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 3da4138d5..26e48758f 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.6".freeze + VERSION = "4.38.7".freeze end From 47020370b8bf88a4c07296d020649cf01741df3a Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Jul 2021 10:48:36 +0530 Subject: [PATCH 295/483] Remove def for probably_x86 Signed-off-by: Vasu1105 --- Gemfile | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Gemfile b/Gemfile index 7ef15b437..f0f052e40 100644 --- a/Gemfile +++ b/Gemfile @@ -20,14 +20,6 @@ end # but our runtime dep is still 3.9+ gem "rspec", ">= 3.10" -def probably_x86? - # We don't currently build on ARM windows, so assume x86 there - return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/ - - # Otherwise rely on uname -m - `uname -m`.match?(/^(x86_64|i\d86)/) -end - group :omnibus do gem "rb-readline" gem "appbundler" From b2e680f17ba28ed467dfae76eeb32306573fdbee Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Jul 2021 15:50:35 +0530 Subject: [PATCH 296/483] Fixed review comments. And added docs for opa_cli and opa_api resource. 
Signed-off-by: Vasu1105 --- .../content/inspec/resources/opa_api.md | 69 ++++++++++++++++ .../content/inspec/resources/opa_cli.md | 78 +++++++++++++++++++ lib/inspec/resources/opa.rb | 1 + lib/inspec/resources/opa_api.rb | 6 +- lib/inspec/resources/opa_cli.rb | 5 +- 5 files changed, 154 insertions(+), 5 deletions(-) create mode 100644 docs-chef-io/content/inspec/resources/opa_api.md create mode 100644 docs-chef-io/content/inspec/resources/opa_cli.md diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md new file mode 100644 index 000000000..ba0d5fa0d --- /dev/null +++ b/docs-chef-io/content/inspec/resources/opa_api.md 
@@ -0,0 +1,69 @@ ++++ +title = "opa_api resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "opa_api" + identifier = "inspec/resources/os/opa_api.md mongodb_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `opa_api` Chef InSpec audit resource to query the OPA using the OPA url and data. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `opa_api` resource + + describe opa_api(url: "localhost:8181/v1/data/example/violation", data: "input.json") do + its(["result"]) { should eq 'value' } + end + +where + +- `'url'` specifies the url of the OPA server on which OPA is running. +- `'data'` specifies the json formatted data or json file. +- `its(["result"]) { should eq 'value' }` compares the results of the query against the expected result in the test + +## parameters + +`opa_api` resource InSpec resource accepts `url` and `data` + +### `url` _(required)_ + +URL of the OPA API server. + +### `data` _(required)_ + +This accepts input.json file or input data in json format. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test the key management configuration options + + describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do + its(["result"]) { should eq true } + its("allow") { should eq "true" } + end + +Above example shows how `allow` value can be fetched in 2 ways. + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + +### allow + +The `allow` matcher checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. + + its('allow') { should eq 'value' } 
diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md new file mode 100644 index 000000000..957de4a35 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/opa_cli.md 
@@ -0,0 +1,78 @@ ++++ +title = "opa_cli resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "opa_cli" + identifier = "inspec/resources/os/opa_cli.md opa_cli resource" + parent = "inspec/resources/os" ++++ + +Use the `opa_cli` Chef InSpec audit resource to query the OPA using the OPA policy file, data file and query. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `opa_cli` resource + + describe opa_cli(policy: "example.rego", data: "input.json", query: "data.example.allow") do + its(["result"]) { should eq "value" } + end + +where + +- `data` specifies the json formatted input data or file path. +- `policy` the path to policy file. +- `query` specifies the query to be run. +- `its(["result"]) { should eq "value" }` compares the results of the query against the expected result in the test + +## parameters + +`opa_cli` resource InSpec resource accepts `policy`, `data`, `query` and `opa_executable_path` + +### `policy` _(required)_ + +Path to the OPA policy file. + +### `data` _(required)_ + +This accepts input.json file or input data in json format. + +### `query` _(required)_ + +Query input required to be evaluated against policy and input data. + +### `opa_executable_path` + +This is the full path to the OPA bindary or exe file used for running opa cli or opa commands. Default it will consider that the path is added in PATH variable. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test the key management configuration options + + describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do + its(["result", 0, "expressions", 0, "value"]) { should eq true } + its("allow") { should eq "true" } + end + +Above example shows how `allow` value can be fetched in 2 ways. 
+ +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). + +### allow + +The `allow` matcher checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. + + its('allow') { should eq 'value' } diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index 228527b04..a27bf5da7 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -6,6 +6,7 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" + attr_reader :result def initialize(content) @content = content super({content: @content}) diff --git a/lib/inspec/resources/opa_api.rb b/lib/inspec/resources/opa_api.rb index c72c3b106..49f4eb751 100644 --- a/lib/inspec/resources/opa_api.rb +++ b/lib/inspec/resources/opa_api.rb @@ -9,9 +9,9 @@ module Inspec::Resources attr_reader :allow def initialize(opts={}) - @url = opts[:url] - @data = opts[:data] - fail_resource "policy and data are the mandatory for executing OPA." if @url.nil? && @data.nil? + @url = opts[:url] || nil + @data = opts[:data] || nil + fail_resource "OPA url and data are mandatory." if @url.nil? || @data.nil? @content = load_result super(@content) end diff --git a/lib/inspec/resources/opa_cli.rb b/lib/inspec/resources/opa_cli.rb index 2417c2617..ba5d16aa6 100644 --- a/lib/inspec/resources/opa_cli.rb +++ b/lib/inspec/resources/opa_cli.rb 
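Review bot: In the lib/inspec/resources/opa_api.rb hunk, `initialize` still goes on to `@content = load_result` after `fail_resource`, so a missing `url` or `data` reaches the request code unless `load_result` checks `resource_failed?` first. The `load_result` in opa_cli.rb does that check, but the one for this file is outside the hunk and should be confirmed. The added `|| nil` on both assignments does nothing useful, because a missing key already yields nil; `@url = opts[:url]` and `@data = opts[:data]` say the same thing.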
@@ -9,10 +9,11 @@ module Inspec::Resources attr_reader :allow def initialize(opts = {}) + @opa_executable_path = opts[:opa_executable_path] || "opa" #if this path is not provided then we will assume that it's been set in the ENV PATH @policy = opts[:policy] || nil @data = opts[:data] || nil @query = opts[:query] || nil - fail_resource "policy and data are the mandatory for executing OPA." if @policy.nil? && @data.nil? + fail_resource "OPA policy, data and query are mandatory." if @policy.nil? || @data.nil? || @query.nil? @content = load_result super(@content) end @@ -30,7 +31,7 @@ module Inspec::Resources def load_result raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? - result = inspec.command("opa eval -i '#{@data}' -d '#{@policy}' '#{@query}'") + result = inspec.command("#{@opa_executable_path} eval -i '#{@data}' -d '#{@policy}' '#{@query}'") if result.exit_status == 0 result.stdout.gsub("\n", "") else From 7d33d203953447ba381ef8cef95ba3937739663f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Jul 2021 16:17:12 +0530 Subject: [PATCH 297/483] Removed unwated content from docs Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 2 -- docs-chef-io/content/inspec/resources/opa_cli.md | 2 -- 2 files changed, 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index ba0d5fa0d..b45541699 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -49,8 +49,6 @@ This accepts input.json file or input data in json format. The following examples show how to use this Chef InSpec audit resource. -### Test the key management configuration options - describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do its(["result"]) { should eq true } its("allow") { should eq "true" } 
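Review bot: In lib/inspec/resources/opa_cli.rb, the `load_result` hunk builds the shell command by string interpolation, and the new `@opa_executable_path` goes in with no quoting at all while `@data`, `@policy` and `@query` are only wrapped in single quotes. A path containing a space breaks the command, and a value containing a single quote or shell metacharacters changes what the target shell executes; all four values come from profile code or inputs. Escape each piece before interpolating: `require "shellwords"` and `inspec.command("#{@opa_executable_path.shellescape} eval -i #{@data.shellescape} -d #{@policy.shellescape} #{@query.shellescape}")`. `Shellwords` implements POSIX shell quoting, and the resource also declares `supports platform: "windows"`, so Windows targets need their own quoting path. The trailing comment on the `@opa_executable_path` line would read better on its own line above the assignment.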
diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index 957de4a35..e95175fa7 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -58,8 +58,6 @@ This is the full path to the OPA bindary or exe file used for running opa cli or The following examples show how to use this Chef InSpec audit resource. -### Test the key management configuration options - describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } From e6d0277593960bf14fa50ec5fcb5bc5310ca703f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 9 Jul 2021 16:26:21 +0530 Subject: [PATCH 298/483] Few minor changes in the docs Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 4 +++- docs-chef-io/content/inspec/resources/opa_cli.md | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index b45541699..274a8e31b 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -60,8 +60,10 @@ Above example shows how `allow` value can be fetched in 2 ways. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). +## Properties + ### allow -The `allow` matcher checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. +The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. its('allow') { should eq 'value' } 
diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index e95175fa7..8e6dc62f6 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -69,8 +69,11 @@ Above example shows how `allow` value can be fetched in 2 ways. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). +## Properties + ### allow -The `allow` matcher checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. +The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. its('allow') { should eq 'value' } + From 89b0f95c75d9f2803f35e9d562f90ea72bccc4a4 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 9 Jul 2021 16:31:39 +0530 Subject: [PATCH 299/483] Using os_env resource to read ORACLE_HOME env in oracle listener conf resource Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracle.rb | 5 +++-- .../resources/oracledb_listener_conf.rb | 12 ++++++++--- test/fixtures/cmd/env | 1 + .../cmd/fetch-oracle-listener-in-linux | 1 - test/helpers/mock_loader.rb | 7 +++---- test/unit/resources/command_test.rb | 2 +- .../resources/oracledb_listener_conf_test.rb | 20 +++++++++++++++---- 7 files changed, 33 insertions(+), 15 deletions(-) delete mode 100644 test/fixtures/cmd/fetch-oracle-listener-in-linux diff --git a/lib/inspec/resources/oracle.rb b/lib/inspec/resources/oracle.rb index 1e05fd2c8..6425e87c0 100644 --- a/lib/inspec/resources/oracle.rb +++ b/lib/inspec/resources/oracle.rb 
@@ -26,7 +26,8 @@ module Inspec::Resources private def determine_conf_dir_and_path_in_linux - oracle_home = inspec.command("echo $ORACLE_HOME").stdout.lines.first&.chomp + oracle_home = inspec.os_env("ORACLE_HOME").content + if oracle_home.nil? || oracle_home.empty? warn "$ORACLE_HOME env value not set in the system" nil @@ -44,7 +45,7 @@ module Inspec::Resources end def determine_conf_dir_and_path_in_windows - oracle_home = inspec.powershell("$Env:ORACLE_HOME").stdout.lines.first&.chomp + oracle_home = inspec.os_env("ORACLE_HOME").content if oracle_home.nil? || oracle_home.empty? warn "ORACLE_HOME env value not set in the system" diff --git a/lib/inspec/resources/oracledb_listener_conf.rb b/lib/inspec/resources/oracledb_listener_conf.rb index 645be83ed..25f10faf2 100644 --- a/lib/inspec/resources/oracledb_listener_conf.rb +++ b/lib/inspec/resources/oracledb_listener_conf.rb @@ -21,9 +21,15 @@ module Inspec::Resources include ObjectTraverser def initialize(conf_path = nil) - oracle = inspec.oracle - @conf_path = conf_path || oracle.conf_path - if oracle.resource_failed? + oracle = nil + if conf_path.nil? + oracle = inspec.oracle + @conf_path = oracle.conf_path + else + @conf_path = conf_path + end + + if oracle && oracle.resource_failed? raise oracle.resource_exception_message elsif @conf_path.nil? return skip_resource "Oracle Listener conf path is not set" diff --git a/test/fixtures/cmd/env b/test/fixtures/cmd/env index 6540f0235..bf82033b2 100644 --- a/test/fixtures/cmd/env +++ b/test/fixtures/cmd/env @@ -1 +1,2 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ORACLE_HOME=/opt/oracle/product/18c/dbhomeXE diff --git a/test/fixtures/cmd/fetch-oracle-listener-in-linux b/test/fixtures/cmd/fetch-oracle-listener-in-linux deleted file mode 100644 index 90d166693..000000000 --- a/test/fixtures/cmd/fetch-oracle-listener-in-linux +++ /dev/null @@ -1 +0,0 @@ -/opt/oracle/product/18c/dbhomeXE \ No newline at end of file 
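Review bot: In the lib/inspec/resources/oracledb_listener_conf.rb hunk, `if oracle && oracle.resource_failed?` can use safe navigation, `if oracle&.resource_failed?`, which the oracle.rb code removed in this same commit already used (`lines.first&.chomp`). The `oracle = nil` initialisation exists only so the later check can see the variable; a short comment such as `# oracle stays nil when the caller supplies conf_path, so no ORACLE_HOME lookup is made` would make that intent explicit. The rest of `initialize` continues outside the hunk.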
diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 7440d708f..3abe0eb13 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -111,8 +111,8 @@ class MockLoader "/etc/mysql/my.cnf" => mockfile.call("mysql.conf"), "/etc/mysql/mysql2.conf" => mockfile.call("mysql2.conf"), "/etc/mongod.conf" => mockfile.call("mongod.conf"), - "$ORACLE_HOME/network/admin/listener.ora" => mockfile.call("listener.ora"), - "$ORACLE_HOME\\network\\admin\\listener.ora" => mockfile.call("listener.ora"), + "/opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora" => mockfile.call("listener.ora"), + "C:\\app\\Administrator\\product\\18.0.0\\dbhomeXE\\network\\admin\\listener.ora" => mockfile.call("listener.ora"), "/etc/rabbitmq/rabbitmq.config" => mockfile.call("rabbitmq.config"), "kitchen.yml" => mockfile.call("kitchen.yml"), "example.csv" => mockfile.call("example.csv"), @@ -485,8 +485,7 @@ class MockLoader # oracle "sh -c 'type \"sqlplus\"'" => cmd.call("oracle-cmd"), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call("oracle-result"), - "echo $ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-linux"), - "$Env:ORACLE_HOME" => cmd.call("fetch-oracle-listener-in-windows"), + "${Env:ORACLE_HOME}" => cmd.call("fetch-oracle-listener-in-windows"), # nginx mock cmd %{nginx -V 2>&1} => cmd.call("nginx-v"), %{/usr/sbin/nginx -V 2>&1} => cmd.call("nginx-v"), diff --git a/test/unit/resources/command_test.rb b/test/unit/resources/command_test.rb index 822867d22..a69097607 100644 --- a/test/unit/resources/command_test.rb +++ b/test/unit/resources/command_test.rb 
@@ -15,7 +15,7 @@ describe Inspec::Resources::Cmd do it "runs a valid mocked command" do _(resource("env").result).wont_be_nil - _(resource("env").stdout).must_equal "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n" + _(resource("env").stdout).must_include "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\n" _(resource("env").stderr).must_equal "" _(resource("env").exit_status).must_equal 0 end diff --git a/test/unit/resources/oracledb_listener_conf_test.rb b/test/unit/resources/oracledb_listener_conf_test.rb index 1c1654988..ce83ca9d3 100644 --- a/test/unit/resources/oracledb_listener_conf_test.rb +++ b/test/unit/resources/oracledb_listener_conf_test.rb 
@@ -3,14 +3,26 @@ require "inspec/resource" require "inspec/resources/oracledb_listener_conf" describe "Inspec::Resources::OracledbListenerConf" do - it "verify listener settings of oracle DB in linux" do - resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", "$ORACLE_HOME/network/admin/listener.ora") + it "verify listener settings of oracle DB in linux when listener conf path is passed" do + resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", "/opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora") _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end - it "verify listener settings of oracle DB in windows" do - resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", "$ORACLE_HOME\\network\\admin\\listener.ora") + it "verify listener settings of oracle DB in windows when listener conf path is passed" do + resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", "C:\\app\\Administrator\\product\\18.0.0\\dbhomeXE\\network\\admin\\listener.ora") + _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" + _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" + end + + it "verify listener settings of oracle DB in linux when listener conf path is not passed" do + resource = MockLoader.new(:centos7).load_resource("oracledb_listener_conf", nil) + _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" + _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" + end + + it "verify listener settings of oracle DB in windows when listener conf path is not passed" do + resource = MockLoader.new(:windows).load_resource("oracledb_listener_conf", nil) _(resource.params["DEFAULT_SERVICE_LISTENER"]).must_equal "XE" _(resource.params["EM_EXPRESS_PORT"]).must_equal "5500" end From a16e9fcf45192c124a50204bf0b3cf411f87dca9 Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Fri, 9 Jul 2021 19:03:14 +0530 Subject: [PATCH 300/483] Tag based filtering for controls - initial commit Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/cli.md | 4 ++ lib/inspec/base_cli.rb | 2 + lib/inspec/cli.rb | 2 + lib/inspec/control_eval_context.rb | 45 ++++++++++++++++++- lib/inspec/profile.rb | 27 ++++++++++- lib/inspec/runner.rb | 2 + .../profiles/control-tags/controls/example.rb | 29 ++++++++++++ .../fixtures/profiles/control-tags/inspec.yml | 7 +++ test/functional/inspec_exec_test.rb | 45 +++++++++++++++++++ 9 files changed, 160 insertions(+), 3 deletions(-) create mode 100644 test/fixtures/profiles/control-tags/controls/example.rb create mode 100644 test/fixtures/profiles/control-tags/inspec.yml diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index ca822c988..a8c8fe08e 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -272,6 +272,8 @@ This subcommand has additional options: Read configuration from JSON file (`-` reads from stdin). * ``--controls=one two three`` A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests. +* ``--tags=one two three`` + A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests. And when tag on the control is a hashmap, it only uses values of hashmap for filtering controls. * ``--create-lockfile``, ``--no-create-lockfile`` Write out a lockfile based on this execution (unless one already exists) * ``--distinct-exit``, ``--no-distinct-exit`` 
@@ -379,6 +381,8 @@ This subcommand has additional options: * ``--controls=one two three`` A list of controls to include. Ignore all other tests. +* ``--tags=one two three`` + A list of tags to filter controls and include only those. Ignore all other tests. * ``-o``, ``--output=OUTPUT`` Save the created profile to a path * ``--profiles-path=PROFILES_PATH`` diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 337c6930f..46ecc61f1 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb @@ -136,6 +136,8 @@ module Inspec profile_options option :controls, type: :array, desc: "A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests." + option :tags, type: :array, + desc: "A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests." option :reporter, type: :array, banner: "one two:/output/file/path", desc: "Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml" diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 5f4a97e8c..5ed5baa91 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb @@ -65,6 +65,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI desc: "Save the created profile to a path" option :controls, type: :array, desc: "A list of controls to include. Ignore all other tests." + option :tags, type: :array, + desc: "A list of tags to filter controls and include only those. Ignore all other tests." profile_options def json(target) require "json" unless defined?(JSON) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index fd38d7d4f..019ad0b2a 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb 
@@ -53,12 +53,23 @@ module Inspec def control(id, opts = {}, &block) opts[:skip_only_if_eval] = @skip_only_if_eval - if control_exist_in_controls_list?(id) || controls_list_empty? + tag_ids = control_tags(&block) + if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids) register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)) end end + alias rule control + def control_tags(&block) + tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") } + tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.gsub(/([^:]*):/, "") } }.flatten + output = tag_source.map { |src| src.gsub(/\[|\]/, "") }.map { |src| instance_eval(src) } + output.compact.uniq + rescue => e + raise "Unable to fetch control tags: #{e.class} -- #{e.message}" + end + # Describe allows users to write rspec-like bare describe # blocks without declaring an inclosing control. Here, we # generate a control for them automatically and then execute @@ -74,7 +85,9 @@ module Inspec res = describe(*args, &block) end - if control_exist_in_controls_list?(id) || controls_list_empty? + tag_ids = control_tags(&block) + + if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids) register_control(rule, &block) end 
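Review bot: `control_tags` in lib/inspec/control_eval_context.rb recovers tags by taking `block.source`, cutting it up on newlines, commas and colons, and passing the pieces to `instance_eval`, and it is called for every control (and again in the `describe` hunk below) even when no `--tags` filter was given. Because of the `rescue => e` followed by `raise`, a block whose source cannot be read, or a tag line the string handling mangles (a value containing a comma or colon, a tag spread over several lines), aborts profile loading for users who never asked for tag filtering. At minimum guard the call in both hunks: `tag_ids = tags_list_empty? ? [] : control_tags(&block)`. Evaluating text cut out of the control body is also a second execution of profile expressions, in the eval context rather than inside the rule. If the `Inspec::Rule` built on the following line exposes the tags it collected, reading them from there would remove both the parsing and the `instance_eval`; that API is not visible in this hunk, so confirm before changing.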
@@ -187,11 +200,19 @@ module Inspec !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty? end + def profile_tag_config_exist? + !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty? + end + # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included def controls_list_empty? !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty? end + def tags_list_empty? + !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? + end + # Check if the given control exist in the --controls option def control_exist_in_controls_list?(id) id_exist_in_list = false @@ -203,5 +224,25 @@ module Inspec end id_exist_in_list end + + # Check if the given control exist in the --tags option + def tag_exist_in_control_tags?(tag_ids) + tag_option_matches_with_list = false + if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist? + tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty? + unless tag_option_matches_with_list + @conf["profile"].include_tags_list.any? do |inclusion| + # Try to see if the inclusion is a regex, and if it matches + if inclusion.is_a?(Regexp) + tag_ids.each do |id| + tag_option_matches_with_list = (inclusion =~ id) + break if tag_option_matches_with_list + end + end + end + end + end + tag_option_matches_with_list + end end end diff --git a/lib/inspec/profile.rb b/lib/inspec/profile.rb index d6ef8736f..5444e3f11 100644 --- a/lib/inspec/profile.rb +++ b/lib/inspec/profile.rb @@ -87,6 +87,7 @@ module Inspec @logger = options[:logger] || Logger.new(nil) @locked_dependencies = options[:dependencies] @controls = options[:controls] || [] + @tags = options[:tags] || [] @writable = options[:writable] || false @profile_id = options[:id] @profile_name = options[:profile_name] 
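Review bot: `tag_exist_in_control_tags?` in lib/inspec/control_eval_context.rb checks `!tag_ids.empty?` before `!tag_ids.nil?`, so a nil argument raises NoMethodError before the nil check can run. It also uses `any?` purely for its side effect, and it returns the match offset from `inclusion =~ id` rather than a boolean. `=~` also raises TypeError when a tag value is not a String or Symbol, which can happen because `control_tags` evaluates whatever expression follows `tag` (an integer, for example). The version below keeps the literal-or-regex semantics, returns true or false, and compares regexes against `id.to_s`.

```ruby
    def tag_exist_in_control_tags?(tag_ids)
      return false if tag_ids.nil? || tag_ids.empty? || !profile_tag_config_exist?

      @conf["profile"].include_tags_list.any? do |inclusion|
        if inclusion.is_a?(Regexp)
          tag_ids.any? { |id| inclusion.match?(id.to_s) }
        else
          tag_ids.include?(inclusion)
        end
      end
    end
```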
@@ -206,7 +207,7 @@ module Inspec @params ||= load_params end - def collect_tests(include_list = @controls) + def collect_tests unless @tests_collected || failed? return unless supports_platform? @@ -253,6 +254,30 @@ module Inspec included_controls end + # This creates the list of controls to be filtered by tag values provided in the --tags options + def include_tags_list + return [] if @tags.nil? || @tags.empty? + + included_tags = @tags + # Check for anything that might be a regex in the list, and make it official + included_tags.each_with_index do |inclusion, index| + next if inclusion.is_a?(Regexp) + # Insist the user wrap the regex in slashes to demarcate it as a regex + next unless inclusion.start_with?("/") && inclusion.end_with?("/") + + inclusion = inclusion[1..-2] # Trim slashes + begin + re = Regexp.new(inclusion) + included_tags[index] = re + rescue RegexpError => e + warn "Ignoring unparseable regex '/#{inclusion}/' in --control CLI option: #{e.message}" + included_tags[index] = nil + end + end + included_tags.compact! + included_tags + end + def load_libraries return @runner_context if @libraries_loaded diff --git a/lib/inspec/runner.rb b/lib/inspec/runner.rb index 7ba10bcc0..0dd48fdfc 100644 --- a/lib/inspec/runner.rb +++ b/lib/inspec/runner.rb @@ -50,6 +50,7 @@ module Inspec @conf[:logger] ||= Logger.new(nil) @target_profiles = [] @controls = @conf[:controls] || [] + @tags = @conf[:tags] || [] @depends = @conf[:depends] || [] @create_lockfile = @conf[:create_lockfile] @cache = Inspec::Cache.new(@conf[:vendor_cache]) @@ -199,6 +200,7 @@ module Inspec vendor_cache: @cache, backend: @backend, controls: @controls, + tags: @tags, runner_conf: @conf) raise "Could not resolve #{target} to valid input." if profile.nil? diff --git a/test/fixtures/profiles/control-tags/controls/example.rb b/test/fixtures/profiles/control-tags/controls/example.rb new file mode 100644 index 000000000..b96cfdc2b --- /dev/null 
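Review bot: The warning in the new `include_tags_list` (lib/inspec/profile.rb) names the wrong option; it should read `warn "Ignoring unparseable regex '/#{inclusion}/' in --tags CLI option: #{e.message}"`. The method also rewrites `@tags` in place (`included_tags = @tags`, then index assignment and `compact!`), and that array is the one the runner passed in from its configuration, so the caller's list is silently changed; working on `@tags.dup`, or memoising the converted list, avoids that. In the first hunk of this file `collect_tests` loses its `include_list` parameter, so any caller still passing an argument would raise ArgumentError; callers are not visible here and should be checked.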
+++ b/test/fixtures/profiles/control-tags/controls/example.rb @@ -0,0 +1,29 @@ +control "basic" do + tag "tag1" + tag severity: nil + tag data: "tag2" + tag data_arr: ["tag3", "tag4"] + describe(true) { it { should eq true } } +end + +control "tag keyword used in control name and tag value" do + tag "tag5" + describe(true) { it { should eq true } } +end + +control "multiple tags in one line" do + tag "tag6", "tag7", "tagname with space" + tag data1: "tag8", data2: "tag9" + tag data_arr1: ["tag10", "tag11"], data_arr2: ["tag12", "tag13"] + describe(true) { it { should eq true } } +end + +control "all different formats of tags in one line" do + tag "tag14", data: "tag15", data_arr: ["tag16", "tag17"] + describe(true) { it { should eq true } } +end + +control "failure control" do + tag "tag18" + describe(true) { it { should eq false } } +end \ No newline at end of file diff --git a/test/fixtures/profiles/control-tags/inspec.yml b/test/fixtures/profiles/control-tags/inspec.yml new file mode 100644 index 000000000..3f6f25a6b --- /dev/null +++ b/test/fixtures/profiles/control-tags/inspec.yml @@ -0,0 +1,7 @@ +name: control-tags +title: InSpec Profile for testing filtering on controls using tags +license: Apache-2.0 +summary: An InSpec Compliance Profile for testing filtering on controls using tags +version: 0.1.0 +supports: + platform: os \ No newline at end of file diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index b4410ca26..b64fac272 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
@@ -237,6 +237,51 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 100, out end + it "executes only specified controls when selecting the controls by literal single tag name" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags tag1") + _(stdout).must_include "true is expected to eq true\n" + _(stdout).must_include "Test Summary: 1 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls when selecting the controls by literal multiple tag names" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags tag1 tag5 tag6 tag17 'tagname with space'") + _(stdout).must_include "true is expected to eq true\n" + _(stdout).must_include "Test Summary: 4 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls when selecting the controls by using regex on tags" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags '/\s+/'") + _(stdout).must_include "true is expected to eq true\n" + _(stdout).must_include "Test Summary: 1 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls when selecting failing controls by using literal name of tag" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags tag18") + _(stdout).must_include "true is expected to eq false\n" + _(stdout).must_include "Test Summary: 0 successful, 1 failure, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 100, out + end + + it "executes only specified controls when selecting failing controls by using regex on tags" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags '/(18)/'") + _(stdout).must_include "true is expected to eq false\n" + 
_(stdout).must_include "Test Summary: 0 successful, 1 failure, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 100, out + end + it "reports whan a profile cannot be loaded" do inspec("exec " + File.join(profile_path, "raise_outside_control") + " --no-create-lockfile") _(stdout).must_match(/Profile:[\W]+InSpec Profile \(raise_outside_control\)/) From 69b15b6e64cc09e82a1b6099811f437912fa8c6f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 14 Jul 2021 14:27:01 +0530 Subject: [PATCH 301/483] Fix range usage in filter table Signed-off-by: Nikita Mathur --- lib/inspec/utils/filter.rb | 2 +- test/unit/utils/filter_table_test.rb | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/lib/inspec/utils/filter.rb b/lib/inspec/utils/filter.rb index e08550425..435732dda 100644 --- a/lib/inspec/utils/filter.rb +++ b/lib/inspec/utils/filter.rb @@ -256,7 +256,7 @@ module FilterTable end def matches(x, y) - x === y # rubocop:disable Style/CaseEquality + y === x # rubocop:disable Style/CaseEquality end def filter_raw_data(current_raw_data, field, desired_value) diff --git a/test/unit/utils/filter_table_test.rb b/test/unit/utils/filter_table_test.rb index 681cf90c6..7f1238bd1 100644 --- a/test/unit/utils/filter_table_test.rb +++ b/test/unit/utils/filter_table_test.rb @@ -35,6 +35,11 @@ describe FilterTable do _(resource.new(nil).where { false }.params).must_equal [] end + it "supports range" do + factory.add_accessor(:where).connect(resource, :data) + _(instance.where({ foo: (3..5) }).params).must_equal [data[0]] + end + it "retrieves the resource from all entries" do factory.add_accessor(:where) .add(:baz?) { |x| x.resource } # rubocop: disable Style/SymbolProc 
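Review bot: In test/functional/inspec_exec_test.rb, the regex test passes `--tags '/\s+/'` inside a double-quoted Ruby string, where `\s` is the escape for a literal space, so the command line actually receives `/ +/`. The test still passes because the only tag with whitespace contains plain spaces, but it does not exercise the `\s` class it appears to. Write the argument as `'/\\s+/'`, or build that part of the command with a single-quoted Ruby string.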
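Review bot: `matches` in lib/inspec/utils/filter.rb carries no comment saying which argument must be the receiver of `===`, and that ordering is the entire fix here. Since `x` and `y` give no hint, add a comment above the body such as `# y is the desired value and must be the receiver, so Range#===, Regexp#=== and Class#=== are applied to the data value x`. It is also worth confirming that no caller relied on the old order with a Regexp or Class on the data side; the callers are outside this hunk.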
@@ -181,4 +186,16 @@ describe FilterTable do _(instance.baz(/zzz/).params).must_equal [] end end + + describe "with a range filter" do + before { factory.add(:foo).connect(resource, :data) } + + it "filter and retrieves data with matching range" do + _(instance.foo((3..5)).params).must_equal [data[0]] + end + + it "filter and retrieves empty result if no data in matching range" do + _(instance.foo((4..5)).params).must_equal [] + end + end end From b4ad811f059969bee5380390359938f823f8ae42 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 15 Jul 2021 17:43:11 +0530 Subject: [PATCH 302/483] Fix for null insecure option Signed-off-by: Nikita Mathur --- lib/inspec/cached_fetcher.rb | 4 ++-- lib/inspec/fetcher.rb | 6 +++--- lib/inspec/plugin/v1/registry.rb | 8 ++++++-- lib/inspec/profile.rb | 10 +++++++--- 4 files changed, 18 insertions(+), 10 deletions(-) diff --git a/lib/inspec/cached_fetcher.rb b/lib/inspec/cached_fetcher.rb index 3cc91617a..4b5823168 100644 --- a/lib/inspec/cached_fetcher.rb +++ b/lib/inspec/cached_fetcher.rb @@ -6,9 +6,9 @@ module Inspec extend Forwardable attr_reader :cache, :target, :fetcher - def initialize(target, cache) + def initialize(target, cache, opts = {}) @target = target - @fetcher = Inspec::Fetcher::Registry.resolve(target) + @fetcher = Inspec::Fetcher::Registry.resolve(target, opts) if @fetcher.nil? raise("Could not fetch inspec profile in #{target.inspect}.") diff --git a/lib/inspec/fetcher.rb b/lib/inspec/fetcher.rb index c3f49d779..a29d7f460 100644 --- a/lib/inspec/fetcher.rb +++ b/lib/inspec/fetcher.rb @@ -2,12 +2,12 @@ require "inspec/plugin/v1" module Inspec class FetcherRegistry < PluginRegistry - def resolve(target) + def resolve(target, opts = {}) if fetcher_specified?(target) - super(target) + super(target, opts) else Inspec::Log.debug("Assuming default supermarket source for #{target}") - super(with_default_fetcher(target)) + super(with_default_fetcher(target), opts) end end 
diff --git a/lib/inspec/plugin/v1/registry.rb b/lib/inspec/plugin/v1/registry.rb index 42b39818d..28f632f0b 100644 --- a/lib/inspec/plugin/v1/registry.rb +++ b/lib/inspec/plugin/v1/registry.rb @@ -9,9 +9,13 @@ class PluginRegistry # # @param [String] target to resolve # @return [Plugin] plugin instance if it can be resolved, nil otherwise - def resolve(target) + def resolve(target, opts = {}) modules.each do |m| - res = m.resolve(target) + res = if [Inspec::Fetcher::Url, Inspec::Fetcher::Git, Supermarket::Fetcher].include? m + m.resolve(target, opts) + else + m.resolve(target) + end return res unless res.nil? end nil diff --git a/lib/inspec/profile.rb b/lib/inspec/profile.rb index d6ef8736f..b21ae7309 100644 --- a/lib/inspec/profile.rb +++ b/lib/inspec/profile.rb @@ -18,9 +18,9 @@ module Inspec class Profile extend Forwardable - def self.resolve_target(target, cache) + def self.resolve_target(target, cache, opts = {}) Inspec::Log.debug "Resolve #{target} into cache #{cache.path}" - Inspec::CachedFetcher.new(target, cache) + Inspec::CachedFetcher.new(target, cache, opts) end # Check if the profile contains a vendored cache, move content into global cache @@ -70,7 +70,11 @@ module Inspec def self.for_target(target, opts = {}) opts[:vendor_cache] ||= Cache.new - fetcher = resolve_target(target, opts[:vendor_cache]) + config = {} + unless opts[:runner_conf].nil? || opts[:runner_conf].empty? + config = opts[:runner_conf].respond_to?(:final_options) ? opts[:runner_conf].final_options : opts[:runner_conf] + end + fetcher = resolve_target(target, opts[:vendor_cache], config) for_fetcher(fetcher, opts) end From 8e755063c5bf71b089e710e1a3cae466e6534a1b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 16 Jul 2021 14:09:33 +0530 Subject: [PATCH 303/483] Doc review changes for --tags option Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/cli.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
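Review bot: `resolve` in the generic `PluginRegistry` hard-codes `Inspec::Fetcher::Url`, `Inspec::Fetcher::Git` and `Supermarket::Fetcher`, so any other fetcher plugin silently never receives `opts`. The method presumably also raises NameError if one of those constants is not loaded when it runs. Since the commit is about the insecure option, a fetcher outside the list would ignore the user's setting without any log line, which is hard to diagnose. Deciding by signature avoids both problems, for example `res = m.method(:resolve).parameters.length > 1 ? m.resolve(target, opts) : m.resolve(target)`.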
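Review bot: `for_target` now hands the runner's whole option set (`final_options`, or `runner_conf` itself) to `resolve_target`, and from there to every fetcher that accepts `opts`, although the commit subject says only the insecure option is needed. Runner options can carry unrelated settings, possibly including target credentials, so forwarding all of them widens what fetcher code can read and log. Passing only the keys the fetchers use, selected with `Hash#slice`, would keep the change minimal; the key names need confirming against the fetchers, which are outside this patch view. `resolve_target` itself is changed in the previous hunk of the same file.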
diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index a8c8fe08e..43bfe77eb 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -272,8 +272,6 @@ This subcommand has additional options: Read configuration from JSON file (`-` reads from stdin). * ``--controls=one two three`` A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests. -* ``--tags=one two three`` - A list of tags names that are part of controls to filter and run controls, or a list of /regexes/ to match against tags names of controls. Ignore all other tests. And when tag on the control is a hashmap, it only uses values of hashmap for filtering controls. * ``--create-lockfile``, ``--no-create-lockfile`` Write out a lockfile based on this execution (unless one already exists) * ``--distinct-exit``, ``--no-distinct-exit`` @@ -338,6 +336,8 @@ This subcommand has additional options: Simple targeting option using URIs, e.g. ssh://user:pass@host:port * ``--target-id=TARGET_ID`` Provide a ID which will be included on reports +* ``--tags=one two three`` + A list of tags, a list of regular expressions that match tags, or a hash map where each value is a tag. `exec` will run controls referenced by the listed or matching tags. * ``--user=USER`` The login user for a remote scan. * ``--vendor-cache=VENDOR_CACHE`` 
@@ -381,12 +381,12 @@ This subcommand has additional options: * ``--controls=one two three`` A list of controls to include. Ignore all other tests. -* ``--tags=one two three`` - A list of tags to filter controls and include only those. Ignore all other tests. * ``-o``, ``--output=OUTPUT`` Save the created profile to a path * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. +* ``--tags=one two three`` + A list of tags that reference certain controls. Other controls are ignored. * ``--vendor-cache=VENDOR_CACHE`` Use the given path for caching dependencies. (default: ~/.inspec/cache) From bc429a27f1fd1dd45b2c2e1caa6fac3f24ae988f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 19 Jul 2021 13:46:54 +0530 Subject: [PATCH 304/483] Fixed issue for apache conf when serverRoot is not configured Signed-off-by: Nikita Mathur --- lib/inspec/resources/apache_conf.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/inspec/resources/apache_conf.rb b/lib/inspec/resources/apache_conf.rb index 31ac74932..8b34075ae 100644 --- a/lib/inspec/resources/apache_conf.rb +++ b/lib/inspec/resources/apache_conf.rb @@ -101,12 +101,14 @@ module Inspec::Resources include_files_optional = params["IncludeOptional"] || [] includes = [] - (include_files + include_files_optional).each do |f| - id = Pathname.new(f).absolute? ? f : File.join(conf_dir, f) - files = find_files(id, depth: 1, type: "file") - files += find_files(id, depth: 1, type: "link") + unless conf_dir.nil? + (include_files + include_files_optional).each do |f| + id = Pathname.new(f).absolute? ? f : File.join(conf_dir, f) + files = find_files(id, depth: 1, type: "file") + files += find_files(id, depth: 1, type: "link") - includes.push(files) if files + includes.push(files) if files + end end # [].flatten! == nil From 1e8363587ed98a476831883f5aa960126f5ac6ce Mon Sep 17 00:00:00 2001 
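Review bot: Wrapping the whole loop in `unless conf_dir.nil?` also skips `Include` and `IncludeOptional` entries that are absolute paths, which never needed `conf_dir` (see `Pathname.new(f).absolute? ? f : File.join(conf_dir, f)`). With `ServerRoot` unset the resource then reports only the main file, so a control that checks a directive set in an absolutely-included file is evaluated on incomplete data without any warning. Guarding per entry keeps those files: make `next if conf_dir.nil? && !Pathname.new(f).absolute?` the first line of the block, ideally with a log message for each relative include that is skipped. The enclosing method starts and ends outside the hunk.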
From: Nikita Mathur Date: Mon, 19 Jul 2021 14:39:25 +0530 Subject: [PATCH 305/483] Test case to test apache_conf when server root is not configured Signed-off-by: Nikita Mathur --- .../fixtures/files/apache2_server_root_void.conf | 4 ++++ test/helpers/mock_loader.rb | 16 ++++++++++++++-- test/unit/resources/apache_conf_test.rb | 9 +++++++++ 3 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 test/fixtures/files/apache2_server_root_void.conf diff --git a/test/fixtures/files/apache2_server_root_void.conf b/test/fixtures/files/apache2_server_root_void.conf new file mode 100644 index 000000000..fa03b6c57 --- /dev/null +++ b/test/fixtures/files/apache2_server_root_void.conf @@ -0,0 +1,4 @@ +# This is the modified Apache server configuration file. It contains comments. +# ServerRoot "/etc/apache2" --> This is commented to test non configuration of serverRoot. +ServerAlias inspec.test www.inspec.test io.inspec.test +Include ports.conf \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 4ed1805f2..b243053ca 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -88,7 +88,7 @@ class MockLoader mockfile.call("emptyfile") } - mock.files = { + mock_files = { "/proc/net/bonding/bond0" => mockfile.call("bond0"), "/etc/ssh/ssh_config" => mockfile.call("ssh_config"), "/etc/ssh/sshd_config" => mockfile.call("sshd_config"), @@ -118,7 +118,6 @@ class MockLoader "nonexistent.json" => mockfile.call("nonexistent.json"), "/sys/class/net/br0/bridge" => mockdir.call(true), "rootwrap.conf" => mockfile.call("rootwrap.conf"), - "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf"), "/etc/apache2/ports.conf" => mockfile.call("ports.conf"), "/etc/httpd/conf/httpd.conf" => mockfile.call("httpd.conf"), "/etc/httpd/conf.d/ssl.conf" => mockfile.call("ssl.conf"), 
@@ -175,6 +174,19 @@ class MockLoader "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"), } + if @platform[:name] == "ubuntu" && @platform[:release] == "14.04" + mock_files.merge!( + "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf") + ) + elsif @platform[:name] == "ubuntu" && @platform[:release] == "15.04" + # using this ubuntu version to test apache_conf with non configured server root in conf file + mock_files.merge!( + "/etc/apache2/apache2.conf" => mockfile.call("apache2_server_root_void.conf") + ) + end + + mock.files = mock_files + # create all mock commands cmd = lambda { |x| stdout = ::File.read(::File.join(scriptpath, "/fixtures/cmd/" + x)) diff --git a/test/unit/resources/apache_conf_test.rb b/test/unit/resources/apache_conf_test.rb index f5e5ef0d3..c15e302bd 100644 --- a/test/unit/resources/apache_conf_test.rb +++ b/test/unit/resources/apache_conf_test.rb @@ -21,6 +21,15 @@ describe "Inspec::Resources::ApacheConf" do ENABLE_USR_LIB_CGI_BIN} end + it "reads values successfully from apache2.conf and ignores Include, IncludeOptional params when server root is not configured" do + resource = MockLoader.new(:ubuntu1504).load_resource("apache_conf", "/etc/apache2/apache2.conf") + _(resource.params).must_be_kind_of Hash + _(resource.content).must_be_kind_of String + _(resource.params("ServerAlias")).must_equal ["inspec.test www.inspec.test io.inspec.test"] + assert_nil(resource.params("ServerRoot")) + assert_nil(resource.params("Listen")) + end + # non debian style httpd it "reads values in httpd.conf and from Include, IncludeOptional params" do resource = MockLoader.new(:centos6).load_resource("apache_conf", From f0ca02a1c56c74ad5a69411dbb5d93d081f769a3 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 19 Jul 2021 14:43:56 +0530 Subject: [PATCH 306/483] Adds unit test for opa_api and opa_cli resource 
Signed-off-by: Vasu1105 --- lib/inspec/resources/opa_api.rb | 2 +- lib/inspec/resources/opa_cli.rb | 4 +++- test/fixtures/cmd/opa-api-result | 1 + test/fixtures/cmd/opa-result | 16 ++++++++++++++++ test/helpers/mock_loader.rb | 2 ++ test/unit/resources/opa_api_test.rb | 23 +++++++++++++++++++++++ test/unit/resources/opa_cli_test.rb | 23 +++++++++++++++++++++++ 7 files changed, 69 insertions(+), 2 deletions(-) create mode 100644 test/fixtures/cmd/opa-api-result create mode 100644 test/fixtures/cmd/opa-result create mode 100644 test/unit/resources/opa_api_test.rb create mode 100644 test/unit/resources/opa_cli_test.rb diff --git a/lib/inspec/resources/opa_api.rb b/lib/inspec/resources/opa_api.rb index 49f4eb751..d179215ef 100644 --- a/lib/inspec/resources/opa_api.rb +++ b/lib/inspec/resources/opa_api.rb @@ -11,7 +11,7 @@ module Inspec::Resources def initialize(opts={}) @url = opts[:url] || nil @data = opts[:data] || nil - fail_resource "OPA url and data are mandatory." if @url.nil? || @data.nil? + fail_resource "OPA url and data are mandatory." if @url.nil? || @url.empty? || @data.nil? || @data.empty? @content = load_result super(@content) end diff --git a/lib/inspec/resources/opa_cli.rb b/lib/inspec/resources/opa_cli.rb index ba5d16aa6..3dd56b871 100644 --- a/lib/inspec/resources/opa_cli.rb +++ b/lib/inspec/resources/opa_cli.rb @@ -13,7 +13,9 @@ module Inspec::Resources @policy = opts[:policy] || nil @data = opts[:data] || nil @query = opts[:query] || nil - fail_resource "OPA policy, data and query are mandatory." if @policy.nil? || @data.nil? || @query.nil? + if (@policy.nil? || @policy.empty?) || (@data.nil? || @data.empty?) || (@query.nil? || @query.empty?) + fail_resource "OPA policy, data and query are mandatory." + end @content = load_result super(@content) end diff --git a/test/fixtures/cmd/opa-api-result b/test/fixtures/cmd/opa-api-result new file mode 100644 index 000000000..94c35ef2a --- /dev/null +++ b/test/fixtures/cmd/opa-api-result 
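Review bot: After the extended nil/empty check in `opa_api.rb` reports the failure, `initialize` still continues to `@content = load_result`. Unless `fail_resource` raises (its definition is not shown here), the external command is run with a nil or empty url and data anyway. Skipping `load_result` once validation has failed, for example by guarding it with `unless resource_failed?`, would avoid running a malformed command on the target; the `opa_cli.rb` hunk in this commit has the same shape. Calling `empty?` also assumes the options are strings, so a non-string value would raise NoMethodError instead of producing the intended message.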
@@ -0,0 +1 @@ +{"result":["ci","busybox"]} diff --git a/test/fixtures/cmd/opa-result b/test/fixtures/cmd/opa-result new file mode 100644 index 000000000..ae6ca515c --- /dev/null +++ b/test/fixtures/cmd/opa-result @@ -0,0 +1,16 @@ +{ + "result": [ + { + "expressions": [ + { + "value": false, + "text": "data.example.allow", + "location": { + "row": 1, + "col": 1 + } + } + ] + } + ] +} diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 300540fa4..bafbd01c1 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -566,6 +566,8 @@ class MockLoader "semodule -lfull" => cmd.call("semodule-lfull"), "semanage boolean -l -n" => cmd.call("semanage-boolean"), "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), + "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), + "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result") } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb new file mode 100644 index 000000000..bb24a9d90 --- /dev/null +++ b/test/unit/resources/opa_api_test.rb 
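Review bot: The mocked `curl -X POST ... -d @v1-data-input.json` key shows the url and data values placed on the command line unquoted, while the `opa eval` key single-quotes each argument. If `opa_api` builds this string by interpolating its `url` and `data` options (its `load_result` is not part of this patch view), whitespace or shell metacharacters in a profile-supplied value would change the command that runs on the target. Escaping each value with `Shellwords.escape` in the resource, and updating this mock key to match, would close that gap. The single quotes used on the `opa eval` line do not by themselves protect against a value that contains a quote.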
@@ -0,0 +1,23 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/opa_api" + +describe "Inspec::Resources::OpaApi" do + it "verify opa api query result parsing" do + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input.json") + _(resource.params["result"]).must_equal ["ci", "busybox"] + _(resource.params["result"]).must_include "ci" + end + + it "fails when url or data is nil." do + resource = load_resource("opa_api") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "OPA url and data are mandatory." + end + + it "fails when url or data is empty." do + resource = load_resource("opa_api", url: "", data: "") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "OPA url and data are mandatory." + end +end diff --git a/test/unit/resources/opa_cli_test.rb b/test/unit/resources/opa_cli_test.rb new file mode 100644 index 000000000..7d7df9f33 --- /dev/null +++ b/test/unit/resources/opa_cli_test.rb 
@@ -0,0 +1,23 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/opa_cli" + +describe "Inspec::Resources::OpaCli" do + it "verify opa eval query result parsing" do + resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.allow") + _(resource.params["result"][0]["expressions"][0]["value"]).must_equal false + _(resource.allow).must_equal false + end + + it "fails when policy, data or query is nil." do + resource = load_resource("opa_cli") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "OPA policy, data and query are mandatory." + end + + it "fails when empty string passed for options policy, data or query." do + resource = load_resource("opa_cli", policy: "", data: "", query: "") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "OPA policy, data and query are mandatory." + end +end From 6ed14dc7de1efd92b9fde53e60ce2841b7b45db7 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 19 Jul 2021 15:01:31 +0530 Subject: [PATCH 307/483] Fix lint Signed-off-by: Vasu1105 --- lib/inspec/resources/opa.rb | 2 +- lib/inspec/resources/opa_api.rb | 4 +--- lib/inspec/resources/opa_cli.rb | 4 +--- test/helpers/mock_loader.rb | 2 +- test/unit/resources/opa_api_test.rb | 2 +- 5 files changed, 5 insertions(+), 9 deletions(-) diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index a27bf5da7..c8e4cfe34 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -9,7 +9,7 @@ module Inspec::Resources attr_reader :result def initialize(content) @content = content - super({content: @content}) + super({ content: @content }) end private diff --git a/lib/inspec/resources/opa_api.rb b/lib/inspec/resources/opa_api.rb index d179215ef..d54b9a18f 100644 --- a/lib/inspec/resources/opa_api.rb +++ b/lib/inspec/resources/opa_api.rb 
@@ -6,9 +6,7 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - attr_reader :allow - - def initialize(opts={}) + def initialize(opts = {}) @url = opts[:url] || nil @data = opts[:data] || nil fail_resource "OPA url and data are mandatory." if @url.nil? || @url.empty? || @data.nil? || @data.empty? diff --git a/lib/inspec/resources/opa_cli.rb b/lib/inspec/resources/opa_cli.rb index 3dd56b871..7fb92dc36 100644 --- a/lib/inspec/resources/opa_cli.rb +++ b/lib/inspec/resources/opa_cli.rb @@ -6,10 +6,8 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - attr_reader :allow - def initialize(opts = {}) - @opa_executable_path = opts[:opa_executable_path] || "opa" #if this path is not provided then we will assume that it's been set in the ENV PATH + @opa_executable_path = opts[:opa_executable_path] || "opa" # if this path is not provided then we will assume that it's been set in the ENV PATH @policy = opts[:policy] || nil @data = opts[:data] || nil @query = opts[:query] || nil diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index bafbd01c1..9055327c5 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -567,7 +567,7 @@ class MockLoader "semanage boolean -l -n" => cmd.call("semanage-boolean"), "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), - "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result") + "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") 
diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index bb24a9d90..f404e8876 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb @@ -5,7 +5,7 @@ require "inspec/resources/opa_api" describe "Inspec::Resources::OpaApi" do it "verify opa api query result parsing" do resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input.json") - _(resource.params["result"]).must_equal ["ci", "busybox"] + _(resource.params["result"]).must_equal %w{ ci busybox } _(resource.params["result"]).must_include "ci" end From 82db157c0686966c8b934a0abf0b0aedb95ceb50 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 19 Jul 2021 17:56:12 +0530 Subject: [PATCH 308/483] Apache conf doc changes for server root requirement and review changes Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/apache_conf.md | 4 ++++ test/helpers/mock_loader.rb | 2 +- test/unit/resources/apache_conf_test.rb | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/apache_conf.md b/docs-chef-io/content/inspec/resources/apache_conf.md index 2a2b2fff8..44d1d3653 100644 --- a/docs-chef-io/content/inspec/resources/apache_conf.md +++ b/docs-chef-io/content/inspec/resources/apache_conf.md @@ -19,6 +19,10 @@ Use the `apache_conf` Chef InSpec audit resource to test the configuration setti This resource is distributed along with Chef InSpec itself. You can use it automatically. +### Requirements + +`ServerRoot` should be included in a apache conf file. If not present the included configs will not be accessible to the resource. + ### Version This resource first became available in v1.0.0 of InSpec. diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index b243053ca..53539b19d 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -174,7 +174,7 @@ class MockLoader "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"), } - if @platform[:name] == "ubuntu" && @platform[:release] == "14.04" + if @platform[:name] == "ubuntu" && @platform[:release] == "18.04" mock_files.merge!( "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf") ) diff --git a/test/unit/resources/apache_conf_test.rb b/test/unit/resources/apache_conf_test.rb index c15e302bd..1b9e99417 100644 --- a/test/unit/resources/apache_conf_test.rb +++ b/test/unit/resources/apache_conf_test.rb @@ -6,7 +6,7 @@ require "hashie" describe "Inspec::Resources::ApacheConf" do # debian style apache2 it "reads values in apache2.conf and from Include, IncludeOptional params" do - resource = MockLoader.new(:ubuntu1404).load_resource("apache_conf", + resource = MockLoader.new(:ubuntu1804).load_resource("apache_conf", "/etc/apache2/apache2.conf") _(resource.params).must_be_kind_of Hash _(resource.content).must_be_kind_of String From 88d5614aaa97e35a827d0eaed487c05d23fb470f Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 20 Jul 2021 17:15:14 +0000 Subject: [PATCH 309/483] Bump version to 4.38.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b7a29d43..5349cbbc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.38.7](https://github.com/inspec/inspec/tree/v4.38.7) (2021-07-08) + +## [v4.38.8](https://github.com/inspec/inspec/tree/v4.38.8) (2021-07-20) -#### Enhancements -- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) @@ -15,6 +15,7 @@ - Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) - Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 5a0594a2d..a3133ecde 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.7 \ No newline at end of file +4.38.8 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index af714a9c4..a28d578c8 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.7".freeze + VERSION = "4.38.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 26e48758f..812ce7e2e 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.7".freeze + VERSION = "4.38.8".freeze end 
From 8763b6e2ea7f39aeedd96b934efb0c2bd7516f0e Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 21 Jul 2021 20:47:14 -0400 Subject: [PATCH 310/483] Use ruby 2.7.4 Signed-off-by: Clinton Wolfe --- omnibus_overrides.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb index 90b88d19a..953cf2b04 100644 --- a/omnibus_overrides.rb +++ b/omnibus_overrides.rb @@ -3,7 +3,7 @@ # grab the current train release from rubygems.org train_stable = /^train \((.*)\)/.match(`gem list ^train$ --remote`)[1] override "train", version: "v#{train_stable}" -override "ruby", version: "2.7.3" +override "ruby", version: "2.7.4" # Mac m1 override "openssl", version: "1.1.1k" if mac_os_x? From e222bda96dd53221a308d5f1b614831d23ea80b1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 22 Jul 2021 00:51:44 +0000 Subject: [PATCH 311/483] Update CHANGELOG.md with details from pull request #5602 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5349cbbc7..eb821102a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.38.8](https://github.com/inspec/inspec/tree/v4.38.8) (2021-07-20) + +## Unreleased #### Merged Pull Requests -- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) +- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) 
@@ -15,6 +15,7 @@ - Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) - Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) - Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) From c9810bec9e481152b2b33bf2b6dbf31f24436128 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Thu, 22 Jul 2021 01:03:49 -0400 Subject: [PATCH 312/483] Remove mention of AWS test from README Signed-off-by: Clinton Wolfe --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 724547db6..e33eee626 100644 --- a/README.md +++ b/README.md @@ -384,11 +384,10 @@ As a reminder, all participants are expected to follow the [Code of Conduct](htt ## Testing Chef InSpec -We offer `unit`, `integration`, and `aws` tests. +We offer `unit` and `integration` tests. - `unit` tests ensure the intended behaviour of the implementation - `integration` tests run against Docker-based VMs via test-kitchen and [kitchen-inspec](https://github.com/chef/kitchen-inspec) -- `aws` tests exercise the AWS resources against real AWS accounts ### Unit tests From c22f609443eff74c4099b2af0b7f6c2a17a91045 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Thu, 22 Jul 2021 05:09:17 +0000 Subject: [PATCH 313/483] Bump version to 4.38.9 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 6 ++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb821102a..9538b4421 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,10 @@ # Change Log - -## Unreleased + +## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22) #### Merged Pull Requests +- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) @@ -15,6 +16,7 @@ - Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) - Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index a3133ecde..5511d2722 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.8 \ No newline at end of file +4.38.9 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index a28d578c8..8ee135428 100644 
--- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.8".freeze + VERSION = "4.38.9".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 812ce7e2e..373ec6d07 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.8".freeze + VERSION = "4.38.9".freeze end From aa888cf909babaec2e0015dd797883aa742bc202 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 22 Jul 2021 13:32:21 +0530 Subject: [PATCH 314/483] Build fix - virtulization test was failing Signed-off-by: Nikita Mathur --- test/helpers/mock_loader.rb | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 53539b19d..28aa57001 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -174,15 +174,17 @@ class MockLoader "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"), } - if @platform[:name] == "ubuntu" && @platform[:release] == "18.04" - mock_files.merge!( - "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf") - ) - elsif @platform[:name] == "ubuntu" && @platform[:release] == "15.04" - # using this ubuntu version to test apache_conf with non configured server root in conf file - mock_files.merge!( - "/etc/apache2/apache2.conf" => mockfile.call("apache2_server_root_void.conf") - ) + if @platform + if @platform[:name] == "ubuntu" && @platform[:release] == "18.04" + mock_files.merge!( + "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf") + ) + elsif @platform[:name] == "ubuntu" && @platform[:release] == "15.04" + # using this ubuntu version to test apache_conf with non configured server root in conf file + mock_files.merge!( + "/etc/apache2/apache2.conf" => mockfile.call("apache2_server_root_void.conf") + ) + end end mock.files = mock_files From 239d14f716062e2501ed4e0dd52838b78aaeb4f7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 22 Jul 2021 09:25:32 +0000 Subject: [PATCH 315/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 36 ++++++++++++++++-------------------- Dockerfile | 2 +- 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9538b4421..77d7eadaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,29 +1,26 @@ # Change Log - -## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22) - -#### Merged Pull Requests -- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) + - -### Changes since 4.38.3 release - -#### Enhancements -- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) -- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) - -#### Merged Pull Requests -- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) -- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) -- Oracle Session Exception Handling [#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) + +## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22) + +#### Enhancements +- Remove default port for mssql_session, allowing named connections [#5584](https://github.com/inspec/inspec/pull/5584) ([Nik08](https://github.com/Nik08)) +- Update postgresql resources to normalize it for platform supports [#5576](https://github.com/inspec/inspec/pull/5576) ([Vasu1105](https://github.com/Vasu1105)) + +#### Merged Pull Requests +- Oracle Session Exception Handling 
[#5567](https://github.com/inspec/inspec/pull/5567) ([Nik08](https://github.com/Nik08)) +- Waiver file expiration dates misinterpretation fix [#5586](https://github.com/inspec/inspec/pull/5586) ([Nik08](https://github.com/Nik08)) +- Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) +- Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) + + ## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02) #### Merged Pull Requests @@ -31,7 +28,6 @@ - Fix AWS secret key environment variable name in docs [#5566](https://github.com/inspec/inspec/pull/5566) ([sandratiffin](https://github.com/sandratiffin)) - Fix relative links [#5556](https://github.com/inspec/inspec/pull/5556) ([IanMadd](https://github.com/IanMadd)) - Misc updates to the README [#5526](https://github.com/inspec/inspec/pull/5526) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.37.30](https://github.com/inspec/inspec/tree/v4.37.30) (2021-06-16) diff --git a/Dockerfile b/Dockerfile index 3245f8205..ecb4216fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.38.3 +ARG VERSION=4.38.9 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 625fa744422b1c84f8b76d45d59369f5db567659 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 22 Jul 2021 17:31:13 +0530 Subject: [PATCH 316/483] Build fix Signed-off-by: Nikita Mathur --- lib/inspec/plugin/v1/registry.rb | 2 +- lib/inspec/profile.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/inspec/plugin/v1/registry.rb b/lib/inspec/plugin/v1/registry.rb index 28f632f0b..47b81144f 100644 --- a/lib/inspec/plugin/v1/registry.rb +++ b/lib/inspec/plugin/v1/registry.rb @@ -11,7 +11,7 @@ class PluginRegistry # @return [Plugin] plugin instance if it can be resolved, nil otherwise def resolve(target, opts = {}) modules.each do |m| - res = if [Inspec::Fetcher::Url, Inspec::Fetcher::Git, Supermarket::Fetcher].include? m + res = if Inspec::Fetcher::Url == m m.resolve(target, opts) else m.resolve(target) diff --git a/lib/inspec/profile.rb b/lib/inspec/profile.rb index b21ae7309..57beaf929 100644 --- a/lib/inspec/profile.rb +++ b/lib/inspec/profile.rb @@ -71,7 +71,7 @@ module Inspec def self.for_target(target, opts = {}) opts[:vendor_cache] ||= Cache.new config = {} - unless opts[:runner_conf].nil? || opts[:runner_conf].empty? + unless opts[:runner_conf].nil? config = opts[:runner_conf].respond_to?(:final_options) ? opts[:runner_conf].final_options : opts[:runner_conf] end fetcher = resolve_target(target, opts[:vendor_cache], config) From aeed833f2f85124a744ddee4d3848255b5edb00f Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 26 Jul 2021 12:51:35 +0530 Subject: [PATCH 317/483] Build fix Signed-off-by: Nikita Mathur --- lib/inspec/control_eval_context.rb | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 019ad0b2a..a062d84a5 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb 
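Review bot: In `resolve`, the condition `Inspec::Fetcher::Url == m` now passes `opts` only to the URL fetcher, so `Inspec::Fetcher::Git` and `Supermarket::Fetcher` are resolved with `m.resolve(target)` and never see the caller's options. If those options carry transport or authentication settings (not visible in this hunk), the Git and Supermarket paths would fall back to their defaults without any signal, and the commit message "Build fix" does not say this is intended. A comment should state why only the URL fetcher takes options, for example `# only Fetcher::Url accepts opts; the other fetchers take the target alone`, and the test reads more naturally as `if m == Inspec::Fetcher::Url`. The method body continues outside the hunk.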
@@ -63,11 +63,11 @@ module Inspec def control_tags(&block) tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") } - tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.gsub(/([^:]*):/, "") } }.flatten - output = tag_source.map { |src| src.gsub(/\[|\]/, "") }.map { |src| instance_eval(src) } + tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.sub(/([^:]*):/, "") } }.flatten + output = tag_source.map { |src| src.sub(/\[|\]/, "") }.map { |src| instance_eval(src) } output.compact.uniq - rescue => e - raise "Unable to fetch control tags: #{e.class} -- #{e.message}" + rescue + [] end # Describe allows users to write rspec-like bare describe @@ -85,9 +85,7 @@ module Inspec res = describe(*args, &block) end - tag_ids = control_tags(&block) - - if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids) + if controls_list_empty? || control_exist_in_controls_list?(id) register_control(rule, &block) end From 77de1f023e3224b6d1b121322b46a7936d8a6dbe Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 27 Jul 2021 11:41:10 +0530 Subject: [PATCH 318/483] Fix documentation review comments. Signed-off-by: Vasu1105 --- .../inspec/resources/mongodb_session.md | 35 ++++++++++--------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/mongodb_session.md b/docs-chef-io/content/inspec/resources/mongodb_session.md index 2d4e37d66..12c96b944 100644 --- a/docs-chef-io/content/inspec/resources/mongodb_session.md +++ b/docs-chef-io/content/inspec/resources/mongodb_session.md 
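Review bot: In `control_tags`, `src.sub(/\[|\]/, "")` strips only the first bracket, so a fragment that still holds both (a one-element array value such as `["x"]`) reaches `instance_eval` with a stray `]`; that raises `SyntaxError`, which the new bare `rescue` does not catch because it covers `StandardError` only. Keep `gsub(/\[|\]/, "")` on that line, and have the handler name what it catches and report it instead of returning `[]` silently, e.g. `rescue StandardError, SyntaxError => e` followed by a warning log. `instance_eval` here runs text cut out of the control block's source, so a failure or side effect in a tag expression is worth surfacing rather than hiding. The second hunk in this file (`@@ -85,9 +85,7 @@`) removes the only call to `control_tags` visible in this patch, so the method may now be unused; if it is, deleting it is simpler than keeping a string-eval helper around.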
@@ -21,7 +21,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -A `mongodb_session` resource block declares the `user`, `password`, 'database' to use for the session, and then the command to be run: +A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run: describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do its("params") { should match(/expected-result/) } 
@@ -29,62 +29,63 @@ A `mongodb_session` resource block declares the `user`, `password`, 'database' t where -- `mongodb_session` declares a user, password and database, connecting locally, with permission to run the query. +- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query. - `query` contains the query to be run. - `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test ### Optional Parameters -`mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, `auth_mech_properties`. +The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters. In Particular: #### `host` -Defaults to `127.0.0.1` +The server host IP address. Default value: `127.0.0.1`. #### `port` -Defaults to `27017` +The server port. Default value: `27017`. #### `auth_mech` -Defaults to `:scram`. The available opitions are `:scram256`, `:mongodb_x509`, `:aws`. Refer this [docs](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/) for more understanding about these options. +The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`. + +See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information. #### `auth_source` -Defaults to given database name. `database` name is mandatory. +The database where the user’s authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource. #### `ssl` -Defaults to false. Set `true ` to use ssl transport. 
For ssl realted options also refer to this [docs](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/#client-certificate-x-509) for more understanding. +Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information. #### 'ssl_cert' -Path to ssl certificate file. +Path to the SSL certificate file. #### `ssl_ca_cert` -Path to ssl ca cert file. +Path to the SSL Certificate Authority (CA) certificate file. #### `ssl_key` -Path to ssl key file. +Path to SSL key file. #### `auth_mech_properties` -This accepts hash of authetication mechanism properties. This option is generally used with `aws` auth mechanism. Example of this is given in this docs [here](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/#aws) +A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information. -### MongodDB query reference docs +### MongodDB Query Reference Documentation -This resource is using mongo ruby driver to fetch the data. -[MongoDB Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/master/tutorials/ruby-driver-authentication/) +This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data. ## Examples The following examples show how to use this Chef InSpec audit resource. -### Test the roles information using rolesInfo command of MongoDB +### Test the roles information using the `rolesInfo` command in MongoDB. 
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do its(["role"]) { should eq "dbAdmin" } @@ -96,7 +97,7 @@ The following examples show how to use this Chef InSpec audit resource. its(["role"]) { should eq "readWrite" } end -### Test the params +### Test the database parameters. describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do its("params") { should_not be_empty } From da9693a4ff515f256385e9deb1ee6a83492e45c0 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 27 Jul 2021 12:15:46 +0530 Subject: [PATCH 319/483] Fix documentation review comments. Signed-off-by: Vasu1105 --- .../content/inspec/resources/opa_api.md | 14 +++++++------- .../content/inspec/resources/opa_cli.md | 19 +++++++++---------- 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index 274a8e31b..23a4f0619 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `opa_api` Chef InSpec audit resource to query the OPA using the OPA url and data. +Use the `opa_api` Chef InSpec audit resource to query Open Policy Agent (OPA) using the OPA URL and data. ## Availability @@ -21,7 +21,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -A `opa_api` resource +An `opa_api` resource block declares OPA policy configurations that can be tested. describe opa_api(url: "localhost:8181/v1/data/example/violation", data: "input.json") do its(["result"]) { should eq 'value' } 
@@ -31,19 +31,19 @@ where - `'url'` specifies the url of the OPA server on which OPA is running. - `'data'` specifies the json formatted data or json file. -- `its(["result"]) { should eq 'value' }` compares the results of the query against the expected result in the test +- `its(["returned_result"]) { should eq 'expected_result' }` compares the results of the query against the expected result in the test. ## parameters -`opa_api` resource InSpec resource accepts `url` and `data` +The `opa_api` resource InSpec resource requires a `url` and `data` as a JSON file or a string in JSON format. ### `url` _(required)_ -URL of the OPA API server. +The URL of the OPA API server. ### `data` _(required)_ -This accepts input.json file or input data in json format. +An OPA query as a JSON data file or a string in JSON format. ## Examples @@ -54,7 +54,7 @@ The following examples show how to use this Chef InSpec audit resource. its("allow") { should eq "true" } end -Above example shows how `allow` value can be fetched in 2 ways. +The above example shows how the `allow` value can be fetched in two ways. ## Matchers diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index 8e6dc62f6..ee1bebdc4 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `opa_cli` Chef InSpec audit resource to query the OPA using the OPA policy file, data file and query. +Use the `opa_cli` Chef InSpec audit resource to query Open Policy Agent (OPA) using an OPA policy file, a data file, and a query. ## Availability 
@@ -21,7 +21,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -A `opa_cli` resource +An `opa_cli` resource block declares OPA policy configurations that can be tested. describe opa_cli(policy: "example.rego", data: "input.json", query: "data.example.allow") do its(["result"]) { should eq "value" } @@ -36,34 +36,34 @@ where ## parameters -`opa_cli` resource InSpec resource accepts `policy`, `data`, `query` and `opa_executable_path` +The `opa_cli` resource InSpec resource accepts `policy`, `data`, `query`, and `opa_executable_path` as parameters. ### `policy` _(required)_ -Path to the OPA policy file. +The path to the OPA policy file. ### `data` _(required)_ -This accepts input.json file or input data in json format. +An OPA query as a JSON data file or a string in JSON format. ### `query` _(required)_ -Query input required to be evaluated against policy and input data. +The query to be evaluated against policy and input data. ### `opa_executable_path` -This is the full path to the OPA bindary or exe file used for running opa cli or opa commands. Default it will consider that the path is added in PATH variable. +This is the full path to the OPA binary or EXE file used for running the OPA CLI or OPA commands. By default it will consider that the path is added in PATH variable. ## Examples -The following examples show how to use this Chef InSpec audit resource. +The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end -Above example shows how `allow` value can be fetched in 2 ways. +The above example shows how the `allow` value can be fetched in two ways. ## Matchers 
@@ -76,4 +76,3 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. its('allow') { should eq 'value' } - From 2d5a53cbb56dd73066564fe378890bddbdb041a7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Jul 2021 02:49:00 +0000 Subject: [PATCH 320/483] Bump version to 4.39.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 77d7eadaa..1e9f11b03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.39.0](https://github.com/inspec/inspec/tree/v4.39.0) (2021-07-28) + +#### New Features +- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) - + +### Changes since 4.38.9 release + +#### New Features +- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 5511d2722..e9a25b934 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.38.9 \ No newline at end of file +4.39.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8ee135428..2cdc25042 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.38.9".freeze + VERSION = "4.39.0".freeze end 
diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 373ec6d07..032cea78b 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.38.9".freeze + VERSION = "4.39.0".freeze end From b8c75ea967ada003e54bcca438a1d856359df05c Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Jul 2021 02:56:24 +0000 Subject: [PATCH 321/483] Bump version to 4.40.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e9f11b03..940d4eb66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.39.0](https://github.com/inspec/inspec/tree/v4.39.0) (2021-07-28) + +## [v4.40.0](https://github.com/inspec/inspec/tree/v4.40.0) (2021-07-28) -#### New Features -- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.38.9 release +#### Merged Pull Requests +- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) + #### New Features - Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index e9a25b934..0d31afb82 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.39.0 \ No newline at end of file +4.40.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 2cdc25042..7df82f1af 100644 
--- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.39.0".freeze + VERSION = "4.40.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 032cea78b..9a6f6ad17 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.39.0".freeze + VERSION = "4.40.0".freeze end From 1e380c1f43ec305aada87b7e78ccffb953c7d153 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 28 Jul 2021 03:16:20 +0000 Subject: [PATCH 322/483] Bump version to 4.41.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 940d4eb66..cf1113a40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.40.0](https://github.com/inspec/inspec/tree/v4.40.0) (2021-07-28) + +## [v4.41.0](https://github.com/inspec/inspec/tree/v4.41.0) (2021-07-28) #### Merged Pull Requests -- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) +- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) ### Changes since 4.38.9 release #### Merged Pull Requests +- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) - Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) #### New Features diff --git a/VERSION b/VERSION index 0d31afb82..c846d802e 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.40.0 \ No newline at end of file +4.41.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 7df82f1af..8a2fbab91 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.40.0".freeze + VERSION = "4.41.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 9a6f6ad17..e6a8c1a20 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.40.0".freeze + VERSION = "4.41.0".freeze end From d6eaf54d0095be7871aeea7cd7cd54adcf0c14a1 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 28 Jul 2021 10:34:14 +0530 Subject: [PATCH 323/483] Fix the typo in documentation file Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index 23a4f0619..97d0192dc 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -7,7 +7,7 @@ platform = "os" [menu] [menu.inspec] title = "opa_api" - identifier = "inspec/resources/os/opa_api.md mongodb_conf resource" + identifier = "inspec/resources/os/opa_api.md opa_api resource" parent = "inspec/resources/os" +++ From 856ef4e31bca64008c6bfeac3537be978f3d8b0b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 28 Jul 2021 12:47:48 +0530 Subject: [PATCH 324/483] Chef license accept fix to show license accepted message and quit when no other option/command passed Signed-off-by: Nikita Mathur --- lib/inspec/base_cli.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/lib/inspec/base_cli.rb b/lib/inspec/base_cli.rb index 337c6930f..77b32a931 100644 --- a/lib/inspec/base_cli.rb +++ b/lib/inspec/base_cli.rb @@ -43,11 +43,15 @@ module Inspec begin if (allowed_commands & ARGV.map(&:downcase)).empty? && # Did they use a non-exempt command? !ARGV.empty? # Did they supply at least one command? - LicenseAcceptance::Acceptor.check_and_persist( + license_acceptor_output = LicenseAcceptance::Acceptor.check_and_persist( Inspec::Dist::EXEC_NAME, Inspec::VERSION, logger: Inspec::Log ) + if license_acceptor_output && ARGV.count == 1 && (ARGV.first.include? "--chef-license") + Inspec::UI.new.exit + end + license_acceptor_output end rescue LicenseAcceptance::LicenseNotAcceptedError Inspec::Log.error "#{Inspec::Dist::PRODUCT_NAME} cannot execute without accepting the license" From 16455e978f27b0168dd60ac31d2140e5ffb63121 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 29 Jul 2021 17:50:50 +0530 Subject: [PATCH 325/483] Build fix - Html proofer version fixed for ruby version 2.5 Signed-off-by: Nikita Mathur --- Gemfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index f0f052e40..0122a3001 100644 --- a/Gemfile +++ b/Gemfile @@ -30,7 +30,11 @@ end group :test do gem "chefstyle", "~> 2.0.3" gem "concurrent-ruby", "~> 1.0" - gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows + if Gem.ruby_version.to_s.start_with?("2.5") + gem "html-proofer", "= 3.19.1" , platforms: :ruby # do not attempt to run proofer on windows + else + gem "html-proofer", platforms: :ruby # do not attempt to run proofer on windows + end gem "json_schemer", ">= 0.2.1", "< 0.2.19" gem "m" gem "minitest-sprint", "~> 1.0" From 4cf34764bc3c7c6ffa693061c2ca73ff23410a56 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Wed, 11 Aug 2021 13:12:44 -0400 Subject: [PATCH 326/483] Pin mongo gem to 2.13.2 to avoid broken symlink 
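Review bot: The early-exit test `ARGV.count == 1 && (ARGV.first.include? "--chef-license")` matches only a single-token invocation, so if the acceptor also takes the value as a separate argument (`--chef-license accept`; not confirmed from this hunk), ARGV has two entries and the run falls through to normal command handling instead of exiting. `include?` is also a substring match, so any lone argument that merely contains that text triggers the exit; `ARGV.first.start_with?("--chef-license")` is the tighter check. The two-argument form needs either its own case or a comment saying it is deliberately excluded. The surrounding method starts and ends outside the hunk.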
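Review bot: In the Gemfile `:test` group, the html-proofer pin is selected with `Gem.ruby_version.to_s.start_with?("2.5")`, a string-prefix test on a version number; comparing versions states the intent directly, e.g. `if Gem.ruby_version < Gem::Version.new("2.6")`, provided older interpreters should take the pinned branch too. The pinned line has a stray space before the comma (`"= 3.19.1" , platforms: :ruby`). The reason for the pin is not recorded either; a comment such as `# html-proofer releases after 3.19.1 fail on Ruby 2.5` (to be confirmed against the failing build) would tell maintainers when the branch can be dropped.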
Signed-off-by: Clinton Wolfe --- inspec.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.gemspec b/inspec.gemspec index 6ada2c46f..34a0a64f9 100644 --- a/inspec.gemspec +++ b/inspec.gemspec @@ -33,5 +33,5 @@ Gem::Specification.new do |spec| spec.add_dependency "train-habitat", "~> 0.1" spec.add_dependency "train-aws", "~> 0.1" spec.add_dependency "train-winrm", "~> 0.2" - spec.add_dependency "mongo" + spec.add_dependency "mongo", "= 2.13.2" # 2.14 introduces a broken symlink in mongo-2.14.0/spec/support/ocsp end From d17025d28fbae2b95c742a179745ba776c0b2893 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 11 Aug 2021 17:53:54 +0000 Subject: [PATCH 327/483] Bump version to 4.41.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf1113a40..6d53cf485 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
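Review bot: `spec.add_dependency "mongo", "= 2.13.2"` is an exact pin on a runtime dependency of the gem, so every installation is held on that one driver release and cannot pick up any later 2.13.x fix, security fixes included, without a new InSpec release. The comment says the breakage starts at 2.14, so a bounded range keeps the workaround without freezing the patch level: `spec.add_dependency "mongo", "~> 2.13.2"` (or `"< 2.14"`). The inline comment could also reference a tracking issue or state the condition under which the upper bound can be removed.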
@@ -1,15 +1,18 @@ # Change Log - -## [v4.41.0](https://github.com/inspec/inspec/tree/v4.41.0) (2021-07-28) + +## [v4.41.1](https://github.com/inspec/inspec/tree/v4.41.1) (2021-08-11) -#### Merged Pull Requests -- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) +#### Bug Fixes +- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.38.9 release +#### Bug Fixes +- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) - Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index c846d802e..0045a4272 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.0 \ No newline at end of file +4.41.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8a2fbab91..f127341f9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.0".freeze + VERSION = "4.41.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index e6a8c1a20..8c01aa58d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.0".freeze + VERSION = "4.41.1".freeze end From bf02e12b0fa2b027b00f7f80493cb2abbda4e93c Mon Sep 17 00:00:00 2001 
From: Tom Duffield Date: Fri, 13 Aug 2021 09:29:10 -0500 Subject: [PATCH 328/483] Remove empty .gitmodules file Signed-off-by: Tom Duffield --- .gitmodules | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .gitmodules diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index e69de29bb..000000000 From 8b5e752ba3dfc016161b09129e6a93f45dc68de1 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Fri, 13 Aug 2021 22:42:10 +0000 Subject: [PATCH 329/483] Update CHANGELOG.md with details from pull request #5616 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d53cf485..4233d3471 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.41.1](https://github.com/inspec/inspec/tree/v4.41.1) (2021-08-11) + +## Unreleased -#### Bug Fixes -- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) +#### Merged Pull Requests +- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) @@ -14,6 +14,7 @@ - Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) - Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) - Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) From 185ae692fb7e737bad08ab53b8db8afadbb84ce6 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Fri, 13 Aug 2021 23:57:34 +0000 Subject: [PATCH 330/483] Bump version to 4.41.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 6 ++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4233d3471..13ca2e96f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,10 @@ # Change Log - -## Unreleased + +## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-13) #### Merged Pull Requests +- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) - Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) @@ -14,6 +15,7 @@ - Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) - Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) - Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) - Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 0045a4272..0290066b0 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.1 \ No newline at end of file +4.41.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f127341f9..2e9d07003 100644 
--- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.1".freeze + VERSION = "4.41.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8c01aa58d..1eb89022e 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.1".freeze + VERSION = "4.41.2".freeze end From 433909874fa515dfebde7c4fabf894bddb88ed06 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 16 Aug 2021 19:57:05 +0000 Subject: [PATCH 331/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 38 +++++++++++++++++--------------------- Dockerfile | 2 +- 2 files changed, 18 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 13ca2e96f..fc3f3098c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,30 +1,27 @@ # Change Log - -## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-13) - -#### Merged Pull Requests -- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) -- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) + - -### Changes since 4.38.9 release - -#### Bug Fixes -- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) - -#### Merged Pull Requests -- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) -- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) -- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) -- Add mongodb_session resource and docs. [#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) - -#### New Features -- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) + +## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16) + +#### New Features +- Add support for OPA: add resource opa_cli and opa_api [#5592](https://github.com/inspec/inspec/pull/5592) ([Vasu1105](https://github.com/Vasu1105)) + +#### Bug Fixes +- Pin mongo gem to 2.13.2 to avoid broken symlink [#5615](https://github.com/inspec/inspec/pull/5615) ([clintoncwolfe](https://github.com/clintoncwolfe)) + +#### Merged Pull Requests +- Add mongodb_session resource and docs. 
[#5572](https://github.com/inspec/inspec/pull/5572) ([Vasu1105](https://github.com/Vasu1105)) +- Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) +- Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) +- Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) + + ## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22) #### Enhancements @@ -37,7 +34,6 @@ - Need to back out x25519 gem as its causing issues for ssh [#5590](https://github.com/inspec/inspec/pull/5590) ([Vasu1105](https://github.com/Vasu1105)) - Use ruby 2.7.4 [#5602](https://github.com/inspec/inspec/pull/5602) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Remove mention of AWS tests from README [#5603](https://github.com/inspec/inspec/pull/5603) ([clintoncwolfe](https://github.com/clintoncwolfe)) - ## [v4.38.3](https://github.com/inspec/inspec/tree/v4.38.3) (2021-07-02) diff --git a/Dockerfile b/Dockerfile index ecb4216fe..a827507f9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.38.9 +ARG VERSION=4.41.2 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From 7d585646d0e95c1e01b8328f3c71923a16d19c4c Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 18 Aug 2021 00:50:15 +0000 Subject: [PATCH 332/483] Bump version to 4.41.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc3f3098c..81868b95d 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.41.3](https://github.com/inspec/inspec/tree/v4.41.3) (2021-08-18) + +#### Merged Pull Requests +- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) - + +### Changes since 4.41.2 release + +#### Merged Pull Requests +- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 0290066b0..2099ebf49 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.2 \ No newline at end of file +4.41.3 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 2e9d07003..7a323fe39 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.2".freeze + VERSION = "4.41.3".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 1eb89022e..3ebae4c78 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.2".freeze + VERSION = "4.41.3".freeze end From 1bb29048a27e5d70147fe9abcc34eaedec891811 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 18 Aug 2021 00:52:57 +0000 Subject: [PATCH 333/483] Bump version to 4.41.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81868b95d..2ec8e733f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.3](https://github.com/inspec/inspec/tree/v4.41.3) (2021-08-18) + +## [v4.41.4](https://github.com/inspec/inspec/tree/v4.41.4) (2021-08-18) #### Merged Pull Requests -- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) +- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) - Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 2099ebf49..4f174738d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.3 \ No newline at end of file +4.41.4 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 7a323fe39..6fa4cb4ef 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.3".freeze + VERSION = "4.41.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 3ebae4c78..e2a457cbd 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.3".freeze + VERSION = "4.41.4".freeze end From 53f5890c622222300fd27bd7f78e6afffafc205f Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 18 Aug 2021 01:02:14 +0000 Subject: [PATCH 334/483] Bump version to 4.41.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ec8e733f..b3361a7d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.4](https://github.com/inspec/inspec/tree/v4.41.4) (2021-08-18) + +## [v4.41.5](https://github.com/inspec/inspec/tree/v4.41.5) (2021-08-18) #### Merged Pull Requests -- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) +- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) - Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) - Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 4f174738d..886f76f37 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.4 \ No newline at end of file +4.41.5 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 6fa4cb4ef..5e886b72a 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.4".freeze + VERSION = "4.41.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index e2a457cbd..a4a5b6868 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.4".freeze + VERSION = "4.41.5".freeze end From c4eac8ce5a7dba17665126b38f827ac81e835cb8 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 18 Aug 2021 01:05:06 +0000 Subject: [PATCH 335/483] Bump version to 4.41.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b3361a7d3..187f59b40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.5](https://github.com/inspec/inspec/tree/v4.41.5) (2021-08-18) + +## [v4.41.6](https://github.com/inspec/inspec/tree/v4.41.6) (2021-08-18) #### Merged Pull Requests -- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) +- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) - Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) - Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) - Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 886f76f37..0ffefc76d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.5 \ No newline at end of file +4.41.6 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 5e886b72a..6f96f73ac 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.5".freeze + VERSION = "4.41.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a4a5b6868..a71daba33 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.5".freeze + VERSION = "4.41.6".freeze end 
From d85bdbc4e1b66a2041b4727f6ae081f8aace5a06 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 18 Aug 2021 01:07:52 +0000 Subject: [PATCH 336/483] Bump version to 4.41.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 187f59b40..fb56a6069 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.6](https://github.com/inspec/inspec/tree/v4.41.6) (2021-08-18) + +## [v4.41.7](https://github.com/inspec/inspec/tree/v4.41.7) (2021-08-18) #### Merged Pull Requests -- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) +- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) - Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) - Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) - Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 0ffefc76d..740a444e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.6 \ No newline at end of file +4.41.7 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 6f96f73ac..fcb6e61a1 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.6".freeze + VERSION = "4.41.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a71daba33..5df266741 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.6".freeze + VERSION = "4.41.7".freeze end From 2f44f7bd0522646a1992c25bb06fa03f2f3b6a22 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 16 Aug 2021 13:47:26 +0530 Subject: [PATCH 337/483] Update inspec check docs for --format option Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/cli.md | 2 +- lib/inspec/cli.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 43bfe77eb..0a0d7fb35 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -64,7 +64,7 @@ inspec check PATH This subcommand has additional options: * ``--format=FORMAT`` - + The output format to use doc (default), json. If valid format is not provided then it will use the default. * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--vendor-cache=VENDOR_CACHE`` diff --git a/lib/inspec/cli.rb b/lib/inspec/cli.rb index 5ed5baa91..0073d3a8a 100644 --- a/lib/inspec/cli.rb +++ b/lib/inspec/cli.rb 
@@ -93,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI end desc "check PATH", "verify all tests at the specified PATH" - option :format, type: :string + option :format, type: :string, + desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default." profile_options def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength o = config From d1bc86a21434f86b7a5a1a264f98b555e401cfdf Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 17 Aug 2021 16:29:49 +0530 Subject: [PATCH 338/483] Fix postgres_session error Unable to connect to database Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres_session.rb | 6 ------ test/unit/resources/postgres_session_test.rb | 3 +-- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 328cf0631..37b8e3242 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb @@ -46,8 +46,6 @@ module Inspec::Resources @host = host || "localhost" @port = port || 5432 raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? - - test_connection end def query(query, db = []) @@ -65,10 +63,6 @@ module Inspec::Resources private - def test_connection - query("select now()\;") - end - def escaped_query(query) Shellwords.escape(query) end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index 3ce815737..bcf69ad2f 100644 --- a/test/unit/resources/postgres_session_test.rb +++ b/test/unit/resources/postgres_session_test.rb 
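Review bot: The new `desc:` text on `option :format` reads as a run-on ("The output format to use doc (default), json") and is missing articles in its second sentence. Suggested wording: `desc: "The output format to use: doc (default) or json. If a valid format is not provided, the default is used."`. The same sentence is added to docs-chef-io/content/inspec/cli.md in this commit, so both copies should change together. If the fallback really is silent, a mistyped `--format` value in a pipeline that expects JSON would go unnoticed; whether `check` should warn in that case cannot be judged from this hunk, since the method body continues outside it.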
@@ -35,7 +35,6 @@ describe "Inspec::Resources::PostgresSession" do end it "fails when no connection established" do resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432) - _(resource.resource_failed?).must_equal true - _(resource.resource_exception_message).must_include "PostgreSQL query with errors" + _(proc { resource.send(:query, "Select 5;", ["mydatabase"]) }).must_raise Inspec::Exceptions::ResourceFailed end end From e6d4cedbd24543f88f3f275eff0a2dba1e97fa1c Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 20 Aug 2021 14:26:10 +0530 Subject: [PATCH 339/483] Fix merging of included conf and main conf params in apache conf resource Signed-off-by: Nikita Mathur --- lib/inspec/resources/apache_conf.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/apache_conf.rb b/lib/inspec/resources/apache_conf.rb index 8b34075ae..cc90e5d91 100644 --- a/lib/inspec/resources/apache_conf.rb +++ b/lib/inspec/resources/apache_conf.rb @@ -82,7 +82,7 @@ module Inspec::Resources end end - @params.merge!(params) + @params.merge!(params) { |key, current_val, new_val| [*current_val].to_a + [*new_val].to_a } to_read = to_read.drop(1) to_read += include_files(params).find_all do |fp| From 72204bd0fcc41ba800fee05703eed4da67e74da3 Mon Sep 17 00:00:00 2001 From: Thomas Heinen Date: Mon, 23 Aug 2021 14:12:33 +0200 Subject: [PATCH 340/483] Proposed implementation for installation warnings --- .../lib/inspec-plugin-manager-cli/cli_command.rb | 15 ++++++++------- .../test/functional/install_test.rb | 4 ++-- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb index 2e55aed41..6ebb1db52 100644 --- a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb 
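Review bot: The rewritten assertion in "fails when no connection established" checks only the exception class and drops the earlier check on the message text ("PostgreSQL query with errors"), so any `Inspec::Exceptions::ResourceFailed` raised from `query` now satisfies it. Capturing the exception keeps the test specific: `err = _(proc { resource.query("Select 5;", ["mydatabase"]) }).must_raise Inspec::Exceptions::ResourceFailed` followed by `_(err.message).must_include "PostgreSQL query with errors"` (assuming `query` still raises with that text). `query` is defined above the `private` marker in postgres_session.rb, so `send` looks unnecessary. With `test_connection` removed from the constructor, a bad connection surfaces only when a control first calls `query`; a short comment on `initialize` saying so would help profile authors.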
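Review bot: The block passed to `@params.merge!(params)` concatenates every colliding directive, so a setting defined in both the main file and an included file now comes back as a list holding both values, and a control reading it can no longer tell which value Apache treats as effective; the commit adds no test that pins this behaviour. `[*x]` already returns an Array, so the `.to_a` calls are redundant, and the unused `key` parameter should be `_key`: `@params.merge!(params) { |_key, current_val, new_val| [*current_val] + [*new_val] }`. A comment above the line stating that values accumulate in the order the files are read, plus a unit test with one directive set in both files, would make the intended semantics reviewable. The enclosing method starts and ends outside the hunk.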
+++ b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb @@ -232,10 +232,10 @@ module InspecPlugins # Already installed? if registry.known_plugin?(plugin_name.to_sym) - ui.red("Plugin already installed - #{plugin_name} - Use '#{EXEC_NAME} " \ - "plugin list' to see previously installed plugin - " \ - "installation failed.\n") - ui.exit Inspec::UI::EXIT_PLUGIN_ERROR + ui.bold("Plugin already installed - #{plugin_name} - Use '#{EXEC_NAME} " \ + "plugin list' to see previously installed plugin - " \ + "installation failed.\n") + ui.exit Inspec::UI::EXIT_NORMAL end # Can we figure out how to load it? @@ -391,8 +391,9 @@ module InspecPlugins they_explicitly_asked_for_a_version = !options[:version].nil? what_we_would_install_is_already_installed = pre_installed_versions.include?(requested_version) if what_we_would_install_is_already_installed && they_explicitly_asked_for_a_version - ui.red("Plugin already installed at requested version - plugin " \ + ui.bold("Plugin already installed at requested version - plugin " \ "#{plugin_name} #{requested_version} - refusing to install.\n") + ui.exit Inspec::UI::EXIT_NORMAL elsif what_we_would_install_is_already_installed && !they_explicitly_asked_for_a_version ui.red("Plugin already installed at latest version - plugin " \ "#{plugin_name} #{requested_version} - refusing to install.\n") @@ -462,10 +463,10 @@ module InspecPlugins latest_version = latest_version[plugin_name]&.last if pre_update_versions.include?(latest_version) - ui.plain_line("#{ui.red("Already installed at latest version:", print: false)} " \ + ui.plain_line("#{ui.bold("Already installed at latest version:", print: false)} " \ "#{plugin_name} is at #{latest_version}, which the " \ "latest - refusing to update") - ui.exit Inspec::UI::EXIT_PLUGIN_ERROR + ui.exit Inspec::UI::EXIT_NORMAL end end 
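Review bot: In the first hunk the "Plugin already installed" branch now prints with `ui.bold` and exits with `Inspec::UI::EXIT_NORMAL`, but the message still ends in "installation failed", which contradicts the zero exit status that calling scripts will see. Rewording the last fragment to something like `"nothing to install.\n")` would keep the text and the status in agreement. The second hunk has the same mismatch in milder form: "refusing to install" is printed before `ui.exit Inspec::UI::EXIT_NORMAL`. Automation that keys on the exit code of `plugin install` will now treat these cases as success, so the changed codes deserve a line in the CLI documentation. The enclosing methods start and end outside these hunks.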
diff --git a/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb b/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb index 6e17ffa95..60e6b9965 100644 --- a/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb +++ b/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb @@ -131,7 +131,7 @@ class PluginManagerCliInstall < Minitest::Test assert_empty install_result.stderr - assert_exit_code 2, install_result + assert_exit_code 0, install_result end def test_fail_install_from_path_when_the_dir_structure_is_wrong @@ -268,7 +268,7 @@ class PluginManagerCliInstall < Minitest::Test assert_empty install_result.stderr - assert_exit_code 2, install_result + assert_exit_code 0, install_result end def test_refuse_install_when_already_installed_can_update From b24ac70dfca33b20c2b0eb1154a1140100dc7acd Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 23 Aug 2021 12:12:53 +0000 Subject: [PATCH 341/483] Bump version to 4.41.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb56a6069..d9bfb711f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.7](https://github.com/inspec/inspec/tree/v4.41.7) (2021-08-18) + +## [v4.41.8](https://github.com/inspec/inspec/tree/v4.41.8) (2021-08-23) #### Merged Pull Requests -- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) +- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) - Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) - Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) - Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 740a444e9..3cd3079cf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.7 \ No newline at end of file +4.41.8 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index fcb6e61a1..7f45cb41b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.7".freeze + VERSION = "4.41.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 5df266741..f69beeffa 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.7".freeze + VERSION = "4.41.8".freeze end From 096e5cd655ec4f4110a773e9acf00340b3d065ce Mon Sep 17 00:00:00 2001 From: Thomas Heinen Date: Mon, 23 Aug 2021 15:01:17 +0200 Subject: [PATCH 342/483] Fix tests Signed-off-by: Thomas Heinen --- .../lib/inspec-plugin-manager-cli/cli_command.rb | 12 ++++++------ .../test/functional/update_test.rb | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb index 6ebb1db52..7b26ef355 100644 --- a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +++ b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb @@ -397,14 +397,14 @@ module InspecPlugins elsif what_we_would_install_is_already_installed && !they_explicitly_asked_for_a_version ui.red("Plugin already installed at latest version - plugin " \ "#{plugin_name} #{requested_version} - refusing to install.\n") - else - # There are existing versions installed, but none of them are what was requested - ui.red("Update required - plugin #{plugin_name}, requested " \ - "#{requested_version}, have " \ - "#{pre_installed_versions.join(", ")}; use `inspec " \ - "plugin update` - refusing to install.\n") + ui.exit Inspec::UI::EXIT_NORMAL end + # There are existing versions installed, but none of them are what was requested + ui.red("Update required - plugin #{plugin_name}, requested " \ + "#{requested_version}, have " \ + "#{pre_installed_versions.join(", ")}; use `inspec " \ + "plugin update` - refusing to install.\n") ui.exit Inspec::UI::EXIT_PLUGIN_ERROR end diff --git a/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb b/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb index b4a472aa7..48ebbbbdd 100644 
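Review bot: After this hunk the "already installed at latest version" branch exits with `Inspec::UI::EXIT_NORMAL` but still prints through `ui.red`, while the "requested version" branch changed in the previous commit uses `ui.bold` for the same kind of no-op outcome; switching the call to `ui.bold("Plugin already installed at latest version - plugin " \` keeps colour and exit status consistent. Removing the `else` also means the "Update required" message and `EXIT_PLUGIN_ERROR` are reached by fall-through, which is correct only as long as `ui.exit` never returns. A one-line comment such as `# Reached only when neither branch above exited` would record that dependency for the next maintainer. The enclosing method starts and ends outside the hunk.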
--- a/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb +++ b/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb @@ -46,7 +46,7 @@ class PluginManagerCliUpdate < Minitest::Test assert_empty update_result.stderr - assert_exit_code 2, update_result + assert_exit_code 0, update_result end def test_fail_update_from_nonexistant_gem From 50698e85a1c37d908ecb78d5fee99e3b797ecc5e Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 24 Aug 2021 02:41:20 +0000 Subject: [PATCH 343/483] Bump version to 4.41.9 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9bfb711f..ed12a85f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.8](https://github.com/inspec/inspec/tree/v4.41.8) (2021-08-23) + +## [v4.41.9](https://github.com/inspec/inspec/tree/v4.41.9) (2021-08-24) #### Merged Pull Requests -- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) +- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) - Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) - Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) - Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 3cd3079cf..7b709e7f4 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.8 \ No newline at end of file +4.41.9 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 7f45cb41b..7257743f2 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.8".freeze + VERSION = "4.41.9".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index f69beeffa..7d6aeaa5a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.8".freeze + VERSION = "4.41.9".freeze end From 16b23fd2c9b9e6f636b7189d3c12e0ac4f451adb Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 24 Aug 2021 02:50:59 +0000 Subject: [PATCH 344/483] Bump version to 4.41.10 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ed12a85f5..b262a3292 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.9](https://github.com/inspec/inspec/tree/v4.41.9) (2021-08-24) + +## [v4.41.10](https://github.com/inspec/inspec/tree/v4.41.10) (2021-08-24) #### Merged Pull Requests -- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) +- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) - Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) - Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) - Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 7b709e7f4..975ab9cdd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.9 \ No newline at end of file +4.41.10 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 7257743f2..f899806b8 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.9".freeze + VERSION = "4.41.10".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 7d6aeaa5a..92320f9a4 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.9".freeze + VERSION = "4.41.10".freeze end From 7415fc11d000dae1813a14ba12d957851fa999b3 Mon Sep 17 00:00:00 2001 From: "chef-expeditor[bot]" <49165653+chef-expeditor[bot]@users.noreply.github.com> Date: Tue, 24 Aug 2021 15:38:04 +0000 Subject: [PATCH 345/483] Updating references of master to main as part of Expeditor agent rename. --- .expeditor/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.expeditor/config.yml b/.expeditor/config.yml index 93d7ab958..9bd9c2bf9 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -72,7 +72,7 @@ github: version_tag_format: v{{version}} release_branches: - - master: + - main: version_constraint: 4.* - 1-stable: version_constraint: 1.* From e3c93c2ef2e3077f336395989f91bfdf91e433be Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 26 Aug 2021 14:57:36 +0530 Subject: [PATCH 346/483] Fedora support documented Signed-off-by: Nikita Mathur --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e33eee626..9de21e6c3 100644 --- a/README.md +++ b/README.md @@ -332,6 +332,7 @@ In addition, runtime support is provided for: | macOS | 10.14+ | x86_64 | | Debian | 9, 10 | x86_64 | | RHEL | 6, 7, 8 | x86_64 | +| Fedora | 29+ | x86_64 | | Ubuntu | 16.04+ | x86_64 | | Windows | 8+ | x86_64 | | Windows | 2012+ | x86_64 | 
From 5768cb8eab0ce22e83fedbef33fbbfec64d0e28e Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 26 Aug 2021 16:15:38 +0530 Subject: [PATCH 347/483] Added info about the minitest framework in contributing doc for the info Signed-off-by: Nikita Mathur --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1b876efa1..cf9acd646 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -26,7 +26,7 @@ We have a 3 step process for contributions: Chef Projects are built to last. We strive to ensure high quality throughout the experience. In order to ensure this, we require that all pull requests to Chef projects meet these specifications: 1. **Tests:** To ensure high quality code and protect against future regressions, we require all the code in Chef Projects to have at least unit test coverage. See the [test/unit](https://github.com/inspec/inspec/tree/master/test/unit) -directory for the existing tests and use ```bundle exec rake test``` to run them. +directory for the existing tests and use ```bundle exec rake test``` to run them. It should be good to know InSpec uses [minitest](https://github.com/seattlerb/minitest) as a testing framework. 2. **Green CI Tests:** We use [Travis CI](https://travis-ci.org/) and/or [AppVeyor](https://www.appveyor.com/) CI systems to test all pull requests. We require these test runs to succeed on every pull request before being merged. 3. **Up-to-date Documentation:** Every code change should be reflected in an update for our [documentation](https://github.com/inspec/inspec/tree/master/docs-chef-io). We expect PRs to update the documentation with the code change. From 601238ca810f46dd36d2da3be8cca542a8d5aff5 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Fri, 27 Aug 2021 04:28:05 +0000 Subject: [PATCH 348/483] Bump version to 4.41.11 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b262a3292..360d3ad7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.10](https://github.com/inspec/inspec/tree/v4.41.10) (2021-08-24) + +## [v4.41.11](https://github.com/inspec/inspec/tree/v4.41.11) (2021-08-27) #### Merged Pull Requests -- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) +- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) - Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) - Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) - Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 975ab9cdd..cf81b012c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.10 \ No newline at end of file +4.41.11 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f899806b8..78f8df66a 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.10".freeze + VERSION = "4.41.11".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 92320f9a4..12a76823e 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.10".freeze + VERSION = "4.41.11".freeze end From 460ce4627bf9c67a3fd2012a9b2e1188091c04d2 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 27 Aug 2021 10:55:04 +0530 Subject: [PATCH 349/483] Updated security_policy resource docs Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/security_policy.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs-chef-io/content/inspec/resources/security_policy.md b/docs-chef-io/content/inspec/resources/security_policy.md index 991474adf..d30353a1e 100644 --- a/docs-chef-io/content/inspec/resources/security_policy.md +++ b/docs-chef-io/content/inspec/resources/security_policy.md @@ -31,10 +31,15 @@ A `security_policy` resource block declares the name of a security policy and th its('policy_name') { should eq 'value' } end + describe security_policy(translate_sid: true) do + its('policy_name') { should include 'sid_name' } + end + where - `'policy_name'` must specify a security policy - `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test +- `translate_sid` converts the SID into human readable SID name if true. Default value is false. ## Examples From 6ad475de9fb0dced699fe95ae610afb0f5ea0ebe Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 27 Aug 2021 14:13:01 +0530 Subject: [PATCH 350/483] Added missing cli commands in cli docs Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/cli.md | 48 ++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) 
diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 43bfe77eb..0ddcd218f 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -46,6 +46,18 @@ This subcommand has additional options: * ``--zip``, ``--no-zip`` Generates a zip archive. +## automate + +Communicate with Chef Automate. + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec automate SUBCOMMAND +``` + ## check Verify metadata in inspec.yml. Verify control data has fields (title, description, @@ -363,6 +375,30 @@ This subcommand has the following syntax: inspec help [COMMAND] ``` +## habitat + +Create Chef Habitat package + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec habitat SUBCOMMAND +``` + +## init + +Scaffold a new project + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec init TEMPLATE +``` + ## json Read all tests in path and generate a json summary @@ -402,6 +438,18 @@ This subcommand has the following syntax: inspec nothing ``` +## plugin + +Install and manage plugin + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec plugin SUBCOMMAND +``` + ## schema Print the json schema From 8487da327fdb0b3748128d6ec1c43870d1a7437a Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 26 Aug 2021 15:34:42 +0530 Subject: [PATCH 351/483] Fix for security_policy resource does not return array for local groups Signed-off-by: Vasu1105 --- lib/inspec/resources/security_policy.rb | 7 ++++--- test/fixtures/cmd/secedit-export | 1 + test/unit/resources/security_policy_test.rb | 2 ++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/inspec/resources/security_policy.rb b/lib/inspec/resources/security_policy.rb index 9d10da377..2bf7832dd 100644 --- a/lib/inspec/resources/security_policy.rb +++ b/lib/inspec/resources/security_policy.rb 
@@ -147,7 +147,7 @@ module Inspec::Resources # extracts the values, this methods detects: # numbers and SIDs and optimizes them for further usage - def extract_value(val) + def extract_value(key, val) if val =~ /^\d+$/ val.to_i # special handling for SID array @@ -166,14 +166,15 @@ module Inspec::Resources elsif !(m = /^\"(.*)\"$/.match(val)).nil? m[1] else - val + # When there is Registry Values we are not spliting the value for backward compatibility + key.include?("\\") ? val : val.split(",") end end def convert_hash(hash) new_hash = {} hash.each do |k, v| - v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(v) + v.is_a?(Hash) ? value = convert_hash(v) : value = extract_value(k, v) new_hash[k.strip] = value end new_hash diff --git a/test/fixtures/cmd/secedit-export b/test/fixtures/cmd/secedit-export index 86ae2bade..fb8a1dcd9 100644 --- a/test/fixtures/cmd/secedit-export +++ b/test/fixtures/cmd/secedit-export @@ -5,3 +5,4 @@ MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\Secur [Privilege Rights] SeUndockPrivilege = *S-1-5-32-544 SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555 +SeServiceLogonRight = DB2ADMNS,db2admin diff --git a/test/unit/resources/security_policy_test.rb b/test/unit/resources/security_policy_test.rb index 58784efa1..9e1df2530 100644 --- a/test/unit/resources/security_policy_test.rb +++ b/test/unit/resources/security_policy_test.rb @@ -11,6 +11,7 @@ describe "Inspec::Resources::SecurityPolicy" do _(resource.send('MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel')).must_equal "4,0" _(resource.SeUndockPrivilege).must_equal ["S-1-5-32-544"] _(resource.SeRemoteInteractiveLogonRight).must_equal ["S-1-5-32-544", "S-1-5-32-555"] + _(resource.SeServiceLogonRight).must_equal %w{ DB2ADMNS db2admin } end it "parse empty policy file" do 
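Review bot: In the `@@ -166,14 +166,15 @@` hunk of security_policy.rb, the new fallback `key.include?("\\") ? val : val.split(",")` does not strip the pieces it produces. An entry written as `DB2ADMNS, db2admin` would yield `" db2admin"`, so a `should_not include 'db2admin'` check on a privilege right would pass when it should fail. I would write the non-registry case as `val.split(",").map(&:strip)`. The fallback now also applies to every remaining value under a key without a backslash, so an unquoted scalar (presumably something like `Unicode = yes`) comes back as a one-element array instead of a string; a comment above the branch should say whether that is intended. `extract_value` starts and ends outside the hunk, so the SID-array branch that precedes this one is not visible here.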
@@ -33,5 +34,6 @@ describe "Inspec::Resources::SecurityPolicy" do _(resource.send('MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel')).must_equal "4,0" _(resource.SeUndockPrivilege).must_equal ["BUILTIN\\Administrators"] _(resource.SeRemoteInteractiveLogonRight).must_equal ["BUILTIN\\Administrators", "S-1-5-32-555"] + _(resource.SeServiceLogonRight).must_equal %w{ DB2ADMNS db2admin } end end From 2100a66bef115e1e6127cc200ec4b0186bb2b333 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 30 Aug 2021 12:47:03 +0530 Subject: [PATCH 352/483] Removed use of wmic from security_identifier resource as it will be deprecated soon Signed-off-by: Vasu1105 --- lib/inspec/resources/security_identifier.rb | 22 +++++++------------ test/fixtures/cmd/security-identifier-alice | 2 +- test/fixtures/cmd/security-identifier-guests | 2 +- test/fixtures/cmd/security-identifier-unknown | 2 +- test/helpers/mock_loader.rb | 12 +++++----- 5 files changed, 17 insertions(+), 23 deletions(-) diff --git a/lib/inspec/resources/security_identifier.rb b/lib/inspec/resources/security_identifier.rb index 1393921ce..ebd697bae 100644 --- a/lib/inspec/resources/security_identifier.rb +++ b/lib/inspec/resources/security_identifier.rb @@ -57,14 +57,14 @@ module Inspec::Resources @sids = {} case @type when :group - sid_data = wmi_results(:group) + sid_data = cim_results(:group) when :user - sid_data = wmi_results(:user) + sid_data = cim_results(:user) when :unspecified # try group first, then user - sid_data = wmi_results(:group) + sid_data = cim_results(:group) if sid_data.empty? - sid_data = wmi_results(:user) + sid_data = cim_results(:user) end else raise "Unhandled entity type '#{@type}'" 
@@ -72,20 +72,14 @@ module Inspec::Resources sid_data.each { |sid| @sids[sid[1]] = sid[2] } end - def wmi_results(type) - query = "wmic " + def cim_results(type) case type when :group - query += "group" + cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Where-Object { $_.Name -eq '#{@name}' -and { $_.SIDType -eq 4 -or $_.SIDType -eq 5 } } | ConvertTo-Csv -NoTypeInformation" when :user - query += "useraccount" + cmd = "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq '#{@name}' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation" end - query += " where 'Name=\"#{@name}\"' get Name\",\"SID /format:csv" - # Example output: - # inspec> command("wmic useraccount where 'Name=\"Administrator\"' get Name\",\"SID /format:csv").stdout - # => "\r\n\r\nNode,Name,SID\r\n\r\nComputer1,Administrator,S-1-5-21-650485088-1194226989-968533923-500\r\n\r\n" - # Remove the \r characters, split on \n\n, ignore the CSV header row - inspec.command(query).stdout.strip.tr("\r", "").split("\n\n")[1..-1].map { |entry| entry.split(",") } + inspec.command(cmd).stdout.strip.gsub("\"", "").tr("\r", "").split("\n")[1..-1].map { |entry| entry.split(",") } end end end diff --git a/test/fixtures/cmd/security-identifier-alice b/test/fixtures/cmd/security-identifier-alice index 3dfc2a1d7..163d63db8 100644 --- a/test/fixtures/cmd/security-identifier-alice +++ b/test/fixtures/cmd/security-identifier-alice @@ -1,4 +1,4 @@ -Node,Name,SID +Domain,Name,SID Computer1,Alice,S-1-5-21-1601936709-1892662786-3840804712-315762 diff --git a/test/fixtures/cmd/security-identifier-guests b/test/fixtures/cmd/security-identifier-guests index 6954f82ce..4f3db8c4e 100644 --- a/test/fixtures/cmd/security-identifier-guests +++ b/test/fixtures/cmd/security-identifier-guests @@ -1,4 +1,4 @@ -Node,Name,SID +Domain,Name,SID Computer1,Guests,S-1-5-32-546 
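Review bot: The `:group` command in `cim_results` does not actually filter on SIDType: `Select-Object -Property Domain, Name, SID` drops `SIDType` before `Where-Object` runs, and the inner `{ $_.SIDType -eq 4 -or $_.SIDType -eq 5 }` is a script block, which PowerShell evaluates as true, rather than a parenthesised condition. As written, a user account with the requested name satisfies the group query, so `type: :group` (and the group-first `:unspecified` path in the `@@ -57,14 +57,14 @@` hunk) can report a user's SID as a group's. I would select `SIDType` in both branches and write the condition as `-and ($_.SIDType -eq 4 -or $_.SIDType -eq 5)`; the matching keys in test/helpers/mock_loader.rb need the same change. Separately, `'#{@name}'` is interpolated into a single-quoted PowerShell literal, so a name containing `'` ends the literal early; doubling the quote first (`@name.gsub("'", "''")`) keeps the value inside the string. Finally, `split("\n")[1..-1]` is nil when the command prints nothing, so `.map` raises; `split("\n").drop(1)` returns an empty array instead.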
diff --git a/test/fixtures/cmd/security-identifier-unknown b/test/fixtures/cmd/security-identifier-unknown index 12d81461b..f280a8888 100644 --- a/test/fixtures/cmd/security-identifier-unknown +++ b/test/fixtures/cmd/security-identifier-unknown @@ -1,3 +1,3 @@ -Node, +Domain, diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 863b17090..82352de25 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -565,12 +565,12 @@ class MockLoader "(New-Object System.Security.Principal.SecurityIdentifier(\"S-1-5-32-544\")).Translate( [System.Security.Principal.NTAccount]).Value" => cmd.call("security-policy-sid-translated"), "(New-Object System.Security.Principal.SecurityIdentifier(\"S-1-5-32-555\")).Translate( [System.Security.Principal.NTAccount]).Value" => cmd.call("security-policy-sid-untranslated"), - # Windows SID calls - 'wmic useraccount where \'Name="Alice"\' get Name","SID /format:csv' => cmd.call("security-identifier-alice"), - 'wmic useraccount where \'Name="Bob"\' get Name","SID /format:csv' => cmd.call("security-identifier-unknown"), - 'wmic useraccount where \'Name="DontExist"\' get Name","SID /format:csv' => cmd.call("security-identifier-unknown"), - 'wmic group where \'Name="Guests"\' get Name","SID /format:csv' => cmd.call("security-identifier-guests"), - 'wmic group where \'Name="DontExist"\' get Name","SID /format:csv' => cmd.call("security-identifier-unknown"), + # Windows SID calls with CimInstance + "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq 'Alice' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation" => cmd.call("security-identifier-alice"), + "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq 'Bob' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation" => cmd.call("security-identifier-unknown"), + "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID, SIDType | Where-Object { $_.Name -eq 'DontExist' -and $_.SIDType -eq 1 } | ConvertTo-Csv -NoTypeInformation" => cmd.call("security-identifier-unknown"), + "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Where-Object { $_.Name -eq 'Guests' -and { $_.SIDType -eq 4 -or $_.SIDType -eq 5 } } | ConvertTo-Csv -NoTypeInformation" => cmd.call("security-identifier-guests"), 
+ "Get-CimInstance -ClassName Win32_Account | Select-Object -Property Domain, Name, SID | Where-Object { $_.Name -eq 'DontExist' -and { $_.SIDType -eq 4 -or $_.SIDType -eq 5 } } | ConvertTo-Csv -NoTypeInformation" => cmd.call("security-identifier-unknown"), # alpine package commands "apk info -vv --no-network | grep git" => cmd.call("apk-info-grep-git"), From 99a170d7e50789b5c0a554fd388854f6741d32d1 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 30 Aug 2021 18:08:06 +0530 Subject: [PATCH 353/483] Updated inspec-aws git url to replace branch to master to main Signed-off-by: Vasu1105 --- lib/plugins/inspec-init/templates/profiles/aws/inspec.yml | 2 +- test/fixtures/profiles/cloud/test-aws/inspec.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml b/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml index 753901434..ac7235f13 100644 --- a/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml +++ b/lib/plugins/inspec-init/templates/profiles/aws/inspec.yml @@ -16,6 +16,6 @@ inputs: description: 'Optional Custom AWS VPC Id' depends: - name: inspec-aws - url: https://github.com/inspec/inspec-aws/archive/master.tar.gz + url: https://github.com/inspec/inspec-aws/archive/main.tar.gz supports: - platform: aws diff --git a/test/fixtures/profiles/cloud/test-aws/inspec.yml b/test/fixtures/profiles/cloud/test-aws/inspec.yml index e1aa2fdcb..f7b6f6077 100644 --- a/test/fixtures/profiles/cloud/test-aws/inspec.yml +++ b/test/fixtures/profiles/cloud/test-aws/inspec.yml @@ -16,6 +16,6 @@ inputs: description: 'Optional Custom AWS VPC Id' depends: - name: inspec-aws - url: https://github.com/inspec/inspec-aws/archive/master.tar.gz + url: https://github.com/inspec/inspec-aws/archive/main.tar.gz supports: - platform: aws From 44cd84312f18ec08d1eb5cb369f7c2c7cc14b4b7 Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Mon, 30 Aug 2021 19:10:11 +0530 Subject: [PATCH 354/483] Fix url fetcher when default git profile branch is not master Signed-off-by: Nikita Mathur --- lib/inspec/fetcher/url.rb | 46 +++++++++++++++++++++++++++++++--- test/unit/fetchers/url_test.rb | 4 +-- 2 files changed, 45 insertions(+), 5 deletions(-) diff --git a/lib/inspec/fetcher/url.rb b/lib/inspec/fetcher/url.rb index c6ccc8bcc..f22828073 100644 --- a/lib/inspec/fetcher/url.rb +++ b/lib/inspec/fetcher/url.rb @@ -44,11 +44,17 @@ module Inspec::Fetcher # - Branch URL # - Commit URL # - # master url: + # master url(default branch master): # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to # https://github.com/nathenharvey/tmp_compliance_profile/archive/master.tar.gz # https://bitbucket.org/username/repo is transformed to # https://bitbucket.org/username/repo/get/master.tar.gz + + # main url(default branch main): + # https://github.com/nathenharvey/tmp_compliance_profile/ is transformed to + # https://github.com/nathenharvey/tmp_compliance_profile/archive/main.tar.gz + # https://bitbucket.org/username/repo is transformed to + # https://bitbucket.org/username/repo/get/main.tar.gz # # branch: # https://github.com/hardening-io/tests-os-hardening/tree/2.0 is transformed to 
@@ -71,11 +77,13 @@ module Inspec::Fetcher def self.transform(target) transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition - "https://github.com/#{m[:user]}/#{m[:repo]}/archive/master.tar.gz" + default_branch = default_ref(m) + "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{default_branch}.tar.gz" elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz" elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition - "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/master.tar.gz" + default_branch = default_ref(m) + "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{default_branch}.tar.gz" elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz" elsif m = BITBUCKET_URL_COMMIT_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition 
@@ -120,6 +128,38 @@ module Inspec::Fetcher private + class << self + def default_ref(match_data) + remote_url = "https://github.com/#{match_data[:user]}/#{match_data[:repo]}.git" + command_string = "git remote show #{remote_url}" + cmd = shellout(command_string) + unless cmd.exitstatus == 0 + raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': #{cmd.stderr}") + else + ref = cmd.stdout.lines.detect { |l| l.include? "HEAD branch:" }&.split(":")&.last&.strip + unless ref + raise(Inspec::FetcherFailure, "Profile git dependency failed with default reference - #{remote_url} - error running '#{command_string}': NULL reference") + end + + ref + end + end + + def shellout(cmd, opts = {}) + Inspec::Log.debug("Running external command: #{cmd} (#{opts})") + cmd = Mixlib::ShellOut.new(cmd, opts) + cmd.run_command + Inspec::Log.debug("External command: completed with exit status: #{cmd.exitstatus}") + Inspec::Log.debug("External command: STDOUT BEGIN") + Inspec::Log.debug(cmd.stdout) + Inspec::Log.debug("External command: STDOUT END") + Inspec::Log.debug("External command: STDERR BEGIN") + Inspec::Log.debug(cmd.stderr) + Inspec::Log.debug("External command: STDERR END") + cmd + end + end + def parse_uri(target) return URI.parse(target) if target.is_a?(String) diff --git a/test/unit/fetchers/url_test.rb b/test/unit/fetchers/url_test.rb index d1b1be453..3f8f3f948 100644 --- a/test/unit/fetchers/url_test.rb +++ b/test/unit/fetchers/url_test.rb @@ -72,7 +72,7 @@ describe Inspec::Fetcher::Url do res = Inspec::Fetcher::Url.resolve(github) res.expects(:open).returns(mock_open) _(res).wont_be_nil - _(res.resolved_source).must_equal({ url: "https://github.com/chef/inspec/archive/master.tar.gz", sha256: expected_shasum }) + _(res.resolved_source).must_equal({ url: "https://github.com/chef/inspec/archive/main.tar.gz", sha256: expected_shasum }) end end end 
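Review bot: `default_ref` always builds `remote_url` on `https://github.com/`, yet the `@@ -71,11 +77,13 @@` hunk also calls it from the Bitbucket branch of `transform`. A Bitbucket dependency therefore has its default branch looked up on whatever GitHub repository shares the same user/repo name, or fails with `FetcherFailure` when none exists. Passing the host through would fix it: `default_ref(m, "bitbucket.org")` at the Bitbucket call site and `remote_url = "https://#{host}/#{match_data[:user]}/#{match_data[:repo]}.git"` here. The command is also handed to `Mixlib::ShellOut` as one interpolated string; whether `user` and `repo` can carry shell metacharacters depends on the URL regexes, which are outside this hunk, so passing the arguments separately (`Mixlib::ShellOut.new("git", "remote", "show", remote_url)`) is the safer form. Matching on the `HEAD branch:` text likely ties the result to git's English output; `git ls-remote --symref <url> HEAD` gives the same answer without depending on the locale.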
@@ -119,7 +119,7 @@ describe Inspec::Fetcher::Url do res = Inspec::Fetcher::Url.resolve(bitbucket) res.expects(:open).returns(mock_open) _(res).wont_be_nil - _(res.resolved_source).must_equal({ url: "https://bitbucket.org/chef/inspec/get/master.tar.gz", sha256: expected_shasum }) + _(res.resolved_source).must_equal({ url: "https://bitbucket.org/chef/inspec/get/main.tar.gz", sha256: expected_shasum }) end end end From 2b2faa7c41865e0dcfc1425d05813cd222ebf830 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 20:46:46 +0000 Subject: [PATCH 355/483] Bump version to 4.41.12 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 360d3ad7a..6480402de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.11](https://github.com/inspec/inspec/tree/v4.41.11) (2021-08-27) + +## [v4.41.12](https://github.com/inspec/inspec/tree/v4.41.12) (2021-08-30) #### Merged Pull Requests -- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) +- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) - Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) - Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) - Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index cf81b012c..d453064c2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.11 \ No newline at end of file +4.41.12 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 78f8df66a..e7f41709b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.11".freeze + VERSION = "4.41.12".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 12a76823e..f89918522 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.11".freeze + VERSION = "4.41.12".freeze end 
From 51c461581563674e1ffe58be50c98ef2cbd0ab59 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 21:13:29 +0000 Subject: [PATCH 356/483] Bump version to 4.41.13 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6480402de..38a9c0e49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.12](https://github.com/inspec/inspec/tree/v4.41.12) (2021-08-30) + +## [v4.41.13](https://github.com/inspec/inspec/tree/v4.41.13) (2021-08-30) #### Merged Pull Requests -- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) +- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) - Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) - Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) - Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) diff --git a/VERSION b/VERSION index d453064c2..f4765f34f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.12 \ No newline at end of file +4.41.13 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e7f41709b..7dfcd19b0 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.12".freeze + VERSION = "4.41.13".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index f89918522..40d8c2931 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.12".freeze + VERSION = "4.41.13".freeze end From 635a7cbbc22a920874581e5131f632316fe0a011 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 21:16:38 +0000 Subject: [PATCH 357/483] Bump version to 4.41.14 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 38a9c0e49..45aca9cdc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.13](https://github.com/inspec/inspec/tree/v4.41.13) (2021-08-30) + +## [v4.41.14](https://github.com/inspec/inspec/tree/v4.41.14) (2021-08-30) #### Merged Pull Requests -- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) +- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) - Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) - Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) - Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index f4765f34f..9436128fd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.13 \ No newline at end of file +4.41.14 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 7dfcd19b0..642ec97f0 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.13".freeze + VERSION = "4.41.14".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 40d8c2931..fbbddd1de 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.13".freeze + VERSION = "4.41.14".freeze end From 3c2d0cd48bdc911efe2b9fe3f3f79a3d74f28393 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 21:19:18 +0000 Subject: [PATCH 358/483] Bump version to 4.41.15 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 45aca9cdc..25166ced4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.14](https://github.com/inspec/inspec/tree/v4.41.14) (2021-08-30) + +## [v4.41.15](https://github.com/inspec/inspec/tree/v4.41.15) (2021-08-30) #### Merged Pull Requests -- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) +- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) - Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) - Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) - Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 9436128fd..e354cf7c6 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.41.14 \ No newline at end of file +4.41.15 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 642ec97f0..06f29ce68 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.14".freeze + VERSION = "4.41.15".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index fbbddd1de..4ed536e46 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.14".freeze + VERSION = "4.41.15".freeze end From 59c0a9a0e162bde8fc0e713341d23d3e297b7b8f Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 21:21:59 +0000 Subject: [PATCH 359/483] Bump version to 4.41.16 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25166ced4..c14b06ec3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.15](https://github.com/inspec/inspec/tree/v4.41.15) (2021-08-30) + +## [v4.41.16](https://github.com/inspec/inspec/tree/v4.41.16) (2021-08-30) #### Merged Pull Requests -- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) +- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) - Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) - Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) - Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index e354cf7c6..098e47cdc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.15 \ No newline at end of file +4.41.16 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 06f29ce68..2b3250485 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.15".freeze + VERSION = "4.41.16".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 4ed536e46..f2116d783 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.15".freeze + VERSION = "4.41.16".freeze end From 52d9fe4321026938ae82a58dfbab3775d4fa18aa Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 30 Aug 2021 21:26:04 +0000 Subject: [PATCH 360/483] Bump version to 4.41.17 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c14b06ec3..8c59de756 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.16](https://github.com/inspec/inspec/tree/v4.41.16) (2021-08-30) + +## [v4.41.17](https://github.com/inspec/inspec/tree/v4.41.17) (2021-08-30) #### Merged Pull Requests -- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) +- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) - Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) - Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) - Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 098e47cdc..05fd36977 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.41.16 \ No newline at end of file +4.41.17 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 2b3250485..c4bff425c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.16".freeze + VERSION = "4.41.17".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index f2116d783..0f67202a3 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.16".freeze + VERSION = "4.41.17".freeze end From 403647c3e45412a41bcb8a55181362fab5e4a85b Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Mon, 30 Aug 2021 16:49:46 -0700 Subject: [PATCH 361/483] Fix typos identified by cspell Just a pile of misc typos 
Signed-off-by: Tim Smith --- dev-docs/compliance.md | 2 +- dev-docs/filtertable-usage.md | 4 ++-- .../resources/aws_organizations_member.md | 2 +- .../inspec/resources/aws_sns_subscription.md | 2 +- .../azurerm_monitor_activity_log_alert.md | 2 +- .../azurerm_network_security_group.md | 6 +++--- lib/inspec/resources/registry_key.rb | 2 +- lib/inspec/resources/wmi.rb | 2 +- .../inspec-plugin-manager-cli/cli_command.rb | 4 ++-- .../test/functional/install_test.rb | 10 +++++----- .../test/functional/update_test.rb | 2 +- lib/resources/aws/aws_iam_access_key.rb | 2 +- lib/resources/azure/azure_backend.rb | 6 +++--- lib/resources/azure/azure_virtual_machine.rb | 2 +- .../azure/azure_virtual_machine_data_disk.rb | 4 ++-- .../exception-in-control/controls/01-file.rb | 6 +++--- .../controls/02-sshd_config.rb | 6 +++--- test/functional/inspec_exec_test.rb | 2 +- .../verify/controls/aws_cloudtrail_trail.rb | 2 +- .../aws/default/verify/controls/aws_kms_key.rb | 2 +- .../policies/default/controls/user_spec.rb | 2 +- .../find_files/libraries/find_files.rb | 2 +- test/unit/plugin/v2/api_input_test.rb | 2 +- test/unit/plugin/v2/installer_test.rb | 4 ++-- .../resources/aws_cloudtrail_trail_test.rb | 16 ++++++++-------- test/unit/resources/aws_iam_policy_test.rb | 18 +++++++++--------- test/unit/resources/aws_kms_key_test.rb | 18 +++++++++--------- test/unit/resources/command_test.rb | 4 ++-- .../resources/etc_hosts_allow_deny_test.rb | 2 +- test/unit/resources/json_test.rb | 4 ++-- test/unit/resources/port_test.rb | 4 ++-- test/unit/resources/postgres_hba_conf_test.rb | 2 +- test/unit/resources/x509_certificate_test.rb | 4 ++-- test/unit/runner_test.rb | 2 +- test/unit/utils/nginx_parser_test.rb | 8 ++++---- 35 files changed, 81 insertions(+), 81 deletions(-) diff --git a/dev-docs/compliance.md b/dev-docs/compliance.md index 808f0889b..722449a6d 100644 --- a/dev-docs/compliance.md +++ b/dev-docs/compliance.md 
@@ -55,7 +55,7 @@ Actual HTTP communication is handled by `InspecPlugins::Compliance::HTTP`, again #### lib/http.rb -This is probably unneccesary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar. +This is probably unnecessary. It is a wrapper around Net:HTTP. Instead, we should probably be using a REST API wrapper or something similar. #### lib/support.rb diff --git a/dev-docs/filtertable-usage.md b/dev-docs/filtertable-usage.md index efd39e49c..347275fe7 100644 --- a/dev-docs/filtertable-usage.md +++ b/dev-docs/filtertable-usage.md @@ -40,7 +40,7 @@ class Thing < Inspec.resource(1) filter_table_config.install_filter_methods_on_resource(self, :fetch_data) def fetch_data - # This method should return an array of hashes - the raw data. We'll hardcode it here. + # This method should return an array of hashes - the raw data. We'll hard code it here. [ { thing_id: 1, color: :red }, { thing_id: 2, color: :blue, tackiness: 'very' }, @@ -301,7 +301,7 @@ This method behaves just like `thing_ids`, except that it returns the values of You also get this for `thing_ids`. This is unrelated to `style: :simple` for `colors`. -People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resouces (`xinetd_conf` and `users`) advocate this as their primary use. +People definitely use this in the wild. It reads badly to me; I think this is a legacy usage that we should consider deprecating. To me, this seems to imply that there is a sub-resource (here, colors) we are auditing. At least two core resources (`xinetd_conf` and `users`) advocate this as their primary use. ```ruby # Filter on colors 
diff --git a/docs-chef-io/content/inspec/resources/aws_organizations_member.md b/docs-chef-io/content/inspec/resources/aws_organizations_member.md index 23920cc89..8e5f0cd97 100644 --- a/docs-chef-io/content/inspec/resources/aws_organizations_member.md +++ b/docs-chef-io/content/inspec/resources/aws_organizations_member.md @@ -50,7 +50,7 @@ _**If the current Account is the Master Account, the following properties are al | ------------- | ------------------------------------------------------ | | account_id | The ID of the current Account. | | account_arn | The ARN of the current Account. | -| account_name | The Name of the current Acccount. | +| account_name | The Name of the current Account. | | account_email | The Email address associated with the current Account. | ## Examples diff --git a/docs-chef-io/content/inspec/resources/aws_sns_subscription.md b/docs-chef-io/content/inspec/resources/aws_sns_subscription.md index 9c7e79f77..f2f400730 100644 --- a/docs-chef-io/content/inspec/resources/aws_sns_subscription.md +++ b/docs-chef-io/content/inspec/resources/aws_sns_subscription.md @@ -52,7 +52,7 @@ See also the [AWS documentation on SNS](https://docs.aws.amazon.com/sns/latest/d its('endpoint') { should cmp '+16105551234' } # If protocol is 'email' or 'email-json', endpoint should be an email address its('endpoint') { should cmp 'myemail@example.com' } - # If protocal is 'http', endpoint should be a URL beginning with 'https://' + # If protocol is 'http', endpoint should be a URL beginning with 'https://' its('endpoint') { should cmp 'https://www.exampleurl.com' } # If the protocol is 'lambda', its endpoint should be the ARN of a AWS Lambda function its('endpoint') { should cmp 'rn:aws:lambda:us-east-1:account-id:function:myfunction' } diff --git a/docs-chef-io/content/inspec/resources/azurerm_monitor_activity_log_alert.md b/docs-chef-io/content/inspec/resources/azurerm_monitor_activity_log_alert.md index 69e9f5853..511057bf9 100644 
--- a/docs-chef-io/content/inspec/resources/azurerm_monitor_activity_log_alert.md +++ b/docs-chef-io/content/inspec/resources/azurerm_monitor_activity_log_alert.md @@ -69,7 +69,7 @@ name and resource group. ## Parameter Examples -The resource group as well as the Activty Log Alert +The resource group as well as the Activity Log Alert name. describe azurerm_monitor_activity_log_alert(resource_group: 'example', name: 'AlertName') do diff --git a/docs-chef-io/content/inspec/resources/azurerm_network_security_group.md b/docs-chef-io/content/inspec/resources/azurerm_network_security_group.md index 26d684e4f..e273ffb52 100644 --- a/docs-chef-io/content/inspec/resources/azurerm_network_security_group.md +++ b/docs-chef-io/content/inspec/resources/azurerm_network_security_group.md @@ -99,21 +99,21 @@ The default_security_rules property contains the set of Default Security Rules. ### allow_ssh_from_internet -The allow_ssh_from_internet property contains a boolean value determined by analysing +The allow_ssh_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted SSH access. it { should_not allow_ssh_from_internet } ### allow_rdp_from_internet -The allow_rdp_from_internet property contains a boolean value determined by analysing +The allow_rdp_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted RDP access. it { should_not allow_rdp_from_internet } ### allow\port_from_internet -The allow_port_from_internet property contains a boolean value determined by analysing +The allow_port_from_internet property contains a boolean value determined by analyzing the Security Rules and Default Security Rules for unrestricted access to a specified port. it { should_not allow_port_from_internet('443') } diff --git a/lib/inspec/resources/registry_key.rb b/lib/inspec/resources/registry_key.rb index 803009598..6e09fdb9c 100644 
--- a/lib/inspec/resources/registry_key.rb +++ b/lib/inspec/resources/registry_key.rb @@ -105,7 +105,7 @@ module Inspec::Resources children_keys(@options[:path], filter) end - # returns nil, if not existant or value + # returns nil, if not existent or value def method_missing(*keys) # allow the use of array syntax in an `its` block so that users # can use it to query for keys with . characters in them diff --git a/lib/inspec/resources/wmi.rb b/lib/inspec/resources/wmi.rb index 056ccb1e0..523bc2180 100644 --- a/lib/inspec/resources/wmi.rb +++ b/lib/inspec/resources/wmi.rb @@ -36,7 +36,7 @@ module Inspec::Resources end end - # returns nil, if not existant or value + # returns nil, if not existent or value def method_missing(*keys) # catch behavior of rspec its implementation # @see https://github.com/rspec/rspec-its/blob/v1.2.0/lib/rspec/its.rb#L110 diff --git a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb index 7b26ef355..aec668c2e 100644 --- a/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +++ b/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb @@ -434,7 +434,7 @@ module InspecPlugins "version #{options[:version]} found on #{source_host} - " \ "installation failed.\n") else - ui.red("Unknown error occured - installation failed.\n") + ui.red("Unknown error occurred - installation failed.\n") end ui.exit Inspec::UI::EXIT_USAGE_ERROR end @@ -458,7 +458,7 @@ module InspecPlugins end end - # Check for latest version (and implicitly, existance) + # Check for latest version (and implicitly, existence) latest_version = installer.search(plugin_name, exact: true, scope: :latest) latest_version = latest_version[plugin_name]&.last 
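Review bot: The comment above `method_missing` in registry_key.rb, `# returns nil, if not existent or value`, is still hard to parse after the spelling fix, and the identical line is repeated in the wmi.rb hunk. If the intent is what the wording suggests, `# returns the value for the requested key, or nil if it does not exist` would say it directly. Both method bodies continue outside their hunks, so confirm the wording against the implementation before adopting it.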
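Review bot: The `ui.red("Unknown error occurred - installation failed.\n")` line in the `@@ -434` hunk of cli_command.rb is user-facing output rather than a comment, so this typo fix changes what the CLI prints. The same applies to the `raise "More than one access key matched for aws_iam_access_key. ..."` message in the aws_iam_access_key.rb hunk. The plugin-manager functional tests in this patch match stdout with patterns such as `assert_match(/... - installation failed./, install_result.stdout)`, and the diffstat lists no aws_iam_access_key test file. Search the tests and any log-matching tooling for the old spellings `occured` and `paramaters` before merging. Both enclosing methods start and end outside their hunks.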
diff --git a/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb b/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb index 60e6b9965..d373a7392 100644 --- a/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb +++ b/lib/plugins/inspec-plugin-manager-cli/test/functional/install_test.rb @@ -8,7 +8,7 @@ class PluginManagerCliInstall < Minitest::Test include PluginManagerHelpers ruby_abi_version = (Gem.ruby_version.segments[0, 2] << 0).join(".") - # Test multiple hueristics of the path-mode install. + # Test multiple heuristics of the path-mode install. # These are all positive tests; they should resolve the entry point to the same path in each case. { "is_perfect" => { @@ -66,7 +66,7 @@ class PluginManagerCliInstall < Minitest::Test end end - def test_fail_install_from_nonexistant_path + def test_fail_install_from_nonexistent_path bad_path = File.join(project_fixtures_path, "none", "such", "inspec-test-fixture-nonesuch.rb") install_result = run_inspec_process_with_this_plugin("plugin install #{bad_path}") @@ -166,7 +166,7 @@ class PluginManagerCliInstall < Minitest::Test assert_exit_code 0, install_result end - def test_fail_install_from_nonexistant_gemfile + def test_fail_install_from_nonexistent_gemfile bad_path = File.join(project_fixtures_path, "none", "such", "inspec-test-fixture-nonesuch-0.3.0.gem") install_result = run_inspec_process_with_this_plugin("plugin install #{bad_path}") @@ -195,7 +195,7 @@ class PluginManagerCliInstall < Minitest::Test assert_exit_code 0, install_result end - def test_fail_install_from_nonexistant_remote_rubygem + def test_fail_install_from_nonexistent_remote_rubygem install_result = run_inspec_process_with_this_plugin("plugin install inspec-test-fixture-nonesuch") assert_match(/No such plugin gem .+ could be found on rubygems.org - installation failed./, install_result.stdout) 
@@ -224,7 +224,7 @@ class PluginManagerCliInstall < Minitest::Test assert_exit_code 0, install_result end - def test_fail_install_from_nonexistant_rubygem_version + def test_fail_install_from_nonexistent_rubygem_version install_result = run_inspec_process_with_this_plugin("plugin install inspec-test-fixture -v 99.99.99") fail_message = install_result.stdout.split("\n").grep(/failed/).last diff --git a/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb b/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb index 48ebbbbdd..c913c81c2 100644 --- a/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb +++ b/lib/plugins/inspec-plugin-manager-cli/test/functional/update_test.rb @@ -49,7 +49,7 @@ class PluginManagerCliUpdate < Minitest::Test assert_exit_code 0, update_result end - def test_fail_update_from_nonexistant_gem + def test_fail_update_from_nonexistent_gem update_result = run_inspec_process_with_this_plugin("plugin update inspec-test-fixture-nonesuch") assert_match(/No such plugin installed:.+ - update failed/, update_result.stdout) diff --git a/lib/resources/aws/aws_iam_access_key.rb b/lib/resources/aws/aws_iam_access_key.rb index 4de346780..52e810208 100644 --- a/lib/resources/aws/aws_iam_access_key.rb +++ b/lib/resources/aws/aws_iam_access_key.rb @@ -86,7 +86,7 @@ class AwsIamAccessKey < Inspec.resource(1) end if access_keys.count > 1 - raise "More than one access key matched for aws_iam_access_key. Use more specific paramaters, such as access_key_id." + raise "More than one access key matched for aws_iam_access_key. Use more specific parameters, such as access_key_id." end @exists = true diff --git a/lib/resources/azure/azure_backend.rb b/lib/resources/azure/azure_backend.rb index d6ebf329d..27eaf2b6b 100644 --- a/lib/resources/azure/azure_backend.rb +++ b/lib/resources/azure/azure_backend.rb 
@@ -6,7 +6,7 @@ module Inspec::Resources class AzureResourceBase < Inspec.resource(1) attr_reader :opts, :client, :azure - # Constructor that retreives the specified resource + # Constructor that retrieves the specified resource # # The opts hash should contain the following # :group_name - name of the resource group in which to look for items @@ -275,7 +275,7 @@ end # Class object to maintain a count of the Azure Resource types that are found # when a less specific test is carried out. For example if all the resoures of a resource -# group are called for, there will be variaous types and number of those types. +# group are called for, there will be various types and number of those types. # # Each type is namespaced, so for example a virtual machine has the type 'Microsoft.Compute/virtualMachines' # This is broken down into the 'Microsoft' class with the type 'Compute/virtualMachines' @@ -310,7 +310,7 @@ class AzureResourceTypeCounts end # Class object that is created for each element that is returned by Azure. -# This is what is interogated by Inspec. If they are nested hashes, then this results +# This is what is interrogated by InSpec. If they are nested hashes, then this results # in nested AzureResourceProbe objects. # # For example, if the following was seen in an Azure Resource diff --git a/lib/resources/azure/azure_virtual_machine.rb b/lib/resources/azure/azure_virtual_machine.rb index 8b2a97d66..90ca23855 100644 --- a/lib/resources/azure/azure_virtual_machine.rb +++ b/lib/resources/azure/azure_virtual_machine.rb @@ -127,7 +127,7 @@ module Inspec::Resources password_authentication? end - # Deteremine if the machine allows password authentication + # Determine if the machine allows password authentication # # @return boolean def password_authentication? diff --git a/lib/resources/azure/azure_virtual_machine_data_disk.rb b/lib/resources/azure/azure_virtual_machine_data_disk.rb index 9dfacf666..1559c1818 100644 
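Review bot: The `@@ -275` hunk of azure_backend.rb corrects `variaous` but leaves `resoures` in the unchanged comment line directly above it: `# when a less specific test is carried out. For example if all the resoures of a resource`. Since the commit is a spelling cleanup, that line should be fixed in the same pass, with `resoures` changed to `resources`. The comment block belongs to a class whose definition continues outside the hunk.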
--- a/lib/resources/azure/azure_virtual_machine_data_disk.rb +++ b/lib/resources/azure/azure_virtual_machine_data_disk.rb @@ -85,7 +85,7 @@ module Inspec::Resources # return hashtable def parse_datadisk(disk, index) # Configure parsed hashtable to hold the information - # Initialise this with common attributes from the different types of disk + # Initialize this with common attributes from the different types of disk parsed = { disk: index, number: index + 1, @@ -115,7 +115,7 @@ module Inspec::Resources parsed[:storage_account_type] = disk.managedDisk.storageAccountType parsed[:id] = disk.managedDisk.id - # Break up the ID string so that the following information can get retreived + # Break up the ID string so that the following information can get retrieved # - subscription_id # - resource_group id_parts = parsed[:id].split(%r{/}).reject(&:empty?) diff --git a/test/fixtures/profiles/exception-in-control/controls/01-file.rb b/test/fixtures/profiles/exception-in-control/controls/01-file.rb index 6383196a5..7e47003b9 100644 --- a/test/fixtures/profiles/exception-in-control/controls/01-file.rb +++ b/test/fixtures/profiles/exception-in-control/controls/01-file.rb @@ -1,13 +1,13 @@ title 'Test case 1 for exceptions in the file resource' -control 'c01 using file resource on nonexistant file with no property access' do +control 'c01 using file resource on nonexistent file with no property access' do f = file('/i/do/not/exist') describe 'Test block' do it { should include 'Test'} end end -control 'c02 using file resource on nonexistant file with contents access in test block' do +control 'c02 using file resource on nonexistent file with contents access in test block' do f = file('/i/do/not/exist') describe 'Test block' do subject { f.content } 
@@ -15,7 +15,7 @@ control 'c02 using file resource on nonexistant file with contents access in tes end end -control 'c03 using file resource on nonexistant file with contents access control block' do +control 'c03 using file resource on nonexistent file with contents access control block' do f = file('/i/do/not/exist') c = f.content describe 'Test block' do diff --git a/test/fixtures/profiles/exception-in-control/controls/02-sshd_config.rb b/test/fixtures/profiles/exception-in-control/controls/02-sshd_config.rb index 5e0660215..34fdd64ff 100644 --- a/test/fixtures/profiles/exception-in-control/controls/02-sshd_config.rb +++ b/test/fixtures/profiles/exception-in-control/controls/02-sshd_config.rb @@ -1,6 +1,6 @@ title 'Test case 2 for exceptions in the sshd_config resource' -control 'sshd01 using sshd_config resource nonexistant path with no property access' do +control 'sshd01 using sshd_config resource nonexistent path with no property access' do s = sshd_config('/i/do/not/exist') describe 'Test block' do it { should include 'Test'} @@ -8,7 +8,7 @@ control 'sshd01 using sshd_config resource nonexistant path with no property acc end # sshd02 throws exception but is caught and fails the resource -control 'sshd02 sshd_config resource nonexistant path with contents access in test block' do +control 'sshd02 sshd_config resource nonexistent path with contents access in test block' do s = sshd_config('/i/do/not/exist') describe 'Test block' do subject { s } @@ -35,7 +35,7 @@ end # sshd05 throws exception which is not caught, and aborts inspec with stacktrace # Defective on 2.1.54 -control 'sshd05 sshd_config resource nonexistant path with contents access control block' do +control 'sshd05 sshd_config resource nonexistent path with contents access control block' do s = sshd_config('/i/do/not/exist') # Next line triggers compile-time exception c = s.Protocol 
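Review bot: The strings changed in 01-file.rb (`c01`–`c03`) and 02-sshd_config.rb (`sshd01`, `sshd02`, `sshd05`) are control IDs, not comments. Renaming `nonexistant` to `nonexistent` therefore changes the identifiers that reporter output carries and that `--controls` filters or waiver files match on. The diffstat shows only a two-line change to test/functional/inspec_exec_test.rb, and the visible hunk for that file only renames a `describe` label. Any assertion elsewhere that references these fixture controls by their old text would now miss; whether one exists cannot be told from these hunks, so search the test tree for the old IDs.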
diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index b64fac272..42d7a9654 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb @@ -916,7 +916,7 @@ Test Summary: 2 successful, 0 failures, 0 skipped\n" end end - describe "when --config points to a nonexistant location" do + describe "when --config points to a nonexistent location" do let(:cli_args) { "--config " + "no/such/path" } it "should issue an error with the file path" do _(stderr).wont_match looks_like_a_stacktrace diff --git a/test/integration/aws/default/verify/controls/aws_cloudtrail_trail.rb b/test/integration/aws/default/verify/controls/aws_cloudtrail_trail.rb index e3e46e410..2394d428b 100644 --- a/test/integration/aws/default/verify/controls/aws_cloudtrail_trail.rb +++ b/test/integration/aws/default/verify/controls/aws_cloudtrail_trail.rb @@ -26,7 +26,7 @@ control "aws_cloudtrail_trail recall" do it { should exist } end - describe aws_cloudtrail_trail('non-existant-trail') do + describe aws_cloudtrail_trail('non-existent-trail') do it { should_not exist } end end diff --git a/test/integration/aws/default/verify/controls/aws_kms_key.rb b/test/integration/aws/default/verify/controls/aws_kms_key.rb index d08434664..936aab44a 100644 --- a/test/integration/aws/default/verify/controls/aws_kms_key.rb +++ b/test/integration/aws/default/verify/controls/aws_kms_key.rb @@ -19,7 +19,7 @@ control "aws_kms_key recall" do describe aws_kms_key(key_id: fixtures['kms_key_enabled_key_id']) do it { should exist } end - describe aws_kms_key('non-existant-key') do + describe aws_kms_key('non-existent-key') do it { should_not exist } end end diff --git a/test/kitchen/policies/default/controls/user_spec.rb b/test/kitchen/policies/default/controls/user_spec.rb index 99d454f46..15ab67477 100644 --- a/test/kitchen/policies/default/controls/user_spec.rb +++ b/test/kitchen/policies/default/controls/user_spec.rb 
@@ -146,7 +146,7 @@ describe users.where(username: userinfo[:username]) do end end -# catch case where user is not existant +# catch case where user is not existent describe user('not_available') do it { should_not exist } its ('uid') { should eq nil} diff --git a/test/kitchen/policies/find_files/libraries/find_files.rb b/test/kitchen/policies/find_files/libraries/find_files.rb index c69adc7ed..353c17e3b 100644 --- a/test/kitchen/policies/find_files/libraries/find_files.rb +++ b/test/kitchen/policies/find_files/libraries/find_files.rb @@ -3,7 +3,7 @@ class TestFindFiles < Inspec.resource(1) name "test_find_files" desc " - Resource used for testing the funcitonality of Utils::FindFiles + Resource used for testing the functionality of Utils::FindFiles " example " diff --git a/test/unit/plugin/v2/api_input_test.rb b/test/unit/plugin/v2/api_input_test.rb index 24d4a2abb..3128d9f9d 100644 --- a/test/unit/plugin/v2/api_input_test.rb +++ b/test/unit/plugin/v2/api_input_test.rb @@ -4,7 +4,7 @@ require "inspec/plugin/v2" describe "Input plugin type" do describe "when registering the plugin type superclass" do - it "returns the superclass when calling the global defintion method" do + it "returns the superclass when calling the global definition method" do klass = Inspec.plugin(2, :input) _(klass).must_be_kind_of Class _(klass).must_equal Inspec::Plugin::V2::PluginType::Input diff --git a/test/unit/plugin/v2/installer_test.rb b/test/unit/plugin/v2/installer_test.rb index 8f110a928..3db13b6fa 100644 --- a/test/unit/plugin/v2/installer_test.rb +++ b/test/unit/plugin/v2/installer_test.rb 
@@ -155,7 +155,7 @@ class PluginInstallerInstallationTests < Minitest::Test def test_install_a_gem_from_missing_local_file gem_file = File.join(@plugin_fixture_pkg_path, "inspec-test-fixture-nonesuch-0.0.0.gem") - refute File.exist?(gem_file), "The nonexistant gem should not exist prior to install attempt" + refute File.exist?(gem_file), "The non-existent gem should not exist prior to install attempt" ex = assert_raises(Inspec::Plugin::V2::InstallError) { @installer.install("inspec-test-fixture-nonesuch", gem_file: gem_file) } assert_includes ex.message, "Could not find local gem file" end @@ -396,7 +396,7 @@ end class PluginInstallerUninstallTests < Minitest::Test include InstallerTestHelpers - def test_uninstalling_a_nonexistant_plugin_is_an_error + def test_uninstalling_a_nonexistent_plugin_is_an_error # Try a mythical one ex = assert_raises(Inspec::Plugin::V2::UnInstallError) do @installer.uninstall("inspec-test-fixture-nonesuch") diff --git a/test/unit/resources/aws_cloudtrail_trail_test.rb b/test/unit/resources/aws_cloudtrail_trail_test.rb index 207c42a83..65f49f715 100644 --- a/test/unit/resources/aws_cloudtrail_trail_test.rb +++ b/test/unit/resources/aws_cloudtrail_trail_test.rb @@ -51,7 +51,7 @@ class AwsCloudTrailTrailRecallTest < Minitest::Test end def test_search_miss_is_not_an_exception - refute AwsCloudTrailTrail.new(trail_name: "non-existant").exists? + refute AwsCloudTrailTrail.new(trail_name: "non-existent").exists? end end 
@@ -66,37 +66,37 @@ class AwsCloudTrailTrailPropertiesTest < Minitest::Test def test_property_s3_bucket_name assert_equal("aws-s3-bucket-test-trail-1", AwsCloudTrailTrail.new("test-trail-1").s3_bucket_name) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").s3_bucket_name) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").s3_bucket_name) end def test_property_trail_arn assert_equal("arn:aws:cloudtrail:us-east-1::trail/test-trail-1", AwsCloudTrailTrail.new("test-trail-1").trail_arn) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").trail_arn) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").trail_arn) end def test_property_cloud_watch_logs_role_arn assert_equal("arn:aws:iam:::role/CloudTrail_CloudWatchLogs_Role", AwsCloudTrailTrail.new("test-trail-1").cloud_watch_logs_role_arn) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").cloud_watch_logs_role_arn) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").cloud_watch_logs_role_arn) end def test_property_cloud_watch_logs_log_group_arn assert_equal("arn:aws:logs:us-east-1::log-group:test:*", AwsCloudTrailTrail.new("test-trail-1").cloud_watch_logs_log_group_arn) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").cloud_watch_logs_log_group_arn) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").cloud_watch_logs_log_group_arn) end def test_property_kms_key_id assert_equal("arn:aws:kms:us-east-1::key/88197884-041f-4f8e-a801-cf120e4845a8", AwsCloudTrailTrail.new("test-trail-1").kms_key_id) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").kms_key_id) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").kms_key_id) end def test_property_home_region assert_equal("us-east-1", AwsCloudTrailTrail.new("test-trail-1").home_region) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").home_region) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").home_region) end def 
test_property_delivered_logs_days_ago assert_equal(0, AwsCloudTrailTrail.new("test-trail-1").delivered_logs_days_ago) - assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existant").delivered_logs_days_ago) + assert_nil(AwsCloudTrailTrail.new(trail_name: "non-existent").delivered_logs_days_ago) end end diff --git a/test/unit/resources/aws_iam_policy_test.rb b/test/unit/resources/aws_iam_policy_test.rb index fa507f80d..622c6bfcb 100644 --- a/test/unit/resources/aws_iam_policy_test.rb +++ b/test/unit/resources/aws_iam_policy_test.rb @@ -51,7 +51,7 @@ class AwsIamPolicyRecallTest < Minitest::Test end def test_search_miss_is_not_an_exception - refute AwsIamPolicy.new(policy_name: "non-existant").exists? + refute AwsIamPolicy.new(policy_name: "non-existent").exists? end end 
@@ -66,32 +66,32 @@ class AwsIamPolicyPropertiesTest < Minitest::Test def test_property_arn assert_equal("arn:aws:iam::aws:policy/test-policy-1", AwsIamPolicy.new("test-policy-1").arn) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").arn) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").arn) end def test_property_default_version_id assert_equal("v1", AwsIamPolicy.new("test-policy-1").default_version_id) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").default_version_id) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").default_version_id) end def test_property_attachment_count assert_equal(3, AwsIamPolicy.new("test-policy-1").attachment_count) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").attachment_count) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").attachment_count) end def test_property_attached_users assert_equal(["test-user"], AwsIamPolicy.new("test-policy-1").attached_users) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").attached_users) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").attached_users) end def test_property_attached_groups assert_equal(["test-group"], AwsIamPolicy.new("test-policy-1").attached_groups) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").attached_groups) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").attached_groups) end def test_property_attached_roles assert_equal(["test-role"], AwsIamPolicy.new("test-policy-1").attached_roles) - assert_nil(AwsIamPolicy.new(policy_name: "non-existant").attached_roles) + assert_nil(AwsIamPolicy.new(policy_name: "non-existent").attached_roles) end def test_property_policy 
@@ -99,11 +99,11 @@ class AwsIamPolicyPropertiesTest < Minitest::Test assert_kind_of(Hash, policy) assert(policy.key?("Statement"), "test-policy-1 should have a Statement key when unpacked") assert_equal(1, policy["Statement"].count, "test-policy-1 should have 1 statements when unpacked") - assert_nil(AwsIamPolicy.new("non-existant").policy) + assert_nil(AwsIamPolicy.new("non-existent").policy) end def test_property_statement_count - assert_nil(AwsIamPolicy.new("non-existant").statement_count) + assert_nil(AwsIamPolicy.new("non-existent").statement_count) assert_equal(1, AwsIamPolicy.new("test-policy-1").statement_count) assert_equal(2, AwsIamPolicy.new("test-policy-2").statement_count) assert_equal(1, AwsIamPolicy.new("test-policy-3").statement_count) diff --git a/test/unit/resources/aws_kms_key_test.rb b/test/unit/resources/aws_kms_key_test.rb index 6365504a8..131589f1d 100644 --- a/test/unit/resources/aws_kms_key_test.rb +++ b/test/unit/resources/aws_kms_key_test.rb @@ -52,7 +52,7 @@ class AwsKmsKeyRecallTest < Minitest::Test end def test_search_miss_is_not_an_exception - refute AwsKmsKey.new(key_id: "non-existant").exists? + refute AwsKmsKey.new(key_id: "non-existent").exists? end end 
@@ -71,42 +71,42 @@ class AwsKmsKeyPropertiesTest < Minitest::Test def test_property_arn assert_equal("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").arn) - assert_nil(AwsKmsKey.new(key_id: "non-existant").arn) + assert_nil(AwsKmsKey.new(key_id: "non-existent").arn) end def test_property_creation_date assert_equal(TIME_NOW - 10 * 24 * 3600, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").creation_date) - assert_nil(AwsKmsKey.new(key_id: "non-existant").creation_date) + assert_nil(AwsKmsKey.new(key_id: "non-existent").creation_date) end def test_property_key_usage assert_equal("ENCRYPT_DECRYPT", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").key_usage) - assert_nil(AwsKmsKey.new(key_id: "non-existant").key_usage) + assert_nil(AwsKmsKey.new(key_id: "non-existent").key_usage) end def test_property_key_state assert_equal("Enabled", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").key_state) - assert_nil(AwsKmsKey.new(key_id: "non-existant").key_state) + assert_nil(AwsKmsKey.new(key_id: "non-existent").key_state) end def test_property_description assert_equal("test-key-1-desc", AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").description) - assert_nil(AwsKmsKey.new(key_id: "non-existant").description) + assert_nil(AwsKmsKey.new(key_id: "non-existent").description) end def test_property_deletion_time assert_equal(TIME_NOW + 10 * 24 * 3600, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").deletion_time) - assert_nil(AwsKmsKey.new(key_id: "non-existant").deletion_time) + assert_nil(AwsKmsKey.new(key_id: "non-existent").deletion_time) end def test_property_invalidation_time assert_nil(AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").invalidation_time) - 
assert_nil(AwsKmsKey.new(key_id: "non-existant").invalidation_time) + assert_nil(AwsKmsKey.new(key_id: "non-existent").invalidation_time) end def test_property_created_days_ago assert_equal(10, AwsKmsKey.new("arn:aws:kms:us-east-1::key/7a6950aa-c8e6-4e51-8afc-111111111111").created_days_ago) - assert_nil(AwsKmsKey.new(key_id: "non-existant").created_days_ago) + assert_nil(AwsKmsKey.new(key_id: "non-existent").created_days_ago) end end diff --git a/test/unit/resources/command_test.rb b/test/unit/resources/command_test.rb index 822867d22..97ae0cf0d 100644 --- a/test/unit/resources/command_test.rb +++ b/test/unit/resources/command_test.rb @@ -40,13 +40,13 @@ describe Inspec::Resources::Cmd do _(result.resource_exception_message).must_match(/must be a regular expression/) end - it "redacts output if `redact_regex` is passed with caputure groups" do + it "redacts output if `redact_regex` is passed with capture groups" do cmd = "command_with_password -p supersecret -d no_redact" expected_to_s = "Command: `command_with_password -p REDACTED -d no_redact`" _(resource(cmd, redact_regex: /(-p ).*( -d)/).to_s).must_equal(expected_to_s) end - it "redacts output if `redact_regex` is passed without a caputure group" do + it "redacts output if `redact_regex` is passed without a capture group" do cmd = "command_with_password -p supersecret -d no_redact" expected_to_s = "Command: `command_with_password REDACTED no_redact`" _(resource(cmd, redact_regex: /-p .* -d/).to_s).must_equal(expected_to_s) diff --git a/test/unit/resources/etc_hosts_allow_deny_test.rb b/test/unit/resources/etc_hosts_allow_deny_test.rb index c603c444f..6f78c4c68 100644 --- a/test/unit/resources/etc_hosts_allow_deny_test.rb +++ b/test/unit/resources/etc_hosts_allow_deny_test.rb 
@@ -53,7 +53,7 @@ describe "Inspec::Resources::EtcHostsAllow" do end describe "Inspec::Resources::EtcHostsDeny" do - describe "EtcHostsDeny Paramaters" do + describe "EtcHostsDeny Parameters" do resource = load_resource("etc_hosts_deny") it "Verify etc_hosts_deny filtering by `daemon`" do entries = resource.where { daemon == "ALL" } diff --git a/test/unit/resources/json_test.rb b/test/unit/resources/json_test.rb index 86306f85a..10b0ad63d 100644 --- a/test/unit/resources/json_test.rb +++ b/test/unit/resources/json_test.rb @@ -22,11 +22,11 @@ describe "Inspec::Resources::JSON" do _(resource.send("run_list")).must_equal %w{a b} end - it "doesnt resolve dot-notation names" do + it "doesn't resolve dot-notation names" do _(resource.send("x.y.z")).must_be_nil end - it "doesnt resolve symbol-notation names" do + it "doesn't resolve symbol-notation names" do _(resource.send(:'x.y.z')).must_be_nil end diff --git a/test/unit/resources/port_test.rb b/test/unit/resources/port_test.rb index 72d4431a7..a0614ff6f 100644 --- a/test/unit/resources/port_test.rb +++ b/test/unit/resources/port_test.rb @@ -129,7 +129,7 @@ describe "Inspec::Resources::Port" do _(resource.protocols("udp").entries.length).must_equal 15 end - it "verify port on Windows 2008 (unpriviledged)" do + it "verify port on Windows 2008 (unprivileged)" do ml = MockLoader.new(:windows) # kill windows 2012 shell commands ml.backend.backend.commands @@ -144,7 +144,7 @@ describe "Inspec::Resources::Port" do _(resource.addresses).must_equal %w{0.0.0.0 ::} end - it "verify port list on Windows 2008 (unpriviledged)" do + it "verify port list on Windows 2008 (unprivileged)" do ml = MockLoader.new(:windows) # kill windows 2012 shell commands ml.backend.backend.commands diff --git a/test/unit/resources/postgres_hba_conf_test.rb b/test/unit/resources/postgres_hba_conf_test.rb index 6bc9ebc52..c23918263 100644 --- a/test/unit/resources/postgres_hba_conf_test.rb +++ b/test/unit/resources/postgres_hba_conf_test.rb 
@@ -5,7 +5,7 @@ require "inspec/resource" require "inspec/resources/postgres_hba_conf" describe "Inspec::Resources::PGHbaConf" do - describe "PGHbaConf Paramaters" do + describe "PGHbaConf Parameters" do resource = load_resource("postgres_hba_conf", "/test/path/to/postgres/pg_hba.conf") it "Verify postgres_hba_conf filtering by `type`" do diff --git a/test/unit/resources/x509_certificate_test.rb b/test/unit/resources/x509_certificate_test.rb index 945c1b6eb..1b9ab3f25 100644 --- a/test/unit/resources/x509_certificate_test.rb +++ b/test/unit/resources/x509_certificate_test.rb @@ -25,7 +25,7 @@ describe "Inspec::Resources::X509Certificate" do end # TODO: Regenerate certificate using `InSpec` not `Inspec` - it "verify subject distingushed name" do + it "verify subject distinguished name" do _(resource_cert.send("subject_dn")).must_match "Inspec Test Certificate" end @@ -40,7 +40,7 @@ describe "Inspec::Resources::X509Certificate" do end # TODO: Regenerate certificate using `InSpec` not `Inspec` - it "verify issue distingushed name" do + it "verify issue distinguished name" do _(resource_cert.send("issuer_dn")).must_match "Inspec Test CA" end diff --git a/test/unit/runner_test.rb b/test/unit/runner_test.rb index 5023cb284..d3046a2d2 100644 --- a/test/unit/runner_test.rb +++ b/test/unit/runner_test.rb @@ -59,7 +59,7 @@ describe Inspec::Runner do _(config["reporter"]).must_equal expected end - it "delets format if set to a rspec format" do + it "deletes format if set to a rspec format" do opts = { command_runner: :generic, backend_cache: true, "reporter" => ["progress"] } runner = Inspec::Runner.new(opts) config = runner.instance_variable_get(:"@conf") diff --git a/test/unit/utils/nginx_parser_test.rb b/test/unit/utils/nginx_parser_test.rb index 8adb3264c..595ca917a 100644 --- a/test/unit/utils/nginx_parser_test.rb +++ b/test/unit/utils/nginx_parser_test.rb 
@@ -38,25 +38,25 @@ describe NginxParser do _(result[0][:assignment][:args][0][:value]).must_equal "/a/b/c/*.conf" end - it "parses an assignemnt with single quote in a double quoted value" do + it "parses an assignment with single quote in a double quoted value" do result = parse('include "/a/\'b/*.conf";') _(result[0][:assignment][:identifier]).must_equal "include" _(result[0][:assignment][:args][0][:value]).must_equal "/a/'b/*.conf" end - it "parses an assignemnt with double quote in a single quoted value" do + it "parses an assignment with double quote in a single quoted value" do result = parse("include '/a/\"b/*.conf';") _(result[0][:assignment][:identifier]).must_equal "include" _(result[0][:assignment][:args][0][:value]).must_equal "/a/\"b/*.conf" end - it "parses an assignemnt with single quote in a single quoted value" do + it "parses an assignment with single quote in a single quoted value" do result = parse("include '/a/\\\'b/*.conf';") _(result[0][:assignment][:identifier]).must_equal "include" _(result[0][:assignment][:args][0][:value]).must_equal "/a/\\\'b/*.conf" end - it "parses an assignemnt with double quote in a double quoted value" do + it "parses an assignment with double quote in a double quoted value" do result = parse('include "/a/\"b/*.conf";') _(result[0][:assignment][:identifier]).must_equal "include" _(result[0][:assignment][:args][0][:value]).must_equal '/a/\"b/*.conf' From e7b413df218b8064750c1930c9a8aa8691a1233c Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 31 Aug 2021 12:17:10 +0530 Subject: [PATCH 362/483] Fix cannot load such file -- aws-sdk-batch (LoadError) Signed-off-by: Vasu1105 --- inspec.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/inspec.gemspec b/inspec.gemspec index 34a0a64f9..ca153de8e 100644 --- a/inspec.gemspec +++ b/inspec.gemspec 
@@ -31,7 +31,7 @@ Gem::Specification.new do |spec| # Train plugins we ship with InSpec spec.add_dependency "train-habitat", "~> 0.1" - spec.add_dependency "train-aws", "~> 0.1" + spec.add_dependency "train-aws", "~> 0.2" spec.add_dependency "train-winrm", "~> 0.2" spec.add_dependency "mongo", "= 2.13.2" # 2.14 introduces a broken symlink in mongo-2.14.0/spec/support/ocsp end From ca1991451fb698f5896db188ec8ea64a7b38d140 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 31 Aug 2021 13:12:20 +0530 Subject: [PATCH 363/483] Issue fix related to bitbucket default branch fetching in url fetcher Signed-off-by: Nikita Mathur --- lib/inspec/fetcher/url.rb | 10 ++++++---- test/unit/fetchers/url_test.rb | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/lib/inspec/fetcher/url.rb b/lib/inspec/fetcher/url.rb index f22828073..b6f198457 100644 --- a/lib/inspec/fetcher/url.rb +++ b/lib/inspec/fetcher/url.rb 
@@ -74,15 +74,17 @@ module Inspec::Fetcher BITBUCKET_URL_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?[\w-]+)/(?[\w-]+)(\.git)?(/)?$}.freeze BITBUCKET_URL_BRANCH_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?[\w-]+)/(?[\w-]+)/branch/(?[\w\.]+)(/)?$}.freeze BITBUCKET_URL_COMMIT_REGEX = %r{^https?://(www\.)?bitbucket\.org/(?[\w-]+)/(?[\w-]+)/commits/(?[\w\.]+)(/)?$}.freeze + GITHUB_URL = "https://github.com".freeze + BITBUCKET_URL = "https://bitbucket.org".freeze def self.transform(target) transformed_target = if m = GITHUB_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition - default_branch = default_ref(m) + default_branch = default_ref(m, GITHUB_URL) "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{default_branch}.tar.gz" elsif m = GITHUB_URL_WITH_TREE_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition "https://github.com/#{m[:user]}/#{m[:repo]}/archive/#{m[:commit]}.tar.gz" elsif m = BITBUCKET_URL_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition - default_branch = default_ref(m) + default_branch = default_ref(m, BITBUCKET_URL) "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{default_branch}.tar.gz" elsif m = BITBUCKET_URL_BRANCH_REGEX.match(target) # rubocop:disable Lint/AssignmentInCondition "https://bitbucket.org/#{m[:user]}/#{m[:repo]}/get/#{m[:branch]}.tar.gz" @@ -129,8 +131,8 @@ module Inspec::Fetcher private class << self - def default_ref(match_data) - remote_url = "https://github.com/#{match_data[:user]}/#{match_data[:repo]}.git" + def default_ref(match_data, repo_url) + remote_url = "#{repo_url}/#{match_data[:user]}/#{match_data[:repo]}.git" command_string = "git remote show #{remote_url}" cmd = shellout(command_string) unless cmd.exitstatus == 0 diff --git a/test/unit/fetchers/url_test.rb b/test/unit/fetchers/url_test.rb index 3f8f3f948..4b15f2e8a 100644 --- a/test/unit/fetchers/url_test.rb +++ b/test/unit/fetchers/url_test.rb 
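Review bot: In `default_ref`, `command_string = "git remote show #{remote_url}"` is still built by string interpolation, and the new `repo_url` parameter is a second value that flows into that shell command. With the two call sites in `transform` this looks safe, because `repo_url` is one of the frozen `*_URL` constants and `user`/`repo` come from captures limited to `[\w-]+`, but nothing in `default_ref` states or enforces that. I would add a comment above the method such as `# repo_url must be one of the *_URL constants and user/repo must come from the URL regexes: the result is interpolated into a shell command`, or pass the command as separate arguments if the `shellout` helper (not visible here) accepts that. The URL regexes in the first hunk also anchor with `^`/`$`, which match per line in Ruby; `\A`/`\z` would be stricter. The body of `default_ref` continues outside the hunk.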
@@ -18,6 +18,20 @@ describe Inspec::Fetcher::Url do m end + let(:git_remote_head_main) do + out = mock + out.stubs(:stdout).returns("HEAD branch: main\n") + out.stubs(:exitstatus).returns(0) + out.stubs(:stderr).returns("") + out.stubs(:error!).returns(false) + out.stubs(:run_command).returns(true) + out + end + + def expect_git_remote_head_main(remote_url) + Mixlib::ShellOut.expects(:new).returns(git_remote_head_main) + end + def expect_url_transform @mock_logger = Minitest::Mock.new @mock_logger.expect(:warn, nil, [/URL target.*transformed/]) @@ -116,6 +130,7 @@ describe Inspec::Fetcher::Url do http://www.bitbucket.org/chef/inspec.git}.each do |bitbucket| it "resolves a bitbucket url #{bitbucket}" do expect_url_transform do + expect_git_remote_head_main(bitbucket) res = Inspec::Fetcher::Url.resolve(bitbucket) res.expects(:open).returns(mock_open) _(res).wont_be_nil From 81b28c2c5180dd78baea1ede81d44ec3003e3996 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 31 Aug 2021 14:04:38 +0530 Subject: [PATCH 364/483] Change master to main branch for inspec-gcp and inspec-azure repo Signed-off-by: Vasu1105 --- lib/plugins/inspec-init/templates/profiles/azure/inspec.yml | 2 +- lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml | 2 +- test/fixtures/profiles/cloud/test-azure/inspec.yml | 2 +- test/fixtures/profiles/cloud/test-gcp/inspec.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml b/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml index 0f5469be9..17d8e7ce2 100644 --- a/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml +++ b/lib/plugins/inspec-init/templates/profiles/azure/inspec.yml @@ -9,6 +9,6 @@ version: 0.1.0 inspec_version: '>= 2.2.7' depends: - name: inspec-azure - url: https://github.com/inspec/inspec-azure/archive/master.tar.gz + url: https://github.com/inspec/inspec-azure/archive/main.tar.gz supports: - platform: azure 
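Review bot: `expect_git_remote_head_main(remote_url)` never uses `remote_url`, so `Mixlib::ShellOut.expects(:new)` is satisfied by any command. The Bitbucket test would therefore still pass if `default_ref` queried github.com for a Bitbucket profile, which is the behaviour this commit fixes. Constraining the expectation would pin the fix, e.g. `Mixlib::ShellOut.expects(:new).with { |cmd, *| cmd.include?("https://bitbucket.org/") }.returns(git_remote_head_main)`; the exact argument shape depends on how `shellout` calls `Mixlib::ShellOut.new`, which is not shown. If the expectation is meant to stay loose, drop the unused parameter.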
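Review bot: The `depends` entry in the azure template still points at a branch archive (`.../inspec-azure/archive/main.tar.gz`), so a profile generated from it fetches whatever is at the tip of `main` at that moment. A tagged release or commit archive would make the dependency reproducible and reviewable, e.g. `url: https://github.com/inspec/inspec-azure/archive/<TAG_OR_COMMIT>.tar.gz` (placeholder, to be replaced by the release the template is tested against). A lockfile, where one is generated and kept, limits the drift but not the initial fetch. The same applies to the gcp template and to the two `test/fixtures/profiles/cloud` profiles changed in this commit.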
diff --git a/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml b/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml index 8ccbcdcba..8a47966c0 100644 --- a/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml +++ b/lib/plugins/inspec-init/templates/profiles/gcp/inspec.yml @@ -13,6 +13,6 @@ inputs: description: 'The GCP project identifier.' depends: - name: inspec-gcp - url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz + url: https://github.com/inspec/inspec-gcp/archive/main.tar.gz supports: - platform: gcp diff --git a/test/fixtures/profiles/cloud/test-azure/inspec.yml b/test/fixtures/profiles/cloud/test-azure/inspec.yml index dff1ab175..70323356a 100644 --- a/test/fixtures/profiles/cloud/test-azure/inspec.yml +++ b/test/fixtures/profiles/cloud/test-azure/inspec.yml @@ -9,6 +9,6 @@ version: 0.1.0 inspec_version: '>= 2.2.7' depends: - name: inspec-azure - url: https://github.com/inspec/inspec-azure/archive/master.tar.gz + url: https://github.com/inspec/inspec-azure/archive/main.tar.gz supports: - platform: azure diff --git a/test/fixtures/profiles/cloud/test-gcp/inspec.yml b/test/fixtures/profiles/cloud/test-gcp/inspec.yml index e2a4c8c91..cfaaae139 100644 --- a/test/fixtures/profiles/cloud/test-gcp/inspec.yml +++ b/test/fixtures/profiles/cloud/test-gcp/inspec.yml @@ -13,6 +13,6 @@ inputs: description: 'The GCP project identifier.' depends: - name: inspec-gcp - url: https://github.com/inspec/inspec-gcp/archive/master.tar.gz + url: https://github.com/inspec/inspec-gcp/archive/main.tar.gz supports: - platform: gcp From ddcb09666624407f4a1707d8347582a5d3978db8 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 31 Aug 2021 17:17:24 +0530 Subject: [PATCH 365/483] Fix control tags fetching logic which was breaking profiles with tags used 
Signed-off-by: Nikita Mathur --- lib/inspec/control_eval_context.rb | 19 ++++++++++++------- .../profiles/control-tags/controls/example.rb | 8 ++++++++ test/functional/inspec_exec_test.rb | 11 ++++++++++- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index a062d84a5..aa287cad8 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -53,19 +53,24 @@ module Inspec def control(id, opts = {}, &block) opts[:skip_only_if_eval] = @skip_only_if_eval - tag_ids = control_tags(&block) - if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) || tag_exist_in_control_tags?(tag_ids) + if (controls_list_empty? && tags_list_empty?) || control_exist_in_controls_list?(id) register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)) + elsif !tags_list_empty? + # Inside elsif rule is initialised before registering it because it enables fetching of control tags + inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block) + tag_ids = control_tags(inspec_rule) + register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids) end end alias rule control - def control_tags(&block) - tag_source = block.source.split("\n").select { |src| src.split.first.eql?("tag") } - tag_source = tag_source.map { |src| src.sub("tag", "").strip }.map { |src| src.split(",").map { |final_src| final_src.sub(/([^:]*):/, "") } }.flatten - output = tag_source.map { |src| src.sub(/\[|\]/, "") }.map { |src| instance_eval(src) } - output.compact.uniq + def control_tags(inspec_rule) + all_tags = [] + inspec_rule.tag.each do |key, value| + value.nil? ? all_tags.push(key) : all_tags.push(value) + end + all_tags.flatten.compact.uniq.map(&:to_s) rescue [] end diff --git a/test/fixtures/profiles/control-tags/controls/example.rb b/test/fixtures/profiles/control-tags/controls/example.rb index b96cfdc2b..a91f27aa8 100644 
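Review bot: `control_tags` ends in a bare method-level `rescue` that returns `[]`, so any error raised while reading `inspec_rule.tag` makes the control look untagged and `control` silently leaves it out of a `--tags` run. For a compliance scan, a control that is skipped without a trace is harder to notice than a visible failure. I would rescue explicitly and log before returning, e.g. `rescue StandardError => e` followed by `Inspec::Log.warn "Could not read control tags: #{e.message}"` and then `[]`, assuming `Inspec::Log` is loaded in this file. The `elsif !tags_list_empty?` branch also builds an `Inspec::Rule` for every control before filtering, which is worth stating in the comment there if constructing a rule has side effects.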
--- a/test/fixtures/profiles/control-tags/controls/example.rb +++ b/test/fixtures/profiles/control-tags/controls/example.rb @@ -1,8 +1,16 @@ control "basic" do tag "tag1" + tag :special, :special1 tag severity: nil tag data: "tag2" tag data_arr: ["tag3", "tag4"] + tag error1: "Line with a line-feed + error" + tag error2: "Line with a comma,error" + tag cci: ['CCI-000366'] + tag legacy: [] + tag nist: ["AU-9", "AU-9 (3)", "AC-3 (4)", "AC-6 (10)"] + tag ref: "http:example.html:CIS CSC v6.0 #5.1;" describe(true) { it { should eq true } } end diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index b64fac272..bec77482e 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb @@ -258,7 +258,7 @@ Test Summary: 0 successful, 0 failures, 0 skipped it "executes only specified controls when selecting the controls by using regex on tags" do inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags '/\s+/'") _(stdout).must_include "true is expected to eq true\n" - _(stdout).must_include "Test Summary: 1 successful, 0 failures, 0 skipped\n" + _(stdout).must_include "Test Summary: 2 successful, 0 failures, 0 skipped\n" _(stderr).must_equal "" assert_exit_code 0, out 
@@ -282,6 +282,15 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 100, out end + it "executes profile successfully when tags are used with single element array, punctuations and linefeeds" do + inspec("exec " + File.join(profile_path, "control-tags") + " --no-create-lockfile --tags tag1 'Line with a comma,error' CCI-000366") + _(stdout).must_include "true is expected to eq true\n" + _(stdout).must_include "Test Summary: 1 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + it "reports whan a profile cannot be loaded" do inspec("exec " + File.join(profile_path, "raise_outside_control") + " --no-create-lockfile") _(stdout).must_match(/Profile:[\W]+InSpec Profile \(raise_outside_control\)/) From c85f49d0d83d65c0b5d2a9a32f090c3e6e08cdd6 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 31 Aug 2021 18:14:57 +0530 Subject: [PATCH 366/483] Change to filter tags on both key and value basis of hashmap style tags Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/cli.md | 2 +- lib/inspec/control_eval_context.rb | 4 +++- test/fixtures/profiles/control-tags/controls/example.rb | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 43bfe77eb..4e8185ccf 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -337,7 +337,7 @@ This subcommand has additional options: * ``--target-id=TARGET_ID`` Provide a ID which will be included on reports * ``--tags=one two three`` - A list of tags, a list of regular expressions that match tags, or a hash map where each value is a tag. `exec` will run controls referenced by the listed or matching tags. + A list of tags, a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags. * ``--user=USER`` The login user for a remote scan. * ``--vendor-cache=VENDOR_CACHE`` 
diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index aa287cad8..5ad3f885f 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -57,6 +57,7 @@ module Inspec register_control(Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block)) elsif !tags_list_empty? # Inside elsif rule is initialised before registering it because it enables fetching of control tags + # This condition is only true when --tags option is used inspec_rule = Inspec::Rule.new(id, profile_id, resources_dsl, opts, &block) tag_ids = control_tags(inspec_rule) register_control(inspec_rule) if tag_exist_in_control_tags?(tag_ids) @@ -68,7 +69,8 @@ module Inspec def control_tags(inspec_rule) all_tags = [] inspec_rule.tag.each do |key, value| - value.nil? ? all_tags.push(key) : all_tags.push(value) + all_tags.push(key) + all_tags.push(value) unless value.nil? end all_tags.flatten.compact.uniq.map(&:to_s) rescue diff --git a/test/fixtures/profiles/control-tags/controls/example.rb b/test/fixtures/profiles/control-tags/controls/example.rb index a91f27aa8..9c140017d 100644 --- a/test/fixtures/profiles/control-tags/controls/example.rb +++ b/test/fixtures/profiles/control-tags/controls/example.rb @@ -1,6 +1,6 @@ control "basic" do tag "tag1" - tag :special, :special1 + tag :symbol_key1, :symbol_key2 tag severity: nil tag data: "tag2" tag data_arr: ["tag3", "tag4"] From 3509d196902921ad1938f6ad00b0945c80a8d7f4 Mon Sep 17 00:00:00 2001 From: Clinton Wolfe Date: Tue, 31 Aug 2021 22:12:32 -0400 Subject: [PATCH 367/483] Update location of default branch for omnibus and omnibus-software Signed-off-by: Clinton Wolfe --- omnibus/Gemfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/omnibus/Gemfile b/omnibus/Gemfile index 54c1f29d4..c502ee31f 100644 --- a/omnibus/Gemfile +++ b/omnibus/Gemfile 
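Review bot: In `control_tags`, the loop now pushes the key of every hash-style tag as well as its value, so `--tags severity` or a broad regular expression selects each control that carries that key, whatever the value is. The `cli.md` wording edited in the same commit does not mention key matching, and nothing in the method records that it is intended. A comment above the loop such as `# Hash-style tags contribute both key and value, so --tags can match either` would make the widened selection explicit for whoever changes the filter next. The method's closing `rescue` branch lies outside this hunk.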
@@ -1,7 +1,7 @@ source "https://rubygems.org" -gem "omnibus", github: ENV.fetch("OMNIBUS_GITHUB_REPO", "chef/omnibus"), branch: ENV.fetch("OMNIBUS_GITHUB_BRANCH", "master") -gem "omnibus-software", github: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_REPO", "chef/omnibus-software"), branch: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_BRANCH", "master") +gem "omnibus", github: ENV.fetch("OMNIBUS_GITHUB_REPO", "chef/omnibus"), branch: ENV.fetch("OMNIBUS_GITHUB_BRANCH", "main") +gem "omnibus-software", github: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_REPO", "chef/omnibus-software"), branch: ENV.fetch("OMNIBUS_SOFTWARE_GITHUB_BRANCH", "main") gem "artifactory" gem "ffi", ">= 1.9.14", "!= 1.13.0" From b0debb83dd3252849f5d8684c86860965a76aa8d Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 1 Sep 2021 02:17:33 +0000 Subject: [PATCH 368/483] Bump version to 4.41.18 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c59de756..57a05e502 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.17](https://github.com/inspec/inspec/tree/v4.41.17) (2021-08-30) + +## [v4.41.18](https://github.com/inspec/inspec/tree/v4.41.18) (2021-09-01) #### Merged Pull Requests -- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) +- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) - Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) - Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 05fd36977..c479e0c2e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.17 \ No newline at end of file +4.41.18 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index c4bff425c..51c5fac40 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.17".freeze + VERSION = "4.41.18".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 0f67202a3..0b63516ec 100644 --- a/lib/inspec/version.rb 
+++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.17".freeze + VERSION = "4.41.18".freeze end From 5c4d53406624cd6201f8f3348e40ccb5ee63e108 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 1 Sep 2021 03:29:23 +0000 Subject: [PATCH 369/483] Bump version to 4.41.19 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57a05e502..269f5692b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.18](https://github.com/inspec/inspec/tree/v4.41.18) (2021-09-01) + +## [v4.41.19](https://github.com/inspec/inspec/tree/v4.41.19) (2021-09-01) #### Merged Pull Requests -- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) - Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) - Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index c479e0c2e..05c175d6c 100644 
--- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.18 \ No newline at end of file +4.41.19 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 51c5fac40..9e6237271 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.18".freeze + VERSION = "4.41.19".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 0b63516ec..b4756dae7 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.18".freeze + VERSION = "4.41.19".freeze end From 489318042c97e1601fafbbd758fb134a9e9b93dd Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 1 Sep 2021 03:42:24 +0000 Subject: [PATCH 370/483] Bump version to 4.41.20 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 269f5692b..69ba0991b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.19](https://github.com/inspec/inspec/tree/v4.41.19) (2021-09-01) + +## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01) #### Merged Pull Requests -- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) +- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.2 release #### Merged Pull Requests +- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) - Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) - Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) diff --git a/VERSION b/VERSION index 05c175d6c..91f803fc3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.19 \ No newline at end of file +4.41.20 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 9e6237271..8efb12c05 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.19".freeze + VERSION = "4.41.20".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index b4756dae7..71e706b04 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.19".freeze + VERSION = "4.41.20".freeze end 
From 30ea9cfe57ca394520eb46331daec33c501e99df Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Aug 2021 18:02:08 +0530 Subject: [PATCH 371/483] Add ibmdb2_conf and ibmdb2_session resource Signed-off-by: Vasu1105 --- .../content/inspec/resources/ibmdb2_conf.md | 53 ++++++++++++++++ .../inspec/resources/ibmdb2_session.md | 58 ++++++++++++++++++ lib/inspec/resources.rb | 2 + lib/inspec/resources/ibmdb2_conf.rb | 48 +++++++++++++++ lib/inspec/resources/ibmdb2_session.rb | 61 +++++++++++++++++++ test/fixtures/cmd/ibmdb2_conf_output | 8 +++ test/fixtures/cmd/ibmdb2_connect_to_instance | 1 + test/fixtures/cmd/ibmdb2_db_connect_output | 1 + test/fixtures/cmd/ibmdb2_query_output | 14 +++++ test/helpers/mock_loader.rb | 6 ++ test/unit/resources/ibmdb2_conf_test.rb | 29 +++++++++ test/unit/resources/ibmdb2_session_test.rb | 29 +++++++++ 12 files changed, 310 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/ibmdb2_conf.md create mode 100644 docs-chef-io/content/inspec/resources/ibmdb2_session.md create mode 100644 lib/inspec/resources/ibmdb2_conf.rb create mode 100644 lib/inspec/resources/ibmdb2_session.rb create mode 100644 test/fixtures/cmd/ibmdb2_conf_output create mode 100644 test/fixtures/cmd/ibmdb2_connect_to_instance create mode 100644 test/fixtures/cmd/ibmdb2_db_connect_output create mode 100644 test/fixtures/cmd/ibmdb2_query_output create mode 100644 test/unit/resources/ibmdb2_conf_test.rb create mode 100644 test/unit/resources/ibmdb2_session_test.rb diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md new file mode 100644 index 000000000..d3e279873 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md 
@@ -0,0 +1,53 @@ ++++ +title = "ibmdb2_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "ibmdb2_conf" + identifier = "inspec/resources/os/ibmdb2_conf.md ibmdb2_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. +Make sure you are using the database instance user credentials to run the InSpec test. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to connect and then runs command to get the configuration values and compares it to the value stated in the test: + + describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} + end + +where + +- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect. +- `db2_executable_file_path` is the path of the db2 binary file. +- `db_instance` is the name of the database instance. +- `its("output") { should include("expected_settings")}` compares the results of the output against the expected result in the test. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test the audit buffer size configuration settings of IBM Db2 database + + describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")} + end + + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). 
diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_session.md b/docs-chef-io/content/inspec/resources/ibmdb2_session.md new file mode 100644 index 000000000..e776769d9 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/ibmdb2_session.md 
@@ -0,0 +1,58 @@ ++++ +title = "ibmdb2_session resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "ibmdb2_session" + identifier = "inspec/resources/os/ibmdb2_session.md ibmdb2_session resource" + parent = "inspec/resources/os" ++++ + +Use the `ibmdb2_session` Chef InSpec audit resource to test SQL commands run against an IBM Db2 database. +Make sure you are using the database instance user credentials to run the InSpec test. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `ibmdb2_session` resource block declares the db2_executable_file_path, db_instance and db_name to use for the session, and then the query to be run: + + describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do + its("output") { should match(/SYSTS_MGR/) } + end + +where + +- `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect. +- `db2_executable_file_path` is the path of the db2 binary file. +- `db_instance` is the name of the database instance. +- `db_name` is the name of the database to query on. +- `query('QUERY')` contains the query to be run. +- `its('output') { should eq(/expected-result/) }` compares the results of the query against the expected result in the test. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +### Test for matching role name + + describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("select rolename from syscat.roleauth") do + its("output") { should match(/SYSTS_MGR/) } + end + +### Test for matching database + + describe ibmdb2_session(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample").query("list database directory") do + its("output") { should match(/SAMPLE/) } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 513612271..cc9434919 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -58,6 +58,8 @@ require "inspec/resources/groups" require "inspec/resources/grub_conf" require "inspec/resources/host" require "inspec/resources/http" +require "inspec/resources/ibmdb2_conf" +require "inspec/resources/ibmdb2_session" require "inspec/resources/iis_app" require "inspec/resources/iis_app_pool" require "inspec/resources/iis_site" diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb new file mode 100644 index 000000000..0eb103a2e --- /dev/null +++ b/lib/inspec/resources/ibmdb2_conf.rb 
@@ -0,0 +1,48 @@
+require "inspec/resources/ibmdb2_conf"
+
+module Inspec::Resources
+ class Ibmdb2Conf < Inspec.resource(1)
+ name "ibmdb2_conf"
+
+ supports platform: "unix"
+
+ desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database."
+ example <<~EXAMPLE
+ describe ibmdb2_conf(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1") do
+ its("output") { should_not be_empty }
+ its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
+ end
+ EXAMPLE
+
+ attr_reader :output
+
+ def initialize(opts = {})
+ @db2_executable_file_path = opts[:db2_executable_file_path]
+ @db_instance = opts[:db_instance]
+ raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil?
+ @output = run_command
+ end
+
+ def to_s
+ "IBM Db2 Conf"
+ end
+
+ private
+
+ def run_command
+ cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\;")
+ out = cmd.stdout + "\n" + cmd.stderr
+ if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 instance/ || out.downcase =~ /^error:.*/
+ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}"
+ end
+
+ cmd = inspec.command("#{@db2_executable_file_path} get database manager configuration")
+ out = cmd.stdout + "\n" + cmd.stderr
+ if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/
+ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}"
+ else
+ cmd.stdout.gsub(/\n/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, ' ') }
+ end
+ end
+ end
+end
diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb new file mode 100644
index 000000000..b90212352
--- /dev/null
+++ b/lib/inspec/resources/ibmdb2_session.rb
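Review bot: `run_command` builds both shell strings by interpolating `@db2_executable_file_path` and `@db_instance` unquoted, so a value containing spaces or shell metacharacters changes the command that runs on the target; if these options can be fed from profile inputs, escape them, e.g. `Shellwords.escape(@db_instance)` after `require "shellwords"`. Separately, the final `.map { |n| n.strip.gsub!(/\s+/, ' ') }` yields `nil` for any line that contains no whitespace, because `gsub!` returns `nil` when nothing was substituted; `n.strip.gsub(/\s+/, " ")` avoids that. Converting newlines to commas and then splitting on `,` also breaks any configuration value that itself contains a comma, which `cmd.stdout.lines` would not.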
@@ -0,0 +1,61 @@ +require "inspec/resources/ibmdb2_session" + +module Inspec::Resources + class Lines + attr_reader :output, :exit_status + + def initialize(raw, desc, exit_status) + @output = raw + @desc = desc + @exit_status = exit_status + end + + def to_s + @desc + end + end + + class Ibmdb2Session < Inspec.resource(1) + name "ibmdb2_session" + + supports platform: "unix" + + desc "Use the ibmdb2_session InSpec audit resource to test SQL commands run against a IBM Db2 database." + example <<~EXAMPLE + describe ibmdb2_session(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1", db_name: "sample").query('list database directory') do + its('output') { should_not match(/sample/) } + end + EXAMPLE + + def initialize(opts = {}) + @db2_executable_file_path = opts[:db2_executable_file_path] + @db_instance = opts[:db_instance] + @db_name = opts[:db_name] + raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil? + end + + def query(q) + raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? 
+ + # connect to the db + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\;") + out = cmd.stdout + "\n" + cmd.stderr + if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ + raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" + end + + # query on the database + cmd = inspec.command("#{@db2_executable_file_path} #{q}\;") + out = cmd.stdout + "\n" + cmd.stderr + if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ + raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" + else + Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}", cmd.exit_status) + end + end + + def to_s + "IBM Db2 Session" + end + end +end diff --git a/test/fixtures/cmd/ibmdb2_conf_output b/test/fixtures/cmd/ibmdb2_conf_output new file mode 100644 index 000000000..8275f544f --- /dev/null +++ b/test/fixtures/cmd/ibmdb2_conf_output @@ -0,0 +1,8 @@ +Database Manager Configuration + +Node type = Enterprise Server Edition with local and remote clients + +Database manager configuration release level = 0x1500 + +CPU speed (millisec/instruction) (CPUSPEED) = 2.952151e-07 +Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0 diff --git a/test/fixtures/cmd/ibmdb2_connect_to_instance b/test/fixtures/cmd/ibmdb2_connect_to_instance new file mode 100644 index 000000000..992fe865d --- /dev/null +++ b/test/fixtures/cmd/ibmdb2_connect_to_instance @@ -0,0 +1 @@ +"\n Instance Attachment Information\n\n Instance server = DB2/LINUXX8664 11.5.6.0\n Authorization ID = DB2INST1\n Local instance alias = DB2INST1\n\n" diff --git a/test/fixtures/cmd/ibmdb2_db_connect_output b/test/fixtures/cmd/ibmdb2_db_connect_output new file mode 100644 index 000000000..9cbcb68ed --- /dev/null +++ b/test/fixtures/cmd/ibmdb2_db_connect_output 
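Review bot: `query(q)` hands the SQL text to the shell unquoted in `"#{@db2_executable_file_path} #{q}\;"`, so the shell interprets it before db2 sees it: `*` is glob-expanded, `>` and `<` become redirections, and quotes or parentheses are consumed or rejected. Pass the statement as a single escaped argument, e.g. `inspec.command("#{@db2_executable_file_path} #{Shellwords.escape(q)}")` with `require "shellwords"`, and treat `@db_instance` and `@db_name` the same way in the attach/connect command. The fallback command added to this method later in the series (PATCH 375) interpolates `q` in the same way. `Lines` is declared directly in `Inspec::Resources`; if another session resource already defines a class of that name there, this reopens it with a three-argument `initialize`, so a resource-specific class name would be safer.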
@@ -0,0 +1 @@ +"\n Instance Attachment Information\n\n Instance server = DB2/LINUXX8664 11.5.6.0\n Authorization ID = DB2INST1\n Local instance alias = DB2INST1\n\n\n Database Connection Information\n\n Database server = DB2/LINUXX8664 11.5.6.0\n SQL authorization ID = DB2INST1\n Local database alias = SAMPLE\n\n" diff --git a/test/fixtures/cmd/ibmdb2_query_output b/test/fixtures/cmd/ibmdb2_query_output new file mode 100644 index 000000000..d8efd7499 --- /dev/null +++ b/test/fixtures/cmd/ibmdb2_query_output @@ -0,0 +1,14 @@ +ROLENAME -------------------------------------------------------------------------------------------------------------- + +SYSTS_ADM + +SYSTS_MGR + +SYSDEBUG + +SYSDEBUGPRIVATE + +SYSTS_USR + + +5 record(s) selected.\n\n" diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 82352de25..eee95f6a9 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -583,6 +583,12 @@ class MockLoader "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), + + #ibmdb2 + "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1;" => cmd.call("ibmdb2_connect_to_instance"), + "/opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), + "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 connect to sample;" => cmd.call("ibmdb2_db_connect_output"), + "/opt/ibm/db2/V11.5/bin/db2 select rolename from syscat.roleauth;" => cmd.call("ibmdb2_query_output"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") diff --git a/test/unit/resources/ibmdb2_conf_test.rb b/test/unit/resources/ibmdb2_conf_test.rb new file mode 100644 index 000000000..fac0deef7 --- /dev/null 
+++ b/test/unit/resources/ibmdb2_conf_test.rb @@ -0,0 +1,29 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/ibmdb2_conf" + +describe "Inspec::Resources::ibmdb2_conf" do + it "fails when no IBM db2 executable path is provided" do + resource = load_resource("ibmdb2_conf", db_instance: "db2inst1") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." + end + + it "fails when no IBM db2 instance name is provided" do + resource = load_resource("ibmdb2_conf", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." + end + + it "return the output in array format" do + resource = load_resource("ibmdb2_conf", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") + _(resource.resource_failed?).must_equal false + _(resource.output).must_be_kind_of Array + end + + it "returns expected result" do + resource = load_resource("ibmdb2_conf", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") + _(resource.resource_failed?).must_equal false + _(resource.output).must_include "Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0" + end +end diff --git a/test/unit/resources/ibmdb2_session_test.rb b/test/unit/resources/ibmdb2_session_test.rb new file mode 100644 index 000000000..80c5c66a2 --- /dev/null +++ b/test/unit/resources/ibmdb2_session_test.rb 
@@ -0,0 +1,29 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/ibmdb2_session" + +describe "Inspec::Resources::ibmdb2_session" do + it "fails when no IBM db2 instance name is provided" do + resource = load_resource("ibmdb2_session", db_instance: "db2inst1", db_name: "sample") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." + end + + it "fails when no IBM db2 instance name is provided" do + resource = load_resource("ibmdb2_session", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_name: "sample") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." + end + + it "fails when no IBM db2 database name is provided" do + resource = load_resource("ibmdb2_session", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." + end + + it "returns expected result" do + resource = load_resource("ibmdb2_session", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample") + _(resource.resource_failed?).must_equal false + _(resource.query("select rolename from syscat.roleauth").output).must_match(/SYSTS_ADM/) + end +end From dece4cb9ee4ea7a1688e70eddd84e7a7a06ca83e Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 10 Aug 2021 19:00:34 +0530 Subject: [PATCH 372/483] Updated docs Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/ibmdb2_conf.md | 2 +- docs-chef-io/content/inspec/resources/ibmdb2_session.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
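Review bot: The first example is titled "fails when no IBM db2 instance name is provided" but it is the one that omits `db2_executable_file_path`, and the second example carries the same title; rename the first to `it "fails when no IBM db2 executable path is provided" do` so a failure points at the right option. The only query exercised is a plain `select rolename from syscat.roleauth`; a case with `*` or a quoted literal in the SQL would pin down how `query` hands the text to the shell.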
diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md index d3e279873..7e22109a3 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md @@ -12,7 +12,7 @@ platform = "os" +++ Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. -Make sure you are using the database instance user credentials to run the InSpec test. +Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test. ## Availability diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_session.md b/docs-chef-io/content/inspec/resources/ibmdb2_session.md index e776769d9..53664954c 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_session.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_session.md @@ -12,7 +12,7 @@ platform = "os" +++ Use the `ibmdb2_session` Chef InSpec audit resource to test SQL commands run against an IBM Db2 database. -Make sure you are using the database instance user credentials to run the InSpec test. +Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test. ## Availability From 763f22181000ddca04dc9613ba6a34c430536562 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 11 Aug 2021 11:26:28 +0530 Subject: [PATCH 373/483] Fix lint errors Signed-off-by: Vasu1105 --- lib/inspec/resources/ibmdb2_conf.rb | 5 +++-- lib/inspec/resources/ibmdb2_session.rb | 2 +- test/helpers/mock_loader.rb | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb index 0eb103a2e..ee4b75619 100644 --- a/lib/inspec/resources/ibmdb2_conf.rb +++ b/lib/inspec/resources/ibmdb2_conf.rb 
@@ -18,8 +18,9 @@ module Inspec::Resources def initialize(opts = {}) @db2_executable_file_path = opts[:db2_executable_file_path] - @db_instance = opts[:db_instance] + @db_instance = opts[:db_instance] raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil? + @output = run_command end @@ -41,7 +42,7 @@ module Inspec::Resources if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" else - cmd.stdout.gsub(/\n/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, ' ') } + cmd.stdout.gsub(/\n/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") } end end end diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb index b90212352..e0d47a817 100644 --- a/lib/inspec/resources/ibmdb2_session.rb +++ b/lib/inspec/resources/ibmdb2_session.rb @@ -29,7 +29,7 @@ module Inspec::Resources def initialize(opts = {}) @db2_executable_file_path = opts[:db2_executable_file_path] - @db_instance = opts[:db_instance] + @db_instance = opts[:db_instance] @db_name = opts[:db_name] raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil? end diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index eee95f6a9..decc59685 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -584,7 +584,7 @@ class MockLoader "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), - #ibmdb2 + # ibmdb2 "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1;" => cmd.call("ibmdb2_connect_to_instance"), "/opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 connect to sample;" => cmd.call("ibmdb2_db_connect_output"), From 65852c29700ebba45117b0be03f07da94eebba9f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 11 Aug 2021 12:50:19 +0530 Subject: [PATCH 374/483] bad code : self require fix Signed-off-by: Vasu1105 --- lib/inspec/resources/ibmdb2_conf.rb | 2 -- lib/inspec/resources/ibmdb2_session.rb | 2 -- 2 files changed, 4 deletions(-) diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb index ee4b75619..b9bf0c5e1 100644 --- a/lib/inspec/resources/ibmdb2_conf.rb +++ b/lib/inspec/resources/ibmdb2_conf.rb @@ -1,5 +1,3 @@ -require "inspec/resources/ibmdb2_conf" - module Inspec::Resources class Ibmdb2Conf < Inspec.resource(1) name "ibmdb2_conf" diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb index e0d47a817..df261837e 100644 --- a/lib/inspec/resources/ibmdb2_session.rb +++ b/lib/inspec/resources/ibmdb2_session.rb @@ -1,5 +1,3 @@ -require "inspec/resources/ibmdb2_session" - module Inspec::Resources class Lines attr_reader :output, :exit_status From 39432f29e54e71478ef570dceccc98a6c868a71e Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 11 Aug 2021 14:58:37 +0530 Subject: [PATCH 375/483] IBM Db2 connection failure fix for error Reason Code 3 
Signed-off-by: Vasu1105 --- lib/inspec/resources/ibmdb2_conf.rb | 9 +++++++-- lib/inspec/resources/ibmdb2_session.rb | 10 +++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb index b9bf0c5e1..f293e6c84 100644 --- a/lib/inspec/resources/ibmdb2_conf.rb +++ b/lib/inspec/resources/ibmdb2_conf.rb @@ -29,13 +29,18 @@ module Inspec::Resources private def run_command + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\;") out = cmd.stdout + "\n" + cmd.stderr - if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 instance/ || out.downcase =~ /^error:.*/ + # check if following specific error is there. Sourcing the db2profile to resolve the error. + if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") + elsif cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 instance/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" + else + cmd = inspec.command("#{@db2_executable_file_path} get database manager configuration") end - cmd = inspec.command("#{@db2_executable_file_path} get database manager configuration") out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb index df261837e..31a34c727 100644 --- a/lib/inspec/resources/ibmdb2_session.rb +++ b/lib/inspec/resources/ibmdb2_session.rb 
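Review bot: The fallback sources a hard-coded `~/sqllib/db2profile`, and `~` expands to the home of whichever account the InSpec transport logs in as, so when that account is not the instance owner the file is either missing or a different script than intended, and its contents run in the audit session. Taking the path from an option (for example a proposed `db2profile_path:`) would make the dependency explicit. The three commands are joined with `;`, so `cmd.exit_status` reflects only the last one and a failed `attach` is noticed only if its output matches `^error:`; joining with `&&` keeps the exit-status check meaningful. The ibmdb2_session.rb hunk of this commit adds the same fallback and has the same two issues. `run_command` continues past the end of the hunk.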
@@ -38,12 +38,16 @@ module Inspec::Resources # connect to the db cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\;") out = cmd.stdout + "\n" + cmd.stderr - if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ + # check if following specific error is there. Sourcing the db2profile to resolve the error. + if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") + elsif cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" + else + # query on the database + cmd = inspec.command("#{@db2_executable_file_path} #{q}\;") end - # query on the database - cmd = inspec.command("#{@db2_executable_file_path} #{q}\;") out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" From 12e3ee9aca03445a334e3c9d196c6c71e63cfa12 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 11 Aug 2021 20:33:15 +0530 Subject: [PATCH 376/483] Fix the command to query on the database 
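Review bot: `query(q)` places `q`, `@db_name`, `@db_instance` and the executable path into the shell line unquoted, both in the existing command and in the new `. ~/sqllib/db2profile` retry, so the shell interprets the SQL before db2 sees it. A `*` in a select list is glob-expanded, `<` or `>` in a predicate becomes a redirection, and a shell metacharacter in any of the values changes what command is run on the target. These values can arrive from profile inputs rather than from literals in the control, so each should be escaped, e.g. `#{@db2_executable_file_path} #{Shellwords.escape(q)}` with `require "shellwords"` at the top of the file (the mocked command keys in test/helpers/mock_loader.rb would have to match). The hunks that rebuild this command in PATCH 376 and PATCH 377 carry the same interpolation, and the PowerShell line added in PATCH 377 needs PowerShell quoting rather than Shellwords. `query` starts before this hunk and ends after it.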
Signed-off-by: Vasu1105 --- lib/inspec/resources/ibmdb2_conf.rb | 13 +++++-------- lib/inspec/resources/ibmdb2_session.rb | 18 +++++++----------- test/fixtures/cmd/ibmdb2_conf_output | 6 ++++++ test/fixtures/cmd/ibmdb2_connect_to_instance | 1 - test/fixtures/cmd/ibmdb2_db_connect_output | 1 - test/fixtures/cmd/ibmdb2_query_output | 13 +++++++++++++ test/helpers/mock_loader.rb | 6 ++---- 7 files changed, 33 insertions(+), 25 deletions(-) delete mode 100644 test/fixtures/cmd/ibmdb2_connect_to_instance delete mode 100644 test/fixtures/cmd/ibmdb2_db_connect_output diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb index f293e6c84..f795e8560 100644 --- a/lib/inspec/resources/ibmdb2_conf.rb +++ b/lib/inspec/resources/ibmdb2_conf.rb 
@@ -29,19 +29,16 @@ module Inspec::Resources private def run_command - - cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\;") + # attach to the db2 instance and get the configuration + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") out = cmd.stdout + "\n" + cmd.stderr + # check if following specific error is there. Sourcing the db2profile to resolve the error. if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ - cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") - elsif cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 instance/ || out.downcase =~ /^error:.*/ - raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" - else - cmd = inspec.command("#{@db2_executable_file_path} get database manager configuration") + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") + out = cmd.stdout + "\n" + cmd.stderr end - out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" else diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb index 31a34c727..d3c8cbe4a 100644 --- a/lib/inspec/resources/ibmdb2_session.rb +++ b/lib/inspec/resources/ibmdb2_session.rb 
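Review bot: Joining `attach to #{@db_instance}` and `get database manager configuration` with `;` makes `cmd.exit_status` reflect only the last command, and this hunk also removes the separate connection-error branch, so a failed attach no longer stops the check. If the attach fails and the second command still succeeds (presumably against whatever instance the environment defaults to), the resource would report configuration for an instance other than the one named in `db_instance`, and the audit result would look valid. Chaining with `&&` keeps the single round trip and preserves the failure: `"#{@db2_executable_file_path} attach to #{@db_instance} && #{@db2_executable_file_path} get database manager configuration"`. The attach/connect/query chain in the ibmdb2_session.rb hunk of this commit has the same shape, and `run_command` continues past this hunk.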
@@ -35,22 +35,18 @@ module Inspec::Resources def query(q) raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? - # connect to the db - cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\;") + # connect to the db and query on the database + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") out = cmd.stdout + "\n" + cmd.stderr + # check if following specific error is there. Sourcing the db2profile to resolve the error. if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ - cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") - elsif cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ - raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" - else - # query on the database - cmd = inspec.command("#{@db2_executable_file_path} #{q}\;") + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") + out = cmd.stdout + "\n" + cmd.stderr end - out = cmd.stdout + "\n" + cmd.stderr - if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ - raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" + if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ + raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" else Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}", cmd.exit_status) end 
diff --git a/test/fixtures/cmd/ibmdb2_conf_output b/test/fixtures/cmd/ibmdb2_conf_output index 8275f544f..2c4242601 100644 --- a/test/fixtures/cmd/ibmdb2_conf_output +++ b/test/fixtures/cmd/ibmdb2_conf_output @@ -1,3 +1,9 @@ +Instance Attachment Information + +Instance server = DB2/LINUXX8664 11.5.6.0\ +Authorization ID = DB2INST1\n Local instance alias = DB2INST1 + + Database Manager Configuration Node type = Enterprise Server Edition with local and remote clients diff --git a/test/fixtures/cmd/ibmdb2_connect_to_instance b/test/fixtures/cmd/ibmdb2_connect_to_instance deleted file mode 100644 index 992fe865d..000000000 --- a/test/fixtures/cmd/ibmdb2_connect_to_instance +++ /dev/null @@ -1 +0,0 @@ -"\n Instance Attachment Information\n\n Instance server = DB2/LINUXX8664 11.5.6.0\n Authorization ID = DB2INST1\n Local instance alias = DB2INST1\n\n" diff --git a/test/fixtures/cmd/ibmdb2_db_connect_output b/test/fixtures/cmd/ibmdb2_db_connect_output deleted file mode 100644 index 9cbcb68ed..000000000 --- a/test/fixtures/cmd/ibmdb2_db_connect_output +++ /dev/null @@ -1 +0,0 @@ -"\n Instance Attachment Information\n\n Instance server = DB2/LINUXX8664 11.5.6.0\n Authorization ID = DB2INST1\n Local instance alias = DB2INST1\n\n\n Database Connection Information\n\n Database server = DB2/LINUXX8664 11.5.6.0\n SQL authorization ID = DB2INST1\n Local database alias = SAMPLE\n\n" diff --git a/test/fixtures/cmd/ibmdb2_query_output b/test/fixtures/cmd/ibmdb2_query_output index d8efd7499..fc4912ad4 100644 --- a/test/fixtures/cmd/ibmdb2_query_output +++ b/test/fixtures/cmd/ibmdb2_query_output 
@@ -1,3 +1,16 @@ +Instance Attachment Information + +Instance server = DB2/LINUXX8664 11.5.6.0 +Authorization ID = DB2INST1\n Local instance alias = DB2INST1 + + +Database Connection Information + +Database server = DB2/LINUXX8664 11.5.6.0 +SQL authorization ID = DB2INST1 +Local database alias = SAMPLE + + ROLENAME -------------------------------------------------------------------------------------------------------------- SYSTS_ADM diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index decc59685..a2b42aeda 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -585,10 +585,8 @@ class MockLoader "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), # ibmdb2 - "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1;" => cmd.call("ibmdb2_connect_to_instance"), - "/opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), - "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 connect to sample;" => cmd.call("ibmdb2_db_connect_output"), - "/opt/ibm/db2/V11.5/bin/db2 select rolename from syscat.roleauth;" => cmd.call("ibmdb2_query_output"), + "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), + "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 connect to sample; /opt/ibm/db2/V11.5/bin/db2 select rolename from syscat.roleauth;" => cmd.call("ibmdb2_query_output"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") From 10d96ece3feaa2b97fb9351d9c97f02b2e09e2f4 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 12 Aug 2021 16:25:11 +0530 Subject: [PATCH 377/483] Add windows platform support for ibmdb2_conf and ibmdb2_session resource 
Signed-off-by: Vasu1105 --- lib/inspec/resources/ibmdb2_conf.rb | 28 +++++++++++------ lib/inspec/resources/ibmdb2_session.rb | 36 ++++++++++++++-------- test/helpers/mock_loader.rb | 2 ++ test/unit/resources/ibmdb2_conf_test.rb | 6 ++++ test/unit/resources/ibmdb2_session_test.rb | 12 ++++++++ 5 files changed, 61 insertions(+), 23 deletions(-) diff --git a/lib/inspec/resources/ibmdb2_conf.rb b/lib/inspec/resources/ibmdb2_conf.rb index f795e8560..c013b0631 100644 --- a/lib/inspec/resources/ibmdb2_conf.rb +++ b/lib/inspec/resources/ibmdb2_conf.rb @@ -3,6 +3,7 @@ module Inspec::Resources name "ibmdb2_conf" supports platform: "unix" + supports platform: "windows" desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database." example <<~EXAMPLE @@ -15,10 +16,11 @@ module Inspec::Resources attr_reader :output def initialize(opts = {}) - @db2_executable_file_path = opts[:db2_executable_file_path] - @db_instance = opts[:db_instance] - raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil? - + if inspec.os.platform?("unix") + @db2_executable_file_path = opts[:db2_executable_file_path] + @db_instance = opts[:db_instance] + raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil? + end @output = run_command end 
@@ -30,19 +32,25 @@ module Inspec::Resources def run_command # attach to the db2 instance and get the configuration - cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") - out = cmd.stdout + "\n" + cmd.stderr + if inspec.os.platform?("unix") + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") + out = cmd.stdout + "\n" + cmd.stderr - # check if following specific error is there. Sourcing the db2profile to resolve the error. - if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ - cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") + # check if following specific error is there. Sourcing the db2profile to resolve the error. + if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration") + out = cmd.stdout + "\n" + cmd.stderr + end + elsif inspec.os.platform?("windows") + # set-item command set the powershell to run the db2 commands. + cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 get database manager configuration") out = cmd.stdout + "\n" + cmd.stderr end if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}" else - cmd.stdout.gsub(/\n/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") } + cmd.stdout.gsub(/\n|\r/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") } end end end 
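Review bot: The parsing line changed here ends in `.map { |n| n.strip.gsub!(/\s+/, " ") }`, and `gsub!` returns nil when it substitutes nothing, so any output line that is a single token or consists only of spaces becomes a `nil` entry in `output`. With `\r` now in the split set this path also handles Windows output, so the non-bang form is the safer choice: `.map { |n| n.strip.gsub(/\s+/, " ") }`, followed by `.reject(&:empty?)`. Converting newlines to `,` and splitting on `,` also breaks any configuration value that itself contains a comma; `cmd.stdout.split(/[\r\n]+/)` avoids that. `run_command` starts before this hunk.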
diff --git a/lib/inspec/resources/ibmdb2_session.rb b/lib/inspec/resources/ibmdb2_session.rb index d3c8cbe4a..a95b49e5b 100644 --- a/lib/inspec/resources/ibmdb2_session.rb +++ b/lib/inspec/resources/ibmdb2_session.rb @@ -1,11 +1,10 @@ module Inspec::Resources class Lines - attr_reader :output, :exit_status + attr_reader :output - def initialize(raw, desc, exit_status) + def initialize(raw, desc) @output = raw @desc = desc - @exit_status = exit_status end def to_s @@ -17,6 +16,7 @@ module Inspec::Resources name "ibmdb2_session" supports platform: "unix" + supports platform: "windows" desc "Use the ibmdb2_session InSpec audit resource to test SQL commands run against a IBM Db2 database." example <<~EXAMPLE 
@@ -26,29 +26,39 @@ module Inspec::Resources EXAMPLE def initialize(opts = {}) - @db2_executable_file_path = opts[:db2_executable_file_path] - @db_instance = opts[:db_instance] @db_name = opts[:db_name] - raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil? + if inspec.os.platform?("unix") + @db2_executable_file_path = opts[:db2_executable_file_path] + @db_instance = opts[:db_instance] + raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil? + elsif inspec.os.platform?("windows") + raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db_name option provided." if @db_name.nil? + end end def query(q) raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? - # connect to the db and query on the database - cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") - out = cmd.stdout + "\n" + cmd.stderr + if inspec.os.platform?("unix") + # connect to the db and query on the database + cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") + out = cmd.stdout + "\n" + cmd.stderr - # check if following specific error is there. Sourcing the db2profile to resolve the error. - if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ - cmd = inspec.command(". 
~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") + # check if following specific error is there. Sourcing the db2profile to resolve the error. + if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved. Reason code: "3"/ + cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;") + out = cmd.stdout + "\n" + cmd.stderr + end + elsif inspec.os.platform?("windows") + # set-item command set the powershell to run the db2 commands. + cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;") out = cmd.stdout + "\n" + cmd.stderr end if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}" else - Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}", cmd.exit_status) + Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}") end end diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index a2b42aeda..8e1bd91c8 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -587,6 +587,8 @@ class MockLoader # ibmdb2 "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 connect to sample; /opt/ibm/db2/V11.5/bin/db2 select rolename from syscat.roleauth;" => cmd.call("ibmdb2_query_output"), + "set-item -path env:DB2CLP -value \"**$$**\"; db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), + "set-item -path env:DB2CLP -value \"**$$**\"; db2 connect to sample; db2 select rolename from syscat.roleauth;" => cmd.call("ibmdb2_query_output"), } if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd") diff --git a/test/unit/resources/ibmdb2_conf_test.rb b/test/unit/resources/ibmdb2_conf_test.rb index fac0deef7..f97770916 100644 --- a/test/unit/resources/ibmdb2_conf_test.rb +++ b/test/unit/resources/ibmdb2_conf_test.rb @@ -15,6 +15,12 @@ describe "Inspec::Resources::ibmdb2_conf" do _(resource.resource_exception_message).must_equal "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." end + it "verify ibmdb2_conf on windows" do + resource = MockLoader.new(:windows).load_resource("ibmdb2_conf") + _(resource.resource_failed?).must_equal false + _(resource.output).must_be_kind_of Array + end + it "return the output in array format" do resource = load_resource("ibmdb2_conf", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") _(resource.resource_failed?).must_equal false diff --git a/test/unit/resources/ibmdb2_session_test.rb b/test/unit/resources/ibmdb2_session_test.rb index 80c5c66a2..00cd0a2a0 100644 --- a/test/unit/resources/ibmdb2_session_test.rb +++ b/test/unit/resources/ibmdb2_session_test.rb 
@@ -21,6 +21,18 @@ describe "Inspec::Resources::ibmdb2_session" do _(resource.resource_exception_message).must_equal "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." end + it "fails when no IBM db2 database name is provided on Windows" do + resource = MockLoader.new(:windows).load_resource("ibmdb2_session") + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run IBM DB2 queries without db_name option provided." + end + + it "verify ibmdb2_conf on windows" do + resource = MockLoader.new(:windows).load_resource("ibmdb2_session", db_name: "sample") + _(resource.resource_failed?).must_equal false + _(resource.query("select rolename from syscat.roleauth").output).must_match(/SYSTS_ADM/) + end + it "returns expected result" do resource = load_resource("ibmdb2_session", db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1", db_name: "sample") _(resource.resource_failed?).must_equal false From 084f6b1f2b9f4b56716cbc4dc0a5c07db07dc4b5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Mon, 16 Aug 2021 11:41:43 +0530 Subject: [PATCH 378/483] Updated docs for Windows example Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/ibmdb2_conf.md | 11 +++++++++-- .../content/inspec/resources/ibmdb2_session.md | 10 ++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md index 7e22109a3..83e03cf38 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md 
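Review bot: The second test added here is titled `verify ibmdb2_conf on windows` but loads `ibmdb2_session` and runs a query, so a failure would be reported under the wrong resource name; `it "runs a query on windows" do` would describe it. None of the tests visible in this series exercise the `SQL10007N ... Reason code: "3"` retry that sources `db2profile`, so that branch is not covered by the mocked commands shown here.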
@@ -29,11 +29,18 @@ A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} end +Windows + + describe ibmdb2_conf do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} + end + where - `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect. -- `db2_executable_file_path` is the path of the db2 binary file. -- `db_instance` is the name of the database instance. +- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required. +- `db_instance` is the name of the database instance. For Windows this is not required. - `its("output") { should include("expected_settings")}` compares the results of the output against the expected result in the test. ## Examples diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_session.md b/docs-chef-io/content/inspec/resources/ibmdb2_session.md index 53664954c..fb7036487 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_session.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_session.md 
@@ -28,11 +28,17 @@ A `ibmdb2_session` resource block declares the db2_executable_file_path, db_inst its("output") { should match(/SYSTS_MGR/) } end +Windows + + describe ibmdb2_session(db_name: "sample").query("select rolename from syscat.roleauth") do + its("output") { should match(/SYSTS_MGR/) } + end + where - `ibmdb2_session` declares a db2_executable_file_path, db_instance and db_name to connect. -- `db2_executable_file_path` is the path of the db2 binary file. -- `db_instance` is the name of the database instance. +- `db2_executable_file_path` is the path of the db2 binary file. For Windows this is not required. +- `db_instance` is the name of the database instance. For Windows this is not required. - `db_name` is the name of the database to query on. - `query('QUERY')` contains the query to be run. - `its('output') { should eq(/expected-result/) }` compares the results of the query against the expected result in the test. From 06bb90244d466abd3c83a13a9819d38b942fcb35 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 31 Aug 2021 15:37:54 +0530 Subject: [PATCH 379/483] Update code to remove ruby 2.4 support Signed-off-by: Vasu1105 --- support/rebuild_inspec_test_fixture_plugin.sh | 2 +- test/functional/inspec_exec_test.rb | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/support/rebuild_inspec_test_fixture_plugin.sh b/support/rebuild_inspec_test_fixture_plugin.sh index 00a67456a..9e9811706 100755 --- a/support/rebuild_inspec_test_fixture_plugin.sh +++ b/support/rebuild_inspec_test_fixture_plugin.sh @@ -10,7 +10,7 @@ FIXTURE_BASE=test/fixtures/config_dirs FIXTURE_VERSIONS="1 2" # The format here is ", <"" -RUBY_VERSIONS="2.4.5,2.4.0 2.5.3,2.5.0 2.6.2,2.6.0" +RUBY_VERSIONS="2.5.3,2.5.0 2.6.2,2.6.0" # Make two fresh gems cd $PLUGIN_SRC_DIR diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index f1872ff4a..374767d4e 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
@@ -962,8 +962,7 @@ Test Summary: 2 successful, 0 failures, 0 skipped\n" describe "when specifying the execution target" do let(:local_plat) do json = run_inspec_process("detect --format json", {}).stdout - # .slice is available in ruby 2.5+ - JSON.parse(json).select { |k, v| %w{name release}.include? k } + JSON.parse(json).slice("name", "release") end let(:run_result) { run_inspec_process("exec " + File.join(profile_path, "simple-metadata") + " " + cli_args, json: true) } let(:seen_platform) { run_result; @json["platform"].select { |k, v| %w{name release target_id}.include? k } } From 5b5a1a1438ec2860b917eb9d6fcd4219ee3c9eaf Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 1 Sep 2021 18:04:29 +0530 Subject: [PATCH 380/483] Removed comments which are not applicable now Signed-off-by: Vasu1105 --- lib/inspec/run_data/profile.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/inspec/run_data/profile.rb b/lib/inspec/run_data/profile.rb index c653b04c5..ff6aa8950 100644 --- a/lib/inspec/run_data/profile.rb +++ b/lib/inspec/run_data/profile.rb @@ -49,7 +49,6 @@ module Inspec end class Profile - # Good candidate for keyword_init, but that is not in 2.4 Dependency = Struct.new( :name, :path, :status, :status_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path ) do @@ -71,7 +70,6 @@ module Inspec end end - # Good candidate for keyword_init, but that is not in 2.4 Group = Struct.new( :title, :controls, :id ) do From 316d8b0a797d9f1583fb1730b0a86f65824ba676 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 1 Sep 2021 23:42:17 +0000 Subject: [PATCH 381/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 53 +++++++++++++++++++++++++--------------------------- Dockerfile | 2 +- 2 files changed, 26 insertions(+), 29 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69ba0991b..140b35f87 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md 
@@ -1,37 +1,35 @@ # Change Log - -## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01) - -#### Merged Pull Requests -- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) + - -### Changes since 4.41.2 release - -#### Merged Pull Requests -- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) -- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) -- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) -- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) -- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) -- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) -- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) -- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) -- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) -- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) -- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) 
([elsnepal](https://github.com/elsnepal)) -- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) -- Fix postgres_session error Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) -- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) -- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) -- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) -- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) -- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) + +## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01) + +#### Merged Pull Requests +- Build fix for ruby version 2.5 - HTML Proofer gem installation error [#5610](https://github.com/inspec/inspec/pull/5610) ([Nik08](https://github.com/Nik08)) +- Fix range based filtering in filter tables [#5598](https://github.com/inspec/inspec/pull/5598) ([Nik08](https://github.com/Nik08)) +- Fix apache_conf issue when Server Root is not present in configuration [#5601](https://github.com/inspec/inspec/pull/5601) ([Nik08](https://github.com/Nik08)) +- Fix `--insecure` not working with profile [#5600](https://github.com/inspec/inspec/pull/5600) ([Nik08](https://github.com/Nik08)) +- Fix `--chef-license=accept` option to only show license accepted message [#5609](https://github.com/inspec/inspec/pull/5609) ([Nik08](https://github.com/Nik08)) +- Fix postgres_session error 
Unable to connect to database [#5619](https://github.com/inspec/inspec/pull/5619) ([Vasu1105](https://github.com/Vasu1105)) +- Fix merging of included conf and main conf params in apache conf [#5623](https://github.com/inspec/inspec/pull/5623) ([Nik08](https://github.com/Nik08)) +- Add aliyun3 support to service resource [#5578](https://github.com/inspec/inspec/pull/5578) ([elsnepal](https://github.com/elsnepal)) +- Fedora runtime support documented [#5628](https://github.com/inspec/inspec/pull/5628) ([Nik08](https://github.com/Nik08)) +- Updated inspec-aws git url to replace branch to master to main [#5637](https://github.com/inspec/inspec/pull/5637) ([Vasu1105](https://github.com/Vasu1105)) +- Replace use of wmic from security_identifier resource as it will be deprecated soon [#5636](https://github.com/inspec/inspec/pull/5636) ([Vasu1105](https://github.com/Vasu1105)) +- Updated security_policy resource docs [#5633](https://github.com/inspec/inspec/pull/5633) ([Vasu1105](https://github.com/Vasu1105)) +- Added info about the Minitest framework in contributing doc [#5630](https://github.com/inspec/inspec/pull/5630) ([Nik08](https://github.com/Nik08)) +- Fix for security_policy resource does not return array for local groups [#5629](https://github.com/inspec/inspec/pull/5629) ([Vasu1105](https://github.com/Vasu1105)) +- Proposed implementation for installation warnings [#5625](https://github.com/inspec/inspec/pull/5625) ([tecracer-theinen](https://github.com/tecracer-theinen)) +- Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) +- Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) + + ## 
[v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16) #### New Features @@ -45,7 +43,6 @@ - Filter active controls in profile by tags [#5596](https://github.com/inspec/inspec/pull/5596) ([Nik08](https://github.com/Nik08)) - Remove empty .gitmodules file [#5616](https://github.com/inspec/inspec/pull/5616) ([tduffield](https://github.com/tduffield)) - Fix the typo in documentation file for opa_api resource [#5608](https://github.com/inspec/inspec/pull/5608) ([Vasu1105](https://github.com/Vasu1105)) - ## [v4.38.9](https://github.com/inspec/inspec/tree/v4.38.9) (2021-07-22) diff --git a/Dockerfile b/Dockerfile index a827507f9..ebaa58b7c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.41.2 +ARG VERSION=4.41.20 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From aa72a9be6b4c0496489baf5e0e33796cd3bc0e88 Mon Sep 17 00:00:00 2001 From: jayashri garud Date: Thu, 2 Sep 2021 16:17:15 +0530 Subject: [PATCH 382/483] Replace deprecated --without flag with bundle config Signed-off-by: jayashri garud --- .expeditor/buildkite/verify.ps1 | 3 ++- .expeditor/buildkite/verify.sh | 3 ++- .expeditor/buildkite/wwwrelease.sh | 3 ++- omnibus/Gemfile | 2 +- omnibus/README.md | 3 ++- omnibus/config/software/inspec.rb | 3 ++- 6 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.expeditor/buildkite/verify.ps1 b/.expeditor/buildkite/verify.ps1 index 62a52ee5e..980a1875d 100644 --- a/.expeditor/buildkite/verify.ps1 +++ b/.expeditor/buildkite/verify.ps1 @@ -5,7 +5,8 @@ ruby -v bundle --version echo "--- bundle install" -bundle install --jobs=7 --retry=3 --without tools maintenance deploy +bundle config set --local without tools maintenance deploy +bundle install --jobs=7 --retry=3 echo "+++ bundle exec rake test:parallel" bundle exec rake test:parallel K=4 
diff --git a/.expeditor/buildkite/verify.sh b/.expeditor/buildkite/verify.sh index c18162c6f..e79ac1a81 100755 --- a/.expeditor/buildkite/verify.sh +++ b/.expeditor/buildkite/verify.sh @@ -25,7 +25,8 @@ pull_bundle echo "--- bundle" bundle config --local path vendor/bundle -bundle install --jobs=7 --retry=3 --without tools maintenance deploy +bundle config set --local without tools maintenance deploy +bundle install --jobs=7 --retry=3 echo "--- push bundle cache" push_bundle diff --git a/.expeditor/buildkite/wwwrelease.sh b/.expeditor/buildkite/wwwrelease.sh index cf97147bc..692fbc693 100755 --- a/.expeditor/buildkite/wwwrelease.sh +++ b/.expeditor/buildkite/wwwrelease.sh @@ -7,7 +7,8 @@ set -ue echo "--- bundle install" cd www -bundle install --jobs=7 --retry=3 --without tools maintenance deploy +bundle config set --local without tools maintenance deploy +bundle install --jobs=7 --retry=3 echo "+++ bundle exec rake" bundle exec rake www V=1 PUSH=1 diff --git a/omnibus/Gemfile b/omnibus/Gemfile index c502ee31f..c197bea35 100644 --- a/omnibus/Gemfile +++ b/omnibus/Gemfile @@ -9,7 +9,7 @@ gem "ffi", ">= 1.9.14", "!= 1.13.0" # This development group is installed by default when you run `bundle install`, # but if you are using Omnibus in a CI-based infrastructure, you do not need # the Test Kitchen-based build lab. You can skip these unnecessary dependencies -# by running `bundle install --without development` to speed up build times. +# by running `bundle config set --local without development` to speed up build times. group :development do # Use Berkshelf for resolving cookbook dependencies gem "berkshelf", ">= 7.0" diff --git a/omnibus/README.md b/omnibus/README.md index 4f2ef2108..7ba6618a6 100644 --- a/omnibus/README.md +++ b/omnibus/README.md 
@@ -121,7 +121,8 @@ $ bundle exec kitchen converge i386``` # Now inside the kitchen vm, open a cmd/ps shell $ C:\vagrant\load-omnibus-toolchain.ps1 # (or .bar if you're on cmd) $ cd C:\vagrant\code\inspec\omnibus -$ bundle install --without development +$ bundle config set --local without development +$ bundle install $ bundle exec omnibus build inspec -l debug # If you get a 'can't sign this msi because I don't have a key to do so' error diff --git a/omnibus/config/software/inspec.rb b/omnibus/config/software/inspec.rb index 8216f8cc0..d94e667f7 100644 --- a/omnibus/config/software/inspec.rb +++ b/omnibus/config/software/inspec.rb @@ -35,7 +35,8 @@ build do # We bundle install to ensure the versions of gems we are going to # appbundle-lock to are definitely installed - bundle "install --without test integration tools maintenance", env: env + bundle "config set --local without test integration tools maintenance", env: env + bundle "install", env: env gem "build #{name}-core.gemspec", env: env gem "install #{name}-core*.gem --no-document", env: env From 89957e51a4a1080a22a1c6f74f94acf82788bb4c Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Fri, 3 Sep 2021 10:37:15 -0700 Subject: [PATCH 383/483] Docs edits Signed-off-by: Ian Maddaus --- docs-chef-io/content/inspec/cli.md | 2 +- docs-chef-io/content/inspec/resources/apache_conf.md | 2 +- docs-chef-io/content/inspec/resources/security_policy.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 4e8185ccf..2ab0d0446 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md 
@@ -337,7 +337,7 @@ This subcommand has additional options: * ``--target-id=TARGET_ID`` Provide a ID which will be included on reports * ``--tags=one two three`` - A list of tags, a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags. + A list of tags or a list of regular expressions that match tags. `exec` will run controls referenced by the listed or matching tags. * ``--user=USER`` The login user for a remote scan. * ``--vendor-cache=VENDOR_CACHE`` diff --git a/docs-chef-io/content/inspec/resources/apache_conf.md b/docs-chef-io/content/inspec/resources/apache_conf.md index 44d1d3653..bfae0d2d9 100644 --- a/docs-chef-io/content/inspec/resources/apache_conf.md +++ b/docs-chef-io/content/inspec/resources/apache_conf.md @@ -21,7 +21,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ### Requirements -`ServerRoot` should be included in a apache conf file. If not present the included configs will not be accessible to the resource. +`ServerRoot` must be included in an Apache configuration file. If not present, the included configurations will not be accessible to the resource. ### Version diff --git a/docs-chef-io/content/inspec/resources/security_policy.md b/docs-chef-io/content/inspec/resources/security_policy.md index d30353a1e..3afc3f577 100644 --- a/docs-chef-io/content/inspec/resources/security_policy.md +++ b/docs-chef-io/content/inspec/resources/security_policy.md @@ -39,7 +39,7 @@ where - `'policy_name'` must specify a security policy - `{ should eq 'value' }` tests the value of `policy_name` against the value declared in the test -- `translate_sid` converts the SID into human readable SID name if true. Default value is false. +- `translate_sid` converts the security identifier (SID) into a human readable SID name if `true`. Default value is `false`. ## Examples From 7f6c1c13a964df25e4e9b1a00ae299b41a535cdc Mon Sep 17 00:00:00 2001 
From: Ian Maddaus
Date: Fri, 3 Sep 2021 11:25:25 -0700
Subject: [PATCH 384/483] Add labeler workflow with docs label
Signed-off-by: Ian Maddaus
---
.github/labeler.yml | 3 +++
.github/workflows/labeler.yml | 11 +++++++++++
2 files changed, 14 insertions(+)
create mode 100644 .github/labeler.yml
create mode 100644 .github/workflows/labeler.yml
diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 000000000..e9e57d36c
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,3 @@
+documentation:
+ - 'docs-chef-io/**/*'
+
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 000000000..4415f0010
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,11 @@
+name: "Pull Request Labeler"
+on:
+ - pull_request_target
+
+jobs:
+ triage:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@main
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
From dc33c0b541ef4f1fc84522a8110d3896e33c416a Mon Sep 17 00:00:00 2001
From: Deepa Kumaraswamy
Date: Tue, 7 Sep 2021 15:26:07 +0530
Subject: [PATCH 385/483] 5426 changes
Signed-off-by: Deepa Kumaraswamy
---
.../resources/google_project_alert_policy.md | 20 +++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md
index 29830a1e8..e6c67bdfe 100644
--- a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md
+++ b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md
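Review bot: The new workflow in .github/workflows/labeler.yml triggers on `pull_request_target` and references `actions/labeler@main`, a mutable branch, so whatever that branch holds at run time executes with this repository's token. Pin the action to a release tag or, better, a full commit SHA (`uses: actions/labeler@<commit-sha>`), and add a `permissions:` block limited to what labelling needs, `contents: read` and `pull-requests: write`, rather than relying on the repository default. The job does not check out pull-request code, which is the right shape for this trigger. A comment above `steps:` saying so, for example `# pull_request_target: never check out or run code from the PR head here`, would keep a later edit from adding one.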
@@ -32,15 +32,15 @@ end ### Test that a GCP alert policy is enabled - describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do - it { should be_enabled } - end +describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do + it { should be_enabled } +end ### Test that a GCP compute alert policy display name is correct - describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do - its('display_name') { should eq 'policy name' } - end +describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do + its('display_name') { should eq 'policy name' } +end ## Properties @@ -55,11 +55,11 @@ Properties that can be accessed from the `google_project_alert_policy` resource: `combiner` : How to combine the results of multiple conditions to determine if an incident should be opened. - Possible values: +Possible values: - - AND - - OR - - AND_WITH_MATCHING_RESOURCE +- AND +- OR +- AND_WITH_MATCHING_RESOURCE `creation_record` : A read-only record of the creation of the alerting policy. If provided in a call to create or update, this field will be ignored. From 2fcbf7d82ea9a9dcb8d4a88e19bf68bb9206c3cc Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 15:33:28 +0530 Subject: [PATCH 386/483] #5426 edits Signed-off-by: Deepa Kumaraswamy --- .../inspec/resources/google_project_alert_policy.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md index 4faebc004..e45fb7832 100644 --- a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md +++ b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md 
@@ -32,15 +32,15 @@ end ### Test that a GCP alert policy is enabled - describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do - it { should be_enabled } - end +describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do + it { should be_enabled } +end ### Test that a GCP compute alert policy display name is correct - describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do - its('display_name') { should eq 'policy name' } - end +describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do + its('display_name') { should eq 'policy name' } +end ## Properties From 9656dde3200ebb8c7cadf75ec3b18012b0f1d8d1 Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 16:21:39 +0530 Subject: [PATCH 387/483] #5561 changes Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/sybase_conf.md | 23 ++++---- .../inspec/resources/sybase_session.md | 54 +++++++++---------- 2 files changed, 37 insertions(+), 40 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/sybase_conf.md b/docs-chef-io/content/inspec/resources/sybase_conf.md index b3011e7db..bbc2c04b5 100644 --- a/docs-chef-io/content/inspec/resources/sybase_conf.md +++ b/docs-chef-io/content/inspec/resources/sybase_conf.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `sybase_conf` Chef InSpec audit resource to test configuration of a Sybase / SAP ASE database. +Use the `sybase_conf` Chef InSpec audit resource to test the configuration of a Sybase / SAP ASE database. ## Availability 
@@ -29,16 +29,16 @@ You must have access to a database user that has access to the `sa` role on the A `sybase_conf` resource block declares the configuration item name, server, and password to use. - describe sybase_session('config item', server: 'SYBASE', password: 'password') do - its('run_value') { should cmp 'expected' } - its('config_value') { should cmp 'expected' } - end +describe sybase_session('config item', server: 'SYBASE', password: 'PASSWORD') do + its('run_value') { should cmp 'EXPECTED' } + its('config_value') { should cmp 'EXPECTED' } +end where - `sybase_conf` declares a config item, server, and password with permission to run `sp_configure`. -- `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value -- `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value +- `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value. +- `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value. ### Optional Parameters @@ -60,12 +60,11 @@ The following examples show how to use this Chef InSpec audit resource. ### Test for max memory configuration - describe sybase_session('max memory', server: 'SYBASE', password: 'password') do - its('run_value') { should cmp 180224 } - its('config_value') { should cmp 180224 } - end +describe sybase_session('max memory', server: 'SYBASE', password: 'PASSWORD') do + its('run_value') { should cmp 180224 } + its('config_value') { should cmp 180224 } +end ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). - diff --git a/docs-chef-io/content/inspec/resources/sybase_session.md b/docs-chef-io/content/inspec/resources/sybase_session.md index df8768863..bf9e2bd65 100644 
--- a/docs-chef-io/content/inspec/resources/sybase_session.md +++ b/docs-chef-io/content/inspec/resources/sybase_session.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `sybase_session` Chef InSpec audit resource to test SQL commands run against a Sybase / SAP ASE database. +Use the `sybase_session` Chef InSpec audit resource to test the SQL commands run against a Sybase / SAP ASE database. ## Availability @@ -27,15 +27,15 @@ The `isql` command line tool must be installed on the target system. A `sybase_session` resource block declares the server, database, username and password to use for the session, and then the command to be run: - describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'username', password: 'password').query('QUERY').row(0).column('result') do - its('value') { should eq('expected') } - end +describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'USERNAME', password: 'PASSWORD').query('QUERY').row(0).column('RESULT') do + its('value') { should eq('EXPECTED') } +end where - `sybase_session` declares a server, database, username and password with permission to run the query. -- `query('QUERY')` contains the query to be run -- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test +- `query('QUERY')` contains the query to be run. +- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test. ### Optional Parameters 
@@ -43,28 +43,27 @@ where You may use the `bin` parameter to specify the path to the `isql` cli tool. - describe sybase_session(database: 'pubs2', - server: 'SYBASE', - username: 'username', - password: 'password', - bin: '/opt/sap/OCS-16_0/bin/isql', - ).query('QUERY').row(0).column('result') do - its('value') { should eq('expected') } - end - +describe sybase_session(database: 'pubs2', + server: 'SYBASE', + username: 'USERNAME', + password: 'PASSWORD', + bin: '/opt/sap/OCS-16_0/bin/isql', + ).query('QUERY').row(0).column('RESULT') do + its('value') { should eq('EXPECTED') } +end #### sybase_home You may use the `sybase_home` parameter to specify the path to the sybase installation. - describe sybase_session(database: 'pubs2', - server: 'SYBASE', - username: 'username', - password: 'password', - sybase_home: '/opt/sap', - ).query('QUERY').row(0).column('result') do - its('value') { should eq('expected') } - end +describe sybase_session(database: 'pubs2', + server: 'SYBASE', + username: 'USERNAME', + password: 'PASSWORD', + sybase_home: '/opt/sap', + ).query('QUERY').row(0).column('RESULT') do + its('value') { should eq('EXPECTED') } +end ## Examples @@ -72,13 +71,12 @@ The following examples show how to use this Chef InSpec audit resource. ### Test for matching values in the pubs2 sample database - sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'my_user', password: 'password') +sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'MY_USER', password: 'PASSWORD') - describe sql.query("SELECT au_lname FROM authors").row(0).column('au_lname') do - its("value") { should eq 'Bennet' } - end +describe sql.query("SELECT au_lname FROM authors").row(0).column('AU_LNAME') do + its("value") { should eq 'BENNET' } +end ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). - From 1d8b19fa98a7563cdca06590506e7b957e079cd7 Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Tue, 7 Sep 2021 16:49:30 +0530 Subject: [PATCH 388/483] Fix --tags filter for dependent profiles Signed-off-by: Nikita Mathur --- lib/inspec/control_eval_context.rb | 48 +++++++++---------- lib/inspec/dsl.rb | 13 +++-- .../profile_a/controls/example.rb | 2 + .../profile_b/controls/example.rb | 4 +- .../profile_c/controls/example.rb | 1 + test/functional/inspec_exec_test.rb | 47 ++++++++++++++++++ 6 files changed, 87 insertions(+), 28 deletions(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 5ad3f885f..678873fae 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -189,6 +189,30 @@ module Inspec @skip_file = true end + # Check if the given control exist in the --tags option + def tag_exist_in_control_tags?(tag_ids) + tag_option_matches_with_list = false + if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist? + tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty? + unless tag_option_matches_with_list + @conf["profile"].include_tags_list.any? do |inclusion| + # Try to see if the inclusion is a regex, and if it matches + if inclusion.is_a?(Regexp) + tag_ids.each do |id| + tag_option_matches_with_list = (inclusion =~ id) + break if tag_option_matches_with_list + end + end + end + end + end + tag_option_matches_with_list + end + + def tags_list_empty? + !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? + end + private def block_location(block, alternate_caller) @@ -214,10 +238,6 @@ module Inspec !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty? end - def tags_list_empty? - !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? - end - # Check if the given control exist in the --controls option def control_exist_in_controls_list?(id) id_exist_in_list = false 
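Review bot: In `tag_exist_in_control_tags?` the regex branch can drop controls that should run. The outer `any?` block returns the value of `tag_ids.each`, which is the truthy array whenever a pattern matches nothing, so iteration stops at the first non-matching regex, and a later non-matching regex overwrites an earlier match with nil. The guard also calls `tag_ids.empty?` before `tag_ids.nil?`, so a nil argument raises before the nil check is reached. For a compliance run this means a `--tags` filter with more than one pattern can silently skip controls, so I would rewrite the method to return a plain boolean as below and give it a docstring stating that literal tags are compared by equality and Regexp entries by match. The method is complete within the hunk; `profile_tag_config_exist?` is defined outside it.

```ruby
def tag_exist_in_control_tags?(tag_ids)
  return false if tag_ids.nil? || tag_ids.empty? || !profile_tag_config_exist?

  wanted = @conf["profile"].include_tags_list
  # Literal tags: any overlap between the control's tags and the requested list.
  return true unless (tag_ids & wanted).empty?

  # Regexp entries: true as soon as one pattern matches one tag.
  wanted.any? do |inclusion|
    inclusion.is_a?(Regexp) && tag_ids.any? { |id| inclusion =~ id }
  end
end
```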
@@ -229,25 +249,5 @@ module Inspec end id_exist_in_list end - - # Check if the given control exist in the --tags option - def tag_exist_in_control_tags?(tag_ids) - tag_option_matches_with_list = false - if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist? - tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty? - unless tag_option_matches_with_list - @conf["profile"].include_tags_list.any? do |inclusion| - # Try to see if the inclusion is a regex, and if it matches - if inclusion.is_a?(Regexp) - tag_ids.each do |id| - tag_option_matches_with_list = (inclusion =~ id) - break if tag_option_matches_with_list - end - end - end - end - end - tag_option_matches_with_list - end end end diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index 00beb82f4..8e53dfbd5 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb 
@@ -93,22 +93,29 @@ module Inspec::DSL context = dep_entry.profile.runner_context # if we don't want all the rules, then just make 1 pass to get all rule_IDs # that we want to keep from the original - filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all] + filter_included_controls(context, dep_entry.profile, opts, &block) if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) + # interpret the block and skip/modify as required context.load(block) if block_given? bind_context.add_subcontext(context) end - def self.filter_included_controls(context, profile, &block) + def self.filter_included_controls(context, profile, opts, &block) mock = Inspec::Backend.create(Inspec::Config.mock) include_ctx = Inspec::ProfileContext.for_profile(profile, mock) include_ctx.load(block) if block_given? + include_ctx.control_eval_context.instance_variable_set(:@conf, opts[:conf]) + control_eval_ctx = include_ctx.control_eval_context # remove all rules that were not registered context.all_rules.each do |r| id = Inspec::Rule.rule_id(r) fid = Inspec::Rule.profile_id(r) + "/" + id - unless include_ctx.rules[id] || include_ctx.rules[fid] + if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid]) context.remove_rule(fid) + elsif !control_eval_ctx.tags_list_empty? + # filter included controls using --tags + tag_ids = control_eval_ctx.control_tags(r) + context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids) end end end diff --git a/test/fixtures/profiles/dependencies/profile_a/controls/example.rb b/test/fixtures/profiles/dependencies/profile_a/controls/example.rb index e59adc568..0eca4569e 100644 --- a/test/fixtures/profiles/dependencies/profile_a/controls/example.rb +++ b/test/fixtures/profiles/dependencies/profile_a/controls/example.rb 
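Review bot: The new condition on the `filter_included_controls` call reads `opts[:conf]["profile"].include_tags_list` with no guard, while `tags_list_empty?` in control_eval_context.rb checks `@conf.empty?` and `@conf.key?("profile")` before touching the same list. If any caller reaches this line without a `:conf` entry or without a `"profile"` key (the callers are not visible here, so this is an assumption), the include fails with NoMethodError instead of loading the dependency. I would compute the flag once with the same guards, `conf = opts[:conf]` then `tags_requested = conf && !conf.empty? && conf.key?("profile") && !conf["profile"].include_tags_list.empty?`, and call the filter `if !opts[:include_all] || tags_requested`. Separately, `instance_variable_set(:@conf, opts[:conf])` reaches into the eval context's private state and deserves a one-line comment explaining why the mock context needs the real configuration. The enclosing method starts outside the hunk.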
@@ -14,12 +14,14 @@ control 'profilea-1' do # A unique ID for this control impact 0.7 # The criticality, if this control fails. title 'Create / directory' # A human-readable title desc 'An optional description...' + tag "tag-profilea1" describe file('/') do # The actual test it { should be_directory } end end control 'profilea-2' do + tag "tag-profilea2" describe example_config do its('version') { should eq('1.0') } end diff --git a/test/fixtures/profiles/dependencies/profile_b/controls/example.rb b/test/fixtures/profiles/dependencies/profile_b/controls/example.rb index 73901831a..2a9013b21 100644 --- a/test/fixtures/profiles/dependencies/profile_b/controls/example.rb +++ b/test/fixtures/profiles/dependencies/profile_b/controls/example.rb @@ -8,13 +8,15 @@ control 'profileb-1' do # A unique ID for this control impact 0.7 # The criticality, if this control fails. title 'Create / directory' # A human-readable title desc 'An optional description...' + tag "tag-profileb1" describe file('/') do # The actual test it { should be_directory } end end control 'profileb-2' do + tag "tag-profileb2" describe example_config do its('version') { should eq('2.0') } end -end +end \ No newline at end of file diff --git a/test/fixtures/profiles/dependencies/profile_c/controls/example.rb b/test/fixtures/profiles/dependencies/profile_c/controls/example.rb index 2a03b25be..b5a570c42 100644 --- a/test/fixtures/profiles/dependencies/profile_c/controls/example.rb +++ b/test/fixtures/profiles/dependencies/profile_c/controls/example.rb @@ -3,6 +3,7 @@ control 'profilec-1' do # A unique ID for this control impact 0.7 # The criticality, if this control fails. title 'Create /tmp directory' # A human-readable title desc 'An optional description...' + tag 'tag-profilec1' describe file('/') do # The actual test it { should be_directory } end diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index f1872ff4a..410bdd6dc 100644 
--- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
@@ -291,6 +291,53 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end + it "executes only specified controls of included dependent profile by using literal names of tags" do + inspec("exec " + File.join(profile_path, "dependencies", "profile_a") + " --no-create-lockfile --tags tag-profilea1 tag-profilec1") + _(stdout).must_include "✔ profilea-1: Create / directory\n" + _(stdout).must_include "✔ profilec-1: Create /tmp directory\n" + _(stdout).must_include "✔ File / is expected to be directory\n" + _(stdout).wont_include "✔ profilea-2: example_config\n" + _(stdout).must_include "Test Summary: 2 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls of included dependent profile by using regex on tags" do + inspec("exec " + File.join(profile_path, "dependencies", "profile_a") + " --no-create-lockfile --tags '/^tag-profilea/'") + _(stdout).must_include "✔ profilea-1: Create / directory\n" + _(stdout).must_include "✔ profilea-2: example_config\n" + _(stdout).wont_include "✔ profilec-1: Create /tmp directory\n" + _(stdout).must_include "Test Summary: 2 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls of required dependent profile by using literal names of tags" do + inspec("exec " + File.join(profile_path, "dependencies", "require_controls_test") + " --no-create-lockfile --tags tag-profileb2") + _(stdout).must_include "✔ profileb-2: example_config\n" + _(stdout).must_include "✔ example_config version is expected to eq \"2.0\"\n" + _(stdout).wont_include "✔ profilea-1: Create / directory\n" + _(stdout).wont_include "✔ profilea-2: example_config\n" + _(stdout).must_include "Test Summary: 2 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + it "executes only specified controls of required dependent profile by using regex on 
tags" do + inspec("exec " + File.join(profile_path, "dependencies", "require_controls_test") + " --no-create-lockfile --tags '/^tag-profileb/'") + _(stdout).must_include "✔ profileb-2: example_config\n" + _(stdout).must_include "✔ example_config version is expected to eq \"2.0\"\n" + _(stdout).wont_include "✔ profilea-1: Create / directory\n" + _(stdout).wont_include "✔ profilea-2: example_config\n" + _(stdout).must_include "Test Summary: 2 successful, 0 failures, 0 skipped\n" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + it "reports whan a profile cannot be loaded" do inspec("exec " + File.join(profile_path, "raise_outside_control") + " --no-create-lockfile") _(stdout).must_match(/Profile:[\W]+InSpec Profile \(raise_outside_control\)/) From 9aab6114a7f21953eaae8556f64ece57a3e3480a Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 17:48:45 +0530 Subject: [PATCH 389/483] #5573 edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/oracledb_conf.md | 26 +++++++++---------- .../resources/oracledb_listener_conf.md | 20 +++++++------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/oracledb_conf.md b/docs-chef-io/content/inspec/resources/oracledb_conf.md index 9af8b52ed..0fe5e5cb0 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_conf.md 
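Review bot: Both regex cases added here pass a single pattern to `--tags`, so nothing pins how several patterns combine in `tag_exist_in_control_tags?`. A case that puts a pattern matching no tag ahead of `/^tag-profilea/` and still expects profilea-1 and profilea-2 to run would cover the order-dependent loop in that method. The two require_controls_test cases also expect `Test Summary: 2 successful` while asserting only one control title, so a short comment naming which two tests are counted would make a later failure easier to read.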
@@ -11,23 +11,23 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `oracledb_conf` Chef InSpec audit resource to test the system parameters of Oracle. +Use the `oracledb_conf` Chef InSpec audit resource to test the Oracle system parameters. -### Installation +## Installation This resource is distributed along with Chef InSpec itself. You can use it automatically. -### Requirements +## Requirements -You must have access to a database user that has access to the `DBA` role. +You must have access to a database user with `DBA` role. ## Syntax -A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: +A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: - describe oracledb_conf(user: 'USER', password: 'PASSWORD') do - its("config item") { should cmp "value" } - end +describe oracledb_conf(user: 'USER', password: 'PASSWORD') do + its("config item") { should cmp "value" } +end ### Optional Parameters @@ -39,11 +39,11 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the database view - describe oracledb_conf(user: 'USER', password: 'PASSWORD') do - its("audit_sys_operations") { should cmp "true" } - its("sql92_security") { should cmp "true" } - end +describe oracledb_conf(user: 'USER', password: 'PASSWORD') do + its("audit_sys_operations") { should cmp "true" } + its("sql92_security") { should cmp "true" } +end ## Matchers -For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). \ No newline at end of file +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). 
diff --git a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md index 7e01b3633..5fb71d4df 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md @@ -13,11 +13,11 @@ platform = "os" Use the `oracledb_listener_conf` Chef InSpec audit resource to test the listeners settings of Oracle DB, typically located at `$ORACLE_HOME/network/admin/listener.ora` or `$ORACLE_HOME\network\admin\listener.ora` depending upon the platform. -### Installation +## Installation This resource is distributed along with Chef InSpec itself. You can use it automatically. -### Requirements +## Requirements - You must have sufficient permission to access listener settings defined in `listener.ora` file. - Value for environment variable `ORACLE_HOME` should be set in the system. @@ -26,9 +26,9 @@ This resource is distributed along with Chef InSpec itself. You can use it autom A `oracledb_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test: - describe oracledb_listener_conf do - its('config item') { should eq 'value' } - end +describe oracledb_listener_conf do + its('config item') { should eq 'value' } +end ## Examples 
@@ -36,11 +36,11 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the listener file - describe oracledb_listener_conf do - its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } - its('EM_EXPRESS_PORT') { should eq '5500' } - end +describe oracledb_listener_conf do + its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } + its('EM_EXPRESS_PORT') { should eq '5500' } +end ## Matchers -For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). \ No newline at end of file +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). From 6f2b77d774dedb68fe7fd408bfb6a6c0bb4be20a Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 18:01:52 +0530 Subject: [PATCH 390/483] 5589 edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/chrony_conf.md | 42 ++++++++-------- .../content/inspec/resources/oracledb_conf.md | 49 +++++++++++++++++++ 2 files changed, 70 insertions(+), 21 deletions(-) create mode 100644 docs-chef-io/content/inspec/resources/oracledb_conf.md diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md index ed4f22920..c097cb8d1 100644 --- a/docs-chef-io/content/inspec/resources/chrony_conf.md +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md 
@@ -28,15 +28,15 @@ This resource first became available in v of InSpec. --> An `chrony_conf` resource block declares the synchronization settings that should be tested: - describe chrony_conf('path') do - its('setting_name') { should eq 'value' } - end + describe chrony_conf('PATH') do + its('setting_name') { should eq 'VALUE' } + end where -- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file -- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`) -- `{ should eq 'value' }` is the value that is expected +- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file. +- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`). +- `{ should eq 'value' }` is the value that is expected. ## Examples 
@@ -44,30 +44,30 @@ The following examples show how to use this Chef InSpec audit resource. ### Test for clock drift against named servers - describe chrony_conf do - its('driftfile') { should cmp '/var/lib/chrony/drift' } - its('server') do - should cmp [ - '0.ubuntu.pool.ntp.org', - '1.ubuntu.pool.ntp.org', - '2.ubuntu.pool.ntp.org' - ] - end +describe chrony_conf do + its('driftfile') { should cmp '/var/lib/chrony/drift' } + its('server') do + should cmp [ + '0.ubuntu.pool.ntp.org', + '1.ubuntu.pool.ntp.org', + '2.ubuntu.pool.ntp.org' + ] end +end ## Matchers This resource matches any service that is listed in the `chrony.conf` file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). - its('server') { should_not eq nil } + its('server') { should_not eq nil } or: - its('allow') { should include '192.168.0.0/16'} + its('allow') { should include '192.168.0.0/16'} For example: - describe chrony_conf do - its('server') { should_not eq nil } - its('allow') { should include '192.168.0.0/16'} - end + describe chrony_conf do + its('server') { should_not eq nil } + its('allow') { should include '192.168.0.0/16'} + end diff --git a/docs-chef-io/content/inspec/resources/oracledb_conf.md b/docs-chef-io/content/inspec/resources/oracledb_conf.md new file mode 100644 index 000000000..559a01de0 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/oracledb_conf.md 
@@ -0,0 +1,49 @@
++++
+title = "oracledb_conf resource"
+draft = false
+gh_repo = "inspec"
+platform = "os"
+
+[menu]
+ [menu.inspec]
+ title = "oracledb_conf"
+ identifier = "inspec/resources/os/oracledb_conf.md oracledb_conf resource"
+ parent = "inspec/resources/os"
++++
+
+Use the `oracledb_conf` Chef InSpec audit resource to test the Oracle system parameters.
+
+## Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+## Requirements
+
+You must have access to a database user with `DBA` role.
+
+## Syntax
+
+A `oracledb_conf` resource block declares user and password to use. It fetches system parameters defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test:
+
+describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+ its("config item") { should cmp "value" }
+end
+
+### Optional Parameters
+
+`oracledb_conf` is based on `oracledb_session`, and accepts all parameters that `oracledb_session` accepts.
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+### Test parameters set within the database view
+
+describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+ its("audit_sys_operations") { should cmp "true" }
+ its("sql92_security") { should cmp "true" }
+end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
From 78ded420471aa4d5b6ed7e2109696e39314e19ab Mon Sep 17 00:00:00 2001
From: Deepa Kumaraswamy
Date: Tue, 7 Sep 2021 18:54:47 +0530
Subject: [PATCH 391/483] #5574 edits
Signed-off-by: Deepa Kumaraswamy
---
.../inspec/resources/mssql_sys_conf.md | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md
index 3ecadf9e6..d00430a60 100644
--- a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md +++ b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md @@ -11,13 +11,13 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `mssql_sys_conf` Chef InSpec audit resource to test configuration of a Mssql database. +Use the `mssql_sys_conf` Chef InSpec audit resource to test the configuration of a Mssql database. -### Installation +## Installation This resource is distributed along with Chef InSpec itself. You can use it automatically. -### Requirements +## Requirements You must have database access. @@ -25,16 +25,16 @@ You must have database access. A `mssql_sys_conf` resource block declares the configuration item name, user, and password to use. - describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do - its("value_in_use") { should cmp "value" } - its("value_configured") { should cmp "value" } - end +describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "value" } + its("value_configured") { should cmp "value" } +end where - `mssql_sys_conf` declares a config item, user, and password with permission to use `sys.configurations`. -- `its('value_in_use') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value -- `its('value_configured') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value +- `its('value_in_use') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value. +- `its('value_configured') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value. ### Optional Parameters 
@@ -50,10 +50,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the database view - describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do - its("value_in_use") { should cmp "0" } - its("value_configured") { should cmp "0" } - end +describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "0" } + its("value_configured") { should cmp "0" } +end ## Matchers From 1794716c0461df963afb979c8c586e25838f76a4 Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 19:44:01 +0530 Subject: [PATCH 392/483] #5614 edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/ibmdb2_conf.md | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md index 83e03cf38..f10ea76b6 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md @@ -11,8 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. -Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test. +Use the `ibmdb2_conf` Chef InSpec audit resource to test the configuration settings. Make sure you are using the IBM Db2 database instance user credentials to run the InSpec test. ## Availability 
@@ -24,17 +23,17 @@ This resource is distributed along with Chef InSpec itself. You can use it autom A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to connect and then runs command to get the configuration values and compares it to the value stated in the test: - describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} - end +describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} +end Windows - describe ibmdb2_conf do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} - end +describe ibmdb2_conf do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} +end where @@ -49,11 +48,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test the audit buffer size configuration settings of IBM Db2 database - describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")} - end - +describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")} +end ## Matchers From 4b953a608540537f690a5cf7528d7e123cc22f1a Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Tue, 7 Sep 2021 19:57:38 +0530 Subject: [PATCH 393/483] 5617 edits 
Signed-off-by: Deepa Kumaraswamy --- docs-chef-io/content/inspec/cli.md | 105 +++++++++++++++-------------- 1 file changed, 54 insertions(+), 51 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 0a0d7fb35..3f423a47a 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -15,7 +15,7 @@ Use the InSpec CLI to run tests and audits against targets using local, SSH, Win ## archive -Archive a profile to tar.gz (default) or zip +Archive a profile to tar.gz (default) or zip. ### Syntax @@ -42,14 +42,13 @@ This subcommand has additional options: * ``--tar``, ``--no-tar`` Generates a tar.gz archive. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies. (default: ~/.inspec/cache). * ``--zip``, ``--no-zip`` Generates a zip archive. ## check -Verify metadata in inspec.yml. Verify control data has fields (title, description, -impact) defined and that all controls have visible tests. +Verify metadata in inspec.yml. Verify control data has fields (title, description, impact) defined and that all controls have visible tests. ### Syntax @@ -64,7 +63,7 @@ inspec check PATH This subcommand has additional options: * ``--format=FORMAT`` - The output format to use doc (default), json. If valid format is not provided then it will use the default. + The output format to use doc (default), json. If valid format is not provided, then it will use the default. * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--vendor-cache=VENDOR_CACHE`` @@ -72,7 +71,7 @@ This subcommand has additional options: ## detect -Detect the target os +Detect the target OS. ### Syntax 
@@ -89,11 +88,11 @@ This subcommand has additional options: * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--docker-url`` @@ -105,7 +104,7 @@ This subcommand has additional options: * ``--host=HOST`` Specify a remote host which is tested. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``-i``, ``--key-files=one two three`` Login key or certificate file for a remote scan. * ``--password=PASSWORD`` @@ -115,7 +114,7 @@ This subcommand has additional options: * ``-p``, ``--port=N`` Specify the login port for a remote scan. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` @@ -137,7 +136,7 @@ This subcommand has additional options: * ``-t``, ``--target=TARGET`` Simple targeting option using URIs, e.g. ssh://user:pass@host:port * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--user=USER`` The login user for a remote scan. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -151,7 +150,7 @@ This subcommand has additional options: ## env -Output shell-appropriate completion configuration +Output shell-appropriate completion configuration. ### Syntax 
@@ -165,9 +164,7 @@ inspec env Run all test files at the specified locations. -The subcommand loads the given profiles, fetches their dependencies if needed, then -connects to the target and executes any controls contained in the profiles. -One or more reporters are used to generate the output. +The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output. ``` exit codes: @@ -183,6 +180,7 @@ exit codes: Below are some examples of using `exec` with different test locations: Chef Automate: + ``` inspec automate login inspec exec compliance://username/linux-baseline @@ -195,31 +193,37 @@ inspec compliance login ``` Chef Supermarket: + ``` inspec exec supermarket://username/linux-baseline ``` Local profile (executes all tests in `controls/`): + ``` inspec exec /path/to/profile ``` Local single test (doesn't allow inputs or custom resources): + ``` inspec exec /path/to/a_test.rb ``` Git via SSH: + ``` inspec exec git@github.com:dev-sec/linux-baseline.git ``` Git via HTTPS (.git suffix is required): + ``` inspec exec https://github.com/dev-sec/linux-baseline.git ``` Private Git via HTTPS (.git suffix is required): + ``` inspec exec https://api_token@github.com/dev-sec/linux-baseline.git ``` @@ -241,7 +245,6 @@ Web-hosted file with basic authentication (supports .zip): inspec exec https://username:password@webserver/linux-baseline.tar.gz ``` - ### Syntax This subcommand has the following syntax: 
@@ -259,13 +262,13 @@ This subcommand has additional options: * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--backend-cache``, ``--no-backend-cache`` - Allow caching for backend command output. (default: true) + Allow caching for backend command output. (default: true). * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``--command-timeout=SECONDS`` Maximum seconds to allow a command to run. * ``--config=CONFIG`` @@ -273,7 +276,7 @@ This subcommand has additional options: * ``--controls=one two three`` A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests. * ``--create-lockfile``, ``--no-create-lockfile`` - Write out a lockfile based on this execution (unless one already exists) + Write out a lockfile based on this execution (unless one already exists). * ``--distinct-exit``, ``--no-distinct-exit`` Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures. * ``--docker-url`` 
@@ -287,9 +290,9 @@ This subcommand has additional options: * ``--input=name1=value1 name2=value2`` Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. * ``--input-file=one two three`` - Load one or more input files, a YAML file with values for the profile to use + Load one or more input files, a YAML file with values for the profile to use. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``-i``, ``--key-files=one two three`` Login key or certificate file for a remote scan. * ``--password=PASSWORD`` @@ -301,15 +304,15 @@ This subcommand has additional options: * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--reporter=one two:/output/file/path`` - Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml + Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml. * ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion`` - Include a code backtrace in report data (default: true) + Include a code backtrace in report data (default: true). * ``--reporter-include-source`` - Include full source code of controls in the CLI report + Include full source code of controls in the CLI report. * ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION`` - Number of characters to truncate failure messages in report data to (default: no truncation) + Number of characters to truncate failure messages in report data to (default: no truncation). * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` 
@@ -333,15 +336,15 @@ This subcommand has additional options: * ``--sudo-password=SUDO_PASSWORD`` Specify a sudo password, if it is required. * ``-t``, ``--target=TARGET`` - Simple targeting option using URIs, e.g. ssh://user:pass@host:port + Simple targeting option using URIs, e.g. ssh://user:pass@host:port. * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--tags=one two three`` A list of tags, a list of regular expressions that match tags, or a hash map where each value is a tag. `exec` will run controls referenced by the listed or matching tags. * ``--user=USER`` The login user for a remote scan. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies. (default: ~/.inspec/cache). * ``--waiver-file=one two three`` Load one or more waiver files. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -353,7 +356,7 @@ This subcommand has additional options: ## help -Describe available commands or one specific command +Describe available commands or one specific command. ### Syntax @@ -365,7 +368,7 @@ inspec help [COMMAND] ## json -Read all tests in path and generate a json summary +Read all tests in path and generate a json summary. ### Syntax 
@@ -382,17 +385,17 @@ This subcommand has additional options: * ``--controls=one two three`` A list of controls to include. Ignore all other tests. * ``-o``, ``--output=OUTPUT`` - Save the created profile to a path + Save the created profile to a path. * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--tags=one two three`` A list of tags that reference certain controls. Other controls are ignored. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies. (default: ~/.inspec/cache). ## nothing -Does nothing +Does nothing. ### Syntax @@ -404,7 +407,7 @@ inspec nothing ## schema -Print the json schema +Print the json schema. ### Syntax @@ -416,7 +419,7 @@ inspec schema NAME ## shell -Open an interactive debugging shell +Open an interactive debugging shell. ### Syntax @@ -433,13 +436,13 @@ This subcommand has additional options: * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``-c``, ``--command=COMMAND`` - A single command string to run instead of launching the shell + A single command string to run instead of launching the shell. * ``--command-timeout=SECONDS`` Maximum seconds to allow a command to run. * ``--config=CONFIG`` 
@@ -455,7 +458,7 @@ This subcommand has additional options: * ``--host=HOST`` Specify a remote host which is tested. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``--inspect``, ``--no-inspect`` Use verbose/debugging output for resources. * ``-i``, ``--key-files=one two three`` @@ -467,9 +470,9 @@ This subcommand has additional options: * ``-p``, ``--port=N`` Specify the login port for a remote scan. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--reporter=one two:/output/file/path`` - Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit + Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit. * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` @@ -489,9 +492,9 @@ This subcommand has additional options: * ``--sudo-password=SUDO_PASSWORD`` Specify a sudo password, if it is required. * ``-t``, ``--target=TARGET`` - Simple targeting option using URIs, e.g. ssh://user:pass@host:port + Simple targeting option using URIs, e.g. ssh://user:pass@host:port. * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--user=USER`` The login user for a remote scan. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -503,7 +506,7 @@ This subcommand has additional options: ## supermarket -Supermarket commands +Supermarket commands. ### Syntax @@ -515,7 +518,7 @@ inspec supermarket SUBCOMMAND ... ## vendor -Download all dependencies and generate a lockfile in a `vendor` directory +Download all dependencies and generate a lockfile in a `vendor` directory. ### Syntax 
@@ -534,7 +537,7 @@ This subcommand has additional options: ## version -Prints the version of this tool +Prints the version of this tool. ### Syntax From b1eb22e55abe7f5e094d0f7152cb9116b27de731 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 7 Sep 2021 14:49:48 -0700 Subject: [PATCH 394/483] Docs edits Signed-off-by: Ian Maddaus --- .../inspec/resources/mssql_sys_conf.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md index d00430a60..4f9cc86de 100644 --- a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md +++ b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `mssql_sys_conf` Chef InSpec audit resource to test the configuration of a Mssql database. +Use the `mssql_sys_conf` Chef InSpec audit resource to test the configuration of a Microsoft SQL Server database. ## Installation 
@@ -23,26 +23,28 @@ You must have database access. ## Syntax -A `mssql_sys_conf` resource block declares the configuration item name, user, and password to use. +A `mssql_sys_conf` resource block declares the configuration item, user, and password to test. -describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do - its("value_in_use") { should cmp "value" } - its("value_configured") { should cmp "value" } +```ruby +describe mssql_sys_conf("CONFIGURATION ITEM TO TEST", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "EXPECTED_VALUE" } + its("value_configured") { should cmp "EXPECTED_VALUE" } end +``` -where +where: -- `mssql_sys_conf` declares a config item, user, and password with permission to use `sys.configurations`. -- `its('value_in_use') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value. -- `its('value_configured') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value. +- `mssql_sys_conf` declares a configuration item, `user`, and `password` with permission to use `sys.configurations`. +- `its('value_in_use') { should cmp 'EXPECTED_VALUE' }` compares the current running value of the configuration item against an expected value. +- `its('value_configured') { should cmp 'EXPECTED_VALUE' }` compares the saved value of the configuration item against an expected value. ### Optional Parameters -`mssql_sys_conf` is based on `mssql_session`, and accepts all parameters that `mssql_session` accepts. +`mssql_sys_conf` is based on the `mssql_session` resource and accepts all the parameters that `mssql_session` accepts. #### `username` -Defaults to `SA`. +The user name. Default value: `SA`. ## Examples From daa9d77766c9283c2e0fd84dedc65263f2df2907 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Tue, 7 Sep 2021 15:36:16 -0700 Subject: [PATCH 395/483] Docs edits 
Signed-off-by: Ian Maddaus --- .../content/inspec/resources/chrony_conf.md | 40 ++++++++------- .../content/inspec/resources/oracledb_conf.md | 49 ------------------- 2 files changed, 21 insertions(+), 68 deletions(-) delete mode 100644 docs-chef-io/content/inspec/resources/oracledb_conf.md diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md index c097cb8d1..0b3a283c8 100644 --- a/docs-chef-io/content/inspec/resources/chrony_conf.md +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md @@ -28,11 +28,13 @@ This resource first became available in v of InSpec. --> An `chrony_conf` resource block declares the synchronization settings that should be tested: - describe chrony_conf('PATH') do - its('setting_name') { should eq 'VALUE' } - end +```ruby +describe chrony_conf('PATH') do + its('setting_name') { should eq 'VALUE' } +end +``` -where +where: - `'setting_name'` is a synchronization setting defined in the `chrony.conf` file. - `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`). @@ -42,8 +44,11 @@ where The following examples show how to use this Chef InSpec audit resource. -### Test for clock drift against named servers +This resource matches any service listed in the `chrony.conf` file. +### Test for clock drift against named servers. + +```ruby describe chrony_conf do its('driftfile') { should cmp '/var/lib/chrony/drift' } its('server') do 
@@ -54,20 +59,17 @@ describe chrony_conf do ] end end +``` + +### Test that an NTP server exists and a specific subnet is specified from which NTP clients are allowed access. + +```ruby +describe chrony_conf do + its('server') { should_not eq nil } + its('allow') { should include '192.168.0.0/16'} +end +``` ## Matchers -This resource matches any service that is listed in the `chrony.conf` file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). - - its('server') { should_not eq nil } - -or: - - its('allow') { should include '192.168.0.0/16'} - -For example: - - describe chrony_conf do - its('server') { should_not eq nil } - its('allow') { should include '192.168.0.0/16'} - end + For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/docs-chef-io/content/inspec/resources/oracledb_conf.md b/docs-chef-io/content/inspec/resources/oracledb_conf.md deleted file mode 100644 index 559a01de0..000000000 --- a/docs-chef-io/content/inspec/resources/oracledb_conf.md +++ /dev/null 
@@ -1,49 +0,0 @@
-+++
-title = "oracledb_conf resource"
-draft = false
-gh_repo = "inspec"
-platform = "os"
-
-[menu]
- [menu.inspec]
- title = "oracledb_conf"
- identifier = "inspec/resources/os/oracledb_conf.md oracledb_conf resource"
- parent = "inspec/resources/os"
-+++
-
-Use the `oracledb_conf` Chef InSpec audit resource to test the Oracle system parameters.
-
-## Installation
-
-This resource is distributed along with Chef InSpec itself. You can use it automatically.
-
-## Requirements
-
-You must have access to a database user with `DBA` role.
-
-## Syntax
-
-A `oracledb_conf` resource block declares user and password to use. It fetches system parameters defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test:
-
-describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
- its("config item") { should cmp "value" }
-end
-
-### Optional Parameters
-
-`oracledb_conf` is based on `oracledb_session`, and accepts all parameters that `oracledb_session` accepts.
-
-## Examples
-
-The following examples show how to use this Chef InSpec audit resource.
-
-### Test parameters set within the database view
-
-describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
- its("audit_sys_operations") { should cmp "true" }
- its("sql92_security") { should cmp "true" }
-end
-
-## Matchers
-
-For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
From 7871175d1d44db57c8fd94f0ba17067bb3f2f383 Mon Sep 17 00:00:00 2001
From: Ian Maddaus
Date: Tue, 7 Sep 2021 16:58:04 -0700
Subject: [PATCH 396/483] Docs edits
Signed-off-by: Ian Maddaus
---
docs-chef-io/content/inspec/resources/sybase_conf.md | 8 +++++---
.../content/inspec/resources/sybase_session.md | 10 ++++++++--
2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/docs-chef-io/content/inspec/resources/sybase_conf.md b/docs-chef-io/content/inspec/resources/sybase_conf.md
index bbc2c04b5..93d0a63ed 100644
--- a/docs-chef-io/content/inspec/resources/sybase_conf.md +++ b/docs-chef-io/content/inspec/resources/sybase_conf.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `sybase_conf` Chef InSpec audit resource to test the configuration of a Sybase / SAP ASE database. +Use the `sybase_conf` Chef InSpec audit resource to test the configuration of an SAP Adaptive Server Enterprise (ASE) database. ## Availability @@ -36,13 +36,13 @@ end where -- `sybase_conf` declares a config item, server, and password with permission to run `sp_configure`. +- `sybase_conf` declares a configuration item, server, and password with permission to run `sp_configure`. - `its('run_value') { should cmp 'expected' }` compares the current running value of the configuration item against an expected value. - `its('config_value') { should cmp 'expected' }` compares the saved value of the configuration item against an expected value. ### Optional Parameters -`sybase_conf` is based on `sybase_session`, and accepts all parameters that `sybase_session` accepts, including optional parameters `username`, `database`, `sybase_home`, and `bin`. +The `sybase_conf` resource is based on the `sybase_session` resource and accepts all parameters that `sybase_session` accepts, including optional parameters `username`, `database`, `sybase_home`, and `bin`. In particular: @@ -60,10 +60,12 @@ The following examples show how to use this Chef InSpec audit resource. ### Test for max memory configuration +```ruby describe sybase_session('max memory', server: 'SYBASE', password: 'PASSWORD') do its('run_value') { should cmp 180224 } its('config_value') { should cmp 180224 } end +``` ## Matchers diff --git a/docs-chef-io/content/inspec/resources/sybase_session.md b/docs-chef-io/content/inspec/resources/sybase_session.md index bf9e2bd65..753f67d42 100644 --- a/docs-chef-io/content/inspec/resources/sybase_session.md +++ b/docs-chef-io/content/inspec/resources/sybase_session.md 
@@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `sybase_session` Chef InSpec audit resource to test the SQL commands run against a Sybase / SAP ASE database. +Use the `sybase_session` Chef InSpec audit resource to test the SQL commands run against an SAP Adaptive Server Enterprise (ASE) database. ## Availability @@ -33,7 +33,7 @@ end where -- `sybase_session` declares a server, database, username and password with permission to run the query. +- `sybase_session` declares a server, database, username, and password with permission to run the query. - `query('QUERY')` contains the query to be run. - `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test. @@ -43,6 +43,7 @@ where You may use the `bin` parameter to specify the path to the `isql` cli tool. +```ruby describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'USERNAME', @@ -51,11 +52,13 @@ describe sybase_session(database: 'pubs2', ).query('QUERY').row(0).column('RESULT') do its('value') { should eq('EXPECTED') } end +``` #### sybase_home You may use the `sybase_home` parameter to specify the path to the sybase installation. +```ruby describe sybase_session(database: 'pubs2', server: 'SYBASE', username: 'USERNAME', @@ -64,6 +67,7 @@ describe sybase_session(database: 'pubs2', ).query('QUERY').row(0).column('RESULT') do its('value') { should eq('EXPECTED') } end +``` ## Examples @@ -71,11 +75,13 @@ The following examples show how to use this Chef InSpec audit resource. ### Test for matching values in the pubs2 sample database +```ruby sql = sybase_session(database: 'pubs2', server: 'SYBASE', username: 'MY_USER', password: 'PASSWORD') describe sql.query("SELECT au_lname FROM authors").row(0).column('AU_LNAME') do its("value") { should eq 'BENNET' } end +``` ## Matchers From 4deef9313f77e575ed290861d311678a8defc5d0 Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Wed, 8 Sep 2021 12:28:37 +0530 Subject: [PATCH 397/483] Integrated review comments Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/cli.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 0a0d7fb35..43c69bbf4 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -64,7 +64,7 @@ inspec check PATH This subcommand has additional options: * ``--format=FORMAT`` - The output format to use doc (default), json. If valid format is not provided then it will use the default. + The output format to use. Valid values: `json` and `doc`. Default value: `doc`. * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--vendor-cache=VENDOR_CACHE`` From afc89f3f5452e7229efad72244592a6e6a0ef605 Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 18:27:34 +0530 Subject: [PATCH 398/483] edit Signed-off-by: Deepa Kumaraswamy --- docs-chef-io/content/inspec/resources/sybase_conf.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/sybase_conf.md b/docs-chef-io/content/inspec/resources/sybase_conf.md index bbc2c04b5..bbef2d216 100644 --- a/docs-chef-io/content/inspec/resources/sybase_conf.md +++ b/docs-chef-io/content/inspec/resources/sybase_conf.md @@ -29,10 +29,10 @@ You must have access to a database user that has access to the `sa` role on the A `sybase_conf` resource block declares the configuration item name, server, and password to use. -describe sybase_session('config item', server: 'SYBASE', password: 'PASSWORD') do - its('run_value') { should cmp 'EXPECTED' } - its('config_value') { should cmp 'EXPECTED' } -end + describe sybase_session('config item', server: 'SYBASE', password: 'PASSWORD') do + its('run_value') { should cmp 'EXPECTED' } + its('config_value') { should cmp 'EXPECTED' } + end where 
From 371e483cb5f6107f82de922ddbcece02ca70c66f Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 18:38:53 +0530 Subject: [PATCH 399/483] indent correction Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/oracledb_conf.md | 14 +++++++------- .../inspec/resources/oracledb_listener_conf.md | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/oracledb_conf.md b/docs-chef-io/content/inspec/resources/oracledb_conf.md index 0fe5e5cb0..17f8d620f 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_conf.md +++ b/docs-chef-io/content/inspec/resources/oracledb_conf.md @@ -25,9 +25,9 @@ You must have access to a database user with `DBA` role. A `oracledb_conf` resource block declares user and password to use. It fetches system parameters which are defined in the `V$SYSTEM_PARAMETER` database view, and then compares those parameters to the values stated in the test: -describe oracledb_conf(user: 'USER', password: 'PASSWORD') do - its("config item") { should cmp "value" } -end + describe oracledb_conf(user: 'USER', password: 'PASSWORD') do + its("config item") { should cmp "value" } + end ### Optional Parameters @@ -39,10 +39,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the database view -describe oracledb_conf(user: 'USER', password: 'PASSWORD') do - its("audit_sys_operations") { should cmp "true" } - its("sql92_security") { should cmp "true" } -end + describe oracledb_conf(user: 'USER', password: 'PASSWORD') do + its("audit_sys_operations") { should cmp "true" } + its("sql92_security") { should cmp "true" } + end ## Matchers diff --git a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md index 5fb71d4df..54f8197e1 100644 --- a/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md 
+++ b/docs-chef-io/content/inspec/resources/oracledb_listener_conf.md @@ -26,9 +26,9 @@ This resource is distributed along with Chef InSpec itself. You can use it autom A `oracledb_listener_conf` resource block fetches listeners settings in the `listener.ora` file, and then compares them with the value stated in the test: -describe oracledb_listener_conf do - its('config item') { should eq 'value' } -end + describe oracledb_listener_conf do + its('config item') { should eq 'value' } + end ## Examples @@ -36,10 +36,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the listener file -describe oracledb_listener_conf do - its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } - its('EM_EXPRESS_PORT') { should eq '5500' } -end + describe oracledb_listener_conf do + its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' } + its('EM_EXPRESS_PORT') { should eq '5500' } + end ## Matchers From c8ede95f2e52cd8d317839982e8a5259225d48a2 Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 18:46:43 +0530 Subject: [PATCH 400/483] indents Signed-off-by: Deepa Kumaraswamy --- .../inspec/resources/google_project_alert_policy.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md index e45fb7832..4faebc004 100644 --- a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md +++ b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md 
@@ -32,15 +32,15 @@ end ### Test that a GCP alert policy is enabled -describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do - it { should be_enabled } -end + describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do + it { should be_enabled } + end ### Test that a GCP compute alert policy display name is correct -describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do - its('display_name') { should eq 'policy name' } -end + describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do + its('display_name') { should eq 'policy name' } + end ## Properties From a09c2d7c1feb4c1bab3f782567cc1ca4461c95cc Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 19:46:28 +0530 Subject: [PATCH 401/483] doc edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/chrony_conf.md | 62 ++++++++++--------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md index ed4f22920..5b929da11 100644 --- a/docs-chef-io/content/inspec/resources/chrony_conf.md +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md 
@@ -28,46 +28,48 @@ This resource first became available in v of InSpec. --> An `chrony_conf` resource block declares the synchronization settings that should be tested: - describe chrony_conf('path') do - its('setting_name') { should eq 'value' } - end +```ruby +describe chrony_conf('PATH') do + its('setting_name') { should eq 'VALUE' } +end +``` -where +where: -- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file -- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`) -- `{ should eq 'value' }` is the value that is expected +- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file. +- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`). +- `{ should eq 'value' }` is the value that is expected. ## Examples The following examples show how to use this Chef InSpec audit resource. +This resource matches any service listed in the `chrony.conf` file. + ### Test for clock drift against named servers - describe chrony_conf do - its('driftfile') { should cmp '/var/lib/chrony/drift' } - its('server') do - should cmp [ - '0.ubuntu.pool.ntp.org', - '1.ubuntu.pool.ntp.org', - '2.ubuntu.pool.ntp.org' - ] - end +```ruby +describe chrony_conf do + its('driftfile') { should cmp '/var/lib/chrony/drift' } + its('server') do + should cmp [ + '0.ubuntu.pool.ntp.org', + '1.ubuntu.pool.ntp.org', + '2.ubuntu.pool.ntp.org' + ] end +end +``` + +### Test that an NTP server exists and a specific subnet is specified from which NTP clients are accessible + +```ruby +describe chrony_conf do + its('server') { should_not eq nil } + its('allow') { should include '192.168.0.0/16'} +end +``` ## Matchers -This resource matches any service that is listed in the `chrony.conf` file. For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). 
- - its('server') { should_not eq nil } - -or: - - its('allow') { should include '192.168.0.0/16'} - -For example: - - describe chrony_conf do - its('server') { should_not eq nil } - its('allow') { should include '192.168.0.0/16'} - end + For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). From b71f39e8d0d761032338edaaaeac646dc8fa32da Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 19:53:48 +0530 Subject: [PATCH 402/483] edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/mssql_sys_conf.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md index d00430a60..c0d333248 100644 --- a/docs-chef-io/content/inspec/resources/mssql_sys_conf.md +++ b/docs-chef-io/content/inspec/resources/mssql_sys_conf.md @@ -25,10 +25,10 @@ You must have database access. A `mssql_sys_conf` resource block declares the configuration item name, user, and password to use. -describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do - its("value_in_use") { should cmp "value" } - its("value_configured") { should cmp "value" } -end + describe mssql_sys_conf("config item", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "value" } + its("value_configured") { should cmp "value" } + end where @@ -50,10 +50,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test parameters set within the database view -describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do - its("value_in_use") { should cmp "0" } - its("value_configured") { should cmp "0" } -end + describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do + its("value_in_use") { should cmp "0" } + its("value_configured") { should cmp "0" } + end ## Matchers 
From 03ca7081c1d59a8356fee35a32fe5703f6d75dee Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 19:59:30 +0530 Subject: [PATCH 403/483] edits Signed-off-by: Deepa Kumaraswamy --- .../content/inspec/resources/ibmdb2_conf.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md index f10ea76b6..68112659b 100644 --- a/docs-chef-io/content/inspec/resources/ibmdb2_conf.md +++ b/docs-chef-io/content/inspec/resources/ibmdb2_conf.md @@ -23,17 +23,17 @@ This resource is distributed along with Chef InSpec itself. You can use it autom A `ibmdb2_conf` resource block declares db2_executable_file_path, db_instance to connect and then runs command to get the configuration values and compares it to the value stated in the test: -describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} -end + describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} + end Windows -describe ibmdb2_conf do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} -end + describe ibmdb2_conf do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")} + end where 
@@ -48,10 +48,10 @@ The following examples show how to use this Chef InSpec audit resource. ### Test the audit buffer size configuration settings of IBM Db2 database -describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do - its("output") { should_not be_empty } - its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")} -end + describe ibmdb2_conf(db2_executable_file_path: "/opt/ibm/db2/V11.5/bin/db2", db_instance: "db2inst1") do + its("output") { should_not be_empty } + its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000")} + end ## Matchers From c94c6aa3bf0ec762210b23c17a32137f97ea6dcc Mon Sep 17 00:00:00 2001 From: Deepa Kumaraswamy Date: Wed, 8 Sep 2021 20:54:13 +0530 Subject: [PATCH 404/483] edits Signed-off-by: Deepa Kumaraswamy --- docs-chef-io/content/inspec/cli.md | 145 +++++++++++++++-------------- 1 file changed, 74 insertions(+), 71 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index 0ddcd218f..e9217509e 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -15,7 +15,7 @@ Use the InSpec CLI to run tests and audits against targets using local, SSH, Win ## archive -Archive a profile to tar.gz (default) or zip +Archive a profile to tar.gz (default) or zip. ### Syntax @@ -27,14 +27,14 @@ inspec archive PATH ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``--airgap``, ``--no-airgap`` Fallback to using local archives if fetching fails. * ``--ignore-errors``, ``--no-ignore-errors`` Ignore profile warnings. * ``-o``, ``--output=OUTPUT`` - Save the archive to a path + Save the archive to a path. * ``--overwrite``, ``--no-overwrite`` Overwrite existing archive. * ``--profiles-path=PROFILES_PATH`` 
@@ -42,7 +42,7 @@ This subcommand has additional options: * ``--tar``, ``--no-tar`` Generates a tar.gz archive. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies, (default: ~/.inspec/cache). * ``--zip``, ``--no-zip`` Generates a zip archive. @@ -60,8 +60,7 @@ inspec automate SUBCOMMAND ## check -Verify metadata in inspec.yml. Verify control data has fields (title, description, -impact) defined and that all controls have visible tests. +Verify metadata in inspec.yml. Verify control data has fields (title, description, impact) defined and that all controls have visible tests. ### Syntax @@ -73,14 +72,14 @@ inspec check PATH ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``--format=FORMAT`` * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies, (default: ~/.inspec/cache). ## detect @@ -96,16 +95,16 @@ inspec detect ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--docker-url`` 
@@ -117,7 +116,7 @@ This subcommand has additional options: * ``--host=HOST`` Specify a remote host which is tested. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``-i``, ``--key-files=one two three`` Login key or certificate file for a remote scan. * ``--password=PASSWORD`` @@ -127,7 +126,7 @@ This subcommand has additional options: * ``-p``, ``--port=N`` Specify the login port for a remote scan. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` @@ -147,9 +146,9 @@ This subcommand has additional options: * ``--sudo-password=SUDO_PASSWORD`` Specify a sudo password, if it is required. * ``-t``, ``--target=TARGET`` - Simple targeting option using URIs, e.g. ssh://user:pass@host:port + Simple targeting option using URIs, e.g. ssh://user:pass@host:port. * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--user=USER`` The login user for a remote scan. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -163,7 +162,7 @@ This subcommand has additional options: ## env -Output shell-appropriate completion configuration +Output shell-appropriate completion configuration. ### Syntax 
@@ -177,11 +176,9 @@ inspec env Run all test files at the specified locations. -The subcommand loads the given profiles, fetches their dependencies if needed, then -connects to the target and executes any controls contained in the profiles. -One or more reporters are used to generate the output. +The subcommand loads the given profiles, fetches their dependencies if needed, then connects to the target and executes any controls contained in the profiles. One or more reporters are used to generate the output. -``` +``` ruby exit codes: 0 normal exit, all tests passed 1 usage or general error @@ -195,44 +192,51 @@ exit codes: Below are some examples of using `exec` with different test locations: Chef Automate: -``` + +``` ruby inspec automate login inspec exec compliance://username/linux-baseline ``` `inspec compliance` is a backwards compatible alias for `inspec automate` and works the same way: -``` +``` ruby inspec compliance login ``` Chef Supermarket: -``` + +``` ruby inspec exec supermarket://username/linux-baseline ``` Local profile (executes all tests in `controls/`): -``` + +``` ruby inspec exec /path/to/profile ``` Local single test (doesn't allow inputs or custom resources): -``` + +``` ruby inspec exec /path/to/a_test.rb ``` Git via SSH: -``` + +``` ruby inspec exec git@github.com:dev-sec/linux-baseline.git ``` Git via HTTPS (.git suffix is required): -``` + +``` ruby inspec exec https://github.com/dev-sec/linux-baseline.git ``` Private Git via HTTPS (.git suffix is required): -``` + +``` ruby inspec exec https://api_token@github.com/dev-sec/linux-baseline.git ``` @@ -253,7 +257,6 @@ Web-hosted file with basic authentication (supports .zip): inspec exec https://username:password@webserver/linux-baseline.tar.gz ``` - ### Syntax This subcommand has the following syntax: 
@@ -264,20 +267,20 @@ inspec exec LOCATIONS ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``--attrs=one two three`` Legacy name for --input-file - deprecated. * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--backend-cache``, ``--no-backend-cache`` - Allow caching for backend command output. (default: true) + Allow caching for backend command output. (default: true). * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``--command-timeout=SECONDS`` Maximum seconds to allow a command to run. * ``--config=CONFIG`` @@ -285,7 +288,7 @@ This subcommand has additional options: * ``--controls=one two three`` A list of control names to run, or a list of /regexes/ to match against control names. Ignore all other tests. * ``--create-lockfile``, ``--no-create-lockfile`` - Write out a lockfile based on this execution (unless one already exists) + Write out a lockfile based on this execution (unless one already exists). * ``--distinct-exit``, ``--no-distinct-exit`` Exit with code 101 if any tests fail, and 100 if any are skipped (default). If disabled, exit 0 on skips and 1 for failures. * ``--docker-url`` 
@@ -299,9 +302,9 @@ This subcommand has additional options: * ``--input=name1=value1 name2=value2`` Specify one or more inputs directly on the command line, as --input NAME=VALUE. Accepts single-quoted YAML and JSON structures. * ``--input-file=one two three`` - Load one or more input files, a YAML file with values for the profile to use + Load one or more input files, a YAML file with values for the profile to use. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``-i``, ``--key-files=one two three`` Login key or certificate file for a remote scan. * ``--password=PASSWORD`` @@ -313,15 +316,15 @@ This subcommand has additional options: * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--reporter=one two:/output/file/path`` - Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml + Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit, yaml. * ``--reporter-backtrace-inclusion``, ``--no-reporter-backtrace-inclusion`` - Include a code backtrace in report data (default: true) + Include a code backtrace in report data (default: true). * ``--reporter-include-source`` - Include full source code of controls in the CLI report + Include full source code of controls in the CLI report. * ``--reporter-message-truncation=REPORTER_MESSAGE_TRUNCATION`` - Number of characters to truncate failure messages in report data to (default: no truncation) + Number of characters to truncate failure messages in report data to (default: no truncation). * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` 
@@ -345,15 +348,15 @@ This subcommand has additional options: * ``--sudo-password=SUDO_PASSWORD`` Specify a sudo password, if it is required. * ``-t``, ``--target=TARGET`` - Simple targeting option using URIs, e.g. ssh://user:pass@host:port + Simple targeting option using URIs, e.g. ssh://user:pass@host:port. * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--tags=one two three`` A list of tags, a list of regular expressions that match tags, or a hash map where each value is a tag. `exec` will run controls referenced by the listed or matching tags. * ``--user=USER`` The login user for a remote scan. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies. (default: ~/.inspec/cache). * ``--waiver-file=one two three`` Load one or more waiver files. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -365,7 +368,7 @@ This subcommand has additional options: ## help -Describe available commands or one specific command +Describe available commands or one specific command. ### Syntax @@ -377,7 +380,7 @@ inspec help [COMMAND] ## habitat -Create Chef Habitat package +Create Chef Habitat package. ### Syntax @@ -389,7 +392,7 @@ inspec habitat SUBCOMMAND ## init -Scaffold a new project +Scaffold a new project. ### Syntax @@ -401,7 +404,7 @@ inspec init TEMPLATE ## json -Read all tests in path and generate a json summary +Read all tests in path and generate a json summary. ### Syntax 
@@ -413,22 +416,22 @@ inspec json PATH ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``--controls=one two three`` A list of controls to include. Ignore all other tests. * ``-o``, ``--output=OUTPUT`` - Save the created profile to a path + Save the created profile to a path. * ``--profiles-path=PROFILES_PATH`` Folder which contains referenced profiles. * ``--tags=one two three`` A list of tags that reference certain controls. Other controls are ignored. * ``--vendor-cache=VENDOR_CACHE`` - Use the given path for caching dependencies. (default: ~/.inspec/cache) + Use the given path for caching dependencies. (default: ~/.inspec/cache). ## nothing -Does nothing +Does nothing. ### Syntax @@ -440,7 +443,7 @@ inspec nothing ## plugin -Install and manage plugin +Install and manage plugin. ### Syntax @@ -464,7 +467,7 @@ inspec schema NAME ## shell -Open an interactive debugging shell +Open an interactive debugging shell. ### Syntax 
@@ -476,24 +479,24 @@ inspec shell ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``-b``, ``--backend=BACKEND`` Choose a backend: local, ssh, winrm, docker. * ``--bastion-host=BASTION_HOST`` - Specifies the bastion host if applicable + Specifies the bastion host if applicable. * ``--bastion-port=BASTION_PORT`` - Specifies the bastion port if applicable + Specifies the bastion port if applicable. * ``--bastion-user=BASTION_USER`` - Specifies the bastion user if applicable + Specifies the bastion user if applicable. * ``-c``, ``--command=COMMAND`` - A single command string to run instead of launching the shell + A single command string to run instead of launching the shell. * ``--command-timeout=SECONDS`` Maximum seconds to allow a command to run. * ``--config=CONFIG`` Read configuration from JSON file (`-` reads from stdin). * ``--depends=one two three`` - A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell + A space-delimited list of local folders containing profiles whose libraries and resources will be loaded into the new shell. * ``--distinct-exit``, ``--no-distinct-exit`` Exit with code 100 if any tests fail, and 101 if any are skipped but none failed (default). If disabled, exit 0 on skips and 1 for failures. * ``--docker-url`` @@ -503,7 +506,7 @@ This subcommand has additional options: * ``--host=HOST`` Specify a remote host which is tested. * ``--insecure``, ``--no-insecure`` - Disable SSL verification on select targets + Disable SSL verification on select targets. * ``--inspect``, ``--no-inspect`` Use verbose/debugging output for resources. * ``-i``, ``--key-files=one two three`` 
@@ -515,9 +518,9 @@ This subcommand has additional options: * ``-p``, ``--port=N`` Specify the login port for a remote scan. * ``--proxy-command=PROXY_COMMAND`` - Specifies the command to use to connect to the server + Specifies the command to use to connect to the server. * ``--reporter=one two:/output/file/path`` - Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit + Enable one or more output reporters: cli, documentation, html, progress, json, json-min, json-rspec, junit. * ``--self-signed``, ``--no-self-signed`` Allow remote scans with self-signed certificates (WinRM). * ``--shell``, ``--no-shell`` @@ -537,9 +540,9 @@ This subcommand has additional options: * ``--sudo-password=SUDO_PASSWORD`` Specify a sudo password, if it is required. * ``-t``, ``--target=TARGET`` - Simple targeting option using URIs, e.g. ssh://user:pass@host:port + Simple targeting option using URIs, e.g. ssh://user:pass@host:port. * ``--target-id=TARGET_ID`` - Provide a ID which will be included on reports + Provide a ID which will be included on reports. * ``--user=USER`` The login user for a remote scan. * ``--winrm-basic-auth-only``, ``--no-winrm-basic-auth-only`` @@ -551,7 +554,7 @@ This subcommand has additional options: ## supermarket -Supermarket commands +Supermarket commands. ### Syntax @@ -563,7 +566,7 @@ inspec supermarket SUBCOMMAND ... ## vendor -Download all dependencies and generate a lockfile in a `vendor` directory +Download all dependencies and generate a lockfile in a `vendor` directory. ### Syntax @@ -582,7 +585,7 @@ This subcommand has additional options: ## version -Prints the version of this tool +Prints the version of this tool. ### Syntax @@ -594,6 +597,6 @@ inspec version ### Options -This subcommand has additional options: +This subcommand has the following additional options: * ``--format=FORMAT`` From 3aaa402db754f75dd6279924c2f0b49a035eb690 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 8 Sep 2021 20:02:08 +0000 Subject: [PATCH 405/483] Update CHANGELOG.md with details from pull request #5655 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 140b35f87..1ce79b7e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## Unreleased + +#### Merged Pull Requests +- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) - + +### Changes since 4.41.20 release + +#### Merged Pull Requests +- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) From 11afb7dc7b4faeef5b6817c5d19beb5e5f52af59 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Fri, 10 Sep 2021 09:52:22 -0700 Subject: [PATCH 406/483] Fix branch name in docs makefile Signed-off-by: Ian Maddaus --- docs-chef-io/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/Makefile b/docs-chef-io/Makefile index f48b497f8..7f6fc5ef9 100644 --- a/docs-chef-io/Makefile +++ b/docs-chef-io/Makefile @@ -14,7 +14,7 @@ serve: chef_web_docs chef_web_docs: if [ -d "chef-web-docs/" ]; then \ - pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin master; rm -rf public && popd; \ + pushd chef-web-docs && git reset HEAD --hard; git clean -fd; git pull --ff-only origin main; rm -rf public && popd; \ else \ git clone https://github.com/chef/chef-web-docs.git; \ fi From 92d4e031dcbc14f19d4e414b9023b027484f0299 Mon Sep 17 00:00:00 2001 
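Review bot: The changed recipe line in `chef_web_docs` still chains its steps with `;` after `pushd chef-web-docs &&`, so if `pushd` fails, `git clean -fd`, `git pull --ff-only origin main` and `rm -rf public` run in the calling directory instead of the docs checkout. `pushd` is a bash builtin and make runs recipes with `/bin/sh` unless `SHELL` is set; the rest of the Makefile is outside the hunk, so confirm whether it is overridden there. A failed `git pull --ff-only origin main` is also ignored, because the recipe's status comes from the final `popd`, so the docs build would continue on a stale checkout without an error. Chaining every step with `&&` in a subshell stops the recipe at the first failure: `(cd chef-web-docs && git reset --hard HEAD && git clean -fd && git pull --ff-only origin main && rm -rf public); \`.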
From: Chef Expeditor Date: Fri, 10 Sep 2021 17:39:01 +0000 Subject: [PATCH 407/483] Bump version to 4.41.21 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 6 ++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ce79b7e1..4b7e226a8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,10 @@ # Change Log - -## Unreleased + +## [v4.41.21](https://github.com/inspec/inspec/tree/v4.41.21) (2021-09-10) #### Merged Pull Requests +- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) - Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) @@ -11,6 +12,7 @@ ### Changes since 4.41.20 release #### Merged Pull Requests +- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) - Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 91f803fc3..ead910073 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.20 \ No newline at end of file +4.41.21 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8efb12c05..88918138c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.20".freeze + VERSION = "4.41.21".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 71e706b04..6fef97dba 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.20".freeze + VERSION = "4.41.21".freeze end From 910a674ad66a59e6b9dac915921b32aca2fdaafd Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Fri, 10 Sep 2021 17:45:38 +0000 Subject: [PATCH 408/483] Bump version to 4.41.22 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 8 ++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b7e226a8..3016622e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,17 +1,17 @@ # Change Log - -## [v4.41.21](https://github.com/inspec/inspec/tree/v4.41.21) (2021-09-10) + +## [v4.41.22](https://github.com/inspec/inspec/tree/v4.41.22) (2021-09-10) #### Merged Pull Requests -- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) -- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) +- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) ### Changes since 4.41.20 release #### Merged Pull Requests +- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) - Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) - Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index ead910073..de5bd063c 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.21 \ No newline at end of file +4.41.22 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 88918138c..67e0eeb29 100644 --- a/inspec-bin/lib/inspec-bin/version.rb 
+++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.21".freeze + VERSION = "4.41.22".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6fef97dba..721200bfe 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.21".freeze + VERSION = "4.41.22".freeze end From f8684727830d84334e314e4b7176318c9a913531 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 13 Sep 2021 12:30:40 +0530 Subject: [PATCH 409/483] Doc review changes for cli commands Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/cli.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs-chef-io/content/inspec/cli.md b/docs-chef-io/content/inspec/cli.md index e9217509e..a2cd67f45 100644 --- a/docs-chef-io/content/inspec/cli.md +++ b/docs-chef-io/content/inspec/cli.md @@ -366,6 +366,18 @@ This subcommand has the following additional options: * ``--winrm-transport=WINRM_TRANSPORT`` Specify which transport to use, defaults to negotiate (WinRM). +## habitat + +Create a Chef Habitat package. + +### Syntax + +This subcommand has the following syntax: + +```bash +inspec habitat SUBCOMMAND +``` + ## help Describe available commands or one specific command. @@ -378,18 +390,6 @@ This subcommand has the following syntax: inspec help [COMMAND] ``` -## habitat - -Create Chef Habitat package. - -### Syntax - -This subcommand has the following syntax: - -```bash -inspec habitat SUBCOMMAND -``` - ## init Scaffold a new project. @@ -443,7 +443,7 @@ inspec nothing ## plugin -Install and manage plugin. +Install and manage [Chef InSpec plugins](/inspec/plugins/). ### Syntax From 2472280feb84ea8fe8ebf6dc9fe11b451bcea494 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 13 Sep 2021 18:12:33 +0000 Subject: [PATCH 410/483] Bump version to 4.41.23 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3016622e4..40c9faf8c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.41.22](https://github.com/inspec/inspec/tree/v4.41.22) (2021-09-10) + +## [v4.41.23](https://github.com/inspec/inspec/tree/v4.41.23) (2021-09-13) #### Merged Pull Requests -- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) +- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.20 release #### Merged Pull Requests +- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) - Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) - Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) - Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index de5bd063c..07b42cc7e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.22 \ No newline at end of file +4.41.23 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 67e0eeb29..760fb6c75 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.22".freeze + VERSION = "4.41.23".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 721200bfe..f699ed1da 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.22".freeze + VERSION = "4.41.23".freeze end From baa7b59916d304ef302f2ad9c67f7f10c085a74a Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 18:18:59 +0000 Subject: [PATCH 411/483] Bump version to 4.42.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40c9faf8c..8ccc8f9c2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,16 +1,17 @@ # Change Log - -## [v4.41.23](https://github.com/inspec/inspec/tree/v4.41.23) (2021-09-13) + +## [v4.42.0](https://github.com/inspec/inspec/tree/v4.42.0) (2021-09-13) #### Merged Pull Requests -- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) +- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.20 release #### Merged Pull Requests +- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) - Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) - Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) - Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 07b42cc7e..7a352792d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.41.23 \ No newline at end of file +4.42.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 760fb6c75..4c68eb790 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.41.23".freeze + VERSION = "4.42.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index f699ed1da..62693e92a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.41.23".freeze + VERSION = "4.42.0".freeze end From 7d30fa8f243d230380930ca79aceb42791aadf3f Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 13 Sep 2021 18:24:40 +0000 Subject: [PATCH 412/483] Bump version to 4.43.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ccc8f9c2..b51f65759 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.42.0](https://github.com/inspec/inspec/tree/v4.42.0) (2021-09-13) + +## [v4.43.0](https://github.com/inspec/inspec/tree/v4.43.0) (2021-09-13) -#### Merged Pull Requests -- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) +#### New Features +- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) ### Changes since 4.41.20 release +#### New Features +- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) + #### Merged Pull Requests - Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) - Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 7a352792d..9ae734164 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.42.0 \ No newline at end of file +4.43.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 4c68eb790..e37b1e73b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.42.0".freeze + VERSION = "4.43.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 62693e92a..a48a93959 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.42.0".freeze + VERSION = "4.43.0".freeze end From 99a6d185a02fe5e38d7e5200130a955d9a36fd54 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 18:29:38 +0000 Subject: [PATCH 413/483] Bump version to 4.44.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b51f65759..686f9cbfd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.43.0](https://github.com/inspec/inspec/tree/v4.43.0) (2021-09-13) + +## [v4.44.0](https://github.com/inspec/inspec/tree/v4.44.0) (2021-09-13) #### New Features -- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.20 release #### New Features +- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests diff --git a/VERSION b/VERSION index 9ae734164..500911991 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.43.0 \ No newline at end of file +4.44.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e37b1e73b..30fd63168 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.43.0".freeze + VERSION = "4.44.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index a48a93959..549dbacd8 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.43.0".freeze + VERSION = "4.44.0".freeze end From 1e612376576d22d29ad3c61f3759aa26b277e7d7 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 18:36:28 +0000 Subject: [PATCH 414/483] Bump version to 4.45.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 686f9cbfd..c1f8c10d6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.44.0](https://github.com/inspec/inspec/tree/v4.44.0) (2021-09-13) + +## [v4.45.0](https://github.com/inspec/inspec/tree/v4.45.0) (2021-09-13) -#### New Features -- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) +#### Merged Pull Requests +- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) 
@@ -15,6 +15,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) - Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) - Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) - Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 500911991..901e96e75 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.44.0 \ No newline at end of file +4.45.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 30fd63168..21c217db3 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.44.0".freeze + VERSION = "4.45.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 549dbacd8..1b84eeafa 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.44.0".freeze + VERSION = "4.45.0".freeze end From f49a2bcfd9a85f29d95ae9fcef9fbd8472043dab Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 13 Sep 2021 18:41:11 +0000 Subject: [PATCH 415/483] Bump version to 4.46.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c1f8c10d6..21b252b52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.45.0](https://github.com/inspec/inspec/tree/v4.45.0) (2021-09-13) + +## [v4.46.0](https://github.com/inspec/inspec/tree/v4.46.0) (2021-09-13) -#### Merged Pull Requests -- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) +#### New Features +- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese)) ### Changes since 4.41.20 release #### New Features +- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese)) - Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) diff --git a/VERSION b/VERSION index 901e96e75..785854ec7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.45.0 \ No newline at end of file +4.46.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 21c217db3..07e8bb3ef 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.45.0".freeze + VERSION = "4.46.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 1b84eeafa..231d9a1e3 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.45.0".freeze + VERSION = "4.46.0".freeze end From d84f4e746edaac20c5263f1e216e363db49e027f Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 18:51:49 +0000 Subject: [PATCH 416/483] Bump version to 4.46.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21b252b52..3c690772b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.0](https://github.com/inspec/inspec/tree/v4.46.0) (2021-09-13) + +## [v4.46.1](https://github.com/inspec/inspec/tree/v4.46.1) (2021-09-13) -#### New Features -- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese)) +#### Merged Pull Requests +- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) 
@@ -16,6 +16,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) - Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) - Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) - Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index 785854ec7..81dcc1e3f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.0 \ No newline at end of file +4.46.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 07e8bb3ef..e690fe498 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.0".freeze + VERSION = "4.46.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 231d9a1e3..6e776f5d9 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.0".freeze + VERSION = "4.46.1".freeze end From a350803137e466e255f3f85d1726da6e43754ca5 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Mon, 13 Sep 2021 18:56:45 +0000 Subject: [PATCH 417/483] Bump version to 4.46.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c690772b..164c30002 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.1](https://github.com/inspec/inspec/tree/v4.46.1) (2021-09-13) + +## [v4.46.2](https://github.com/inspec/inspec/tree/v4.46.2) (2021-09-13) #### Merged Pull Requests -- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) +- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) @@ -16,6 +16,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) - Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) - Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) - Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 81dcc1e3f..d051bbf5e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.1 \ No newline at end of file +4.46.2 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index e690fe498..d24d1a286 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.1".freeze + VERSION = "4.46.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6e776f5d9..606e8cb13 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.1".freeze + VERSION = "4.46.2".freeze end From c6150f24cba0667d8162e6229244ea71bc66a046 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 18:59:33 +0000 Subject: [PATCH 418/483] Bump version to 4.46.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 164c30002..3fec21943 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.2](https://github.com/inspec/inspec/tree/v4.46.2) (2021-09-13) + +## [v4.46.3](https://github.com/inspec/inspec/tree/v4.46.3) (2021-09-13) #### Merged Pull Requests -- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) +- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) 
@@ -16,6 +16,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) - Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) - Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) - Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index d051bbf5e..34bb5bc2b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.2 \ No newline at end of file +4.46.3 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d24d1a286..9b769e71b 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.2".freeze + VERSION = "4.46.3".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 606e8cb13..579097c69 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.2".freeze + VERSION = "4.46.3".freeze end From 19a549096f0a0c342b9227fae3997a83134a58f4 Mon Sep 17 00:00:00 2001 From: Ian Maddaus Date: Mon, 13 Sep 2021 15:53:02 -0700 Subject: [PATCH 419/483] Minor docs fixes. Signed-off-by: Ian Maddaus --- .../content/inspec/resources/chrony_conf.md | 27 ------------------- .../resources/google_project_alert_policy.md | 20 +++++++------- 2 files changed, 10 insertions(+), 37 deletions(-) 
diff --git a/docs-chef-io/content/inspec/resources/chrony_conf.md b/docs-chef-io/content/inspec/resources/chrony_conf.md index 7857cdbba..5b929da11 100644 --- a/docs-chef-io/content/inspec/resources/chrony_conf.md +++ b/docs-chef-io/content/inspec/resources/chrony_conf.md @@ -46,7 +46,6 @@ The following examples show how to use this Chef InSpec audit resource. This resource matches any service listed in the `chrony.conf` file. -<<<<<<< HEAD ### Test for clock drift against named servers ```ruby @@ -71,32 +70,6 @@ describe chrony_conf do end ``` -======= -### Test for clock drift against named servers. - -```ruby -describe chrony_conf do - its('driftfile') { should cmp '/var/lib/chrony/drift' } - its('server') do - should cmp [ - '0.ubuntu.pool.ntp.org', - '1.ubuntu.pool.ntp.org', - '2.ubuntu.pool.ntp.org' - ] - end -end -``` - -### Test that an NTP server exists and a specific subnet is specified from which NTP clients are allowed access. - -```ruby -describe chrony_conf do - its('server') { should_not eq nil } - its('allow') { should include '192.168.0.0/16'} -end -``` - ->>>>>>> daa9d77766c9283c2e0fd84dedc65263f2df2907 ## Matchers For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md index 104db64d8..58aa6bf9c 100644 --- a/docs-chef-io/content/inspec/resources/google_project_alert_policy.md +++ b/docs-chef-io/content/inspec/resources/google_project_alert_policy.md 
@@ -32,15 +32,15 @@ end ### Test that a GCP alert policy is enabled -describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do - it { should be_enabled } -end + describe google_project_alert_policy(policy: 'spaterson', name: '9271751234503117449') do + it { should be_enabled } + end ### Test that a GCP compute alert policy display name is correct -describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do - its('display_name') { should eq 'policy name' } -end + describe google_project_alert_policy(policy: 'spaterson-project', name: '9271751234503117449') do + its('display_name') { should eq 'policy name' } + end ## Properties @@ -55,11 +55,11 @@ Properties that can be accessed from the `google_project_alert_policy` resource: `combiner` : How to combine the results of multiple conditions to determine if an incident should be opened. -Possible values: + Possible values: -- AND -- OR -- AND_WITH_MATCHING_RESOURCE + - AND + - OR + - AND_WITH_MATCHING_RESOURCE `creation_record` : A read-only record of the creation of the alerting policy. If provided in a call to create or update, this field will be ignored. From f09d49da6672aa020f93079daf7e73b48aa48624 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Mon, 13 Sep 2021 23:14:10 +0000 Subject: [PATCH 420/483] Bump version to 4.46.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fec21943..9f1bc817e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.46.3](https://github.com/inspec/inspec/tree/v4.46.3) (2021-09-13) + +## [v4.46.4](https://github.com/inspec/inspec/tree/v4.46.4) (2021-09-13) #### Merged Pull Requests -- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) +- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) @@ -16,6 +16,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) - Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) - Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) - Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 34bb5bc2b..477009201 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.3 \ No newline at end of file +4.46.4 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 9b769e71b..1fed4b85c 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.3".freeze + VERSION = "4.46.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 579097c69..f46b0662d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.3".freeze + VERSION = "4.46.4".freeze end 
From a43f646c14e673359e780469af8fa60051d2ac09 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 14 Sep 2021 14:03:36 +0530 Subject: [PATCH 421/483] Code review changes - Improvisation on setting conf value of control eval context from dsl Signed-off-by: Nikita Mathur --- lib/inspec/control_eval_context.rb | 1 + lib/inspec/dsl.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 678873fae..83acf639b 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -18,6 +18,7 @@ module Inspec attr_accessor :skip_file attr_accessor :profile_context attr_accessor :resources_dsl + attr_accessor :conf def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval) @profile_context = profile_context diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index 8e53dfbd5..c57f57091 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb @@ -104,7 +104,7 @@ module Inspec::DSL mock = Inspec::Backend.create(Inspec::Config.mock) include_ctx = Inspec::ProfileContext.for_profile(profile, mock) include_ctx.load(block) if block_given? - include_ctx.control_eval_context.instance_variable_set(:@conf, opts[:conf]) + include_ctx.control_eval_context.conf = opts[:conf] control_eval_ctx = include_ctx.control_eval_context # remove all rules that were not registered context.all_rules.each do |r| From bdde8ffc3b3720adc696e054d5b35889f3171465 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 16 Sep 2021 13:06:05 +0530 Subject: [PATCH 422/483] Add optional parameter to establish socket based connection with postgres Signed-off-by: Nikita Mathur --- .../inspec/resources/postgres_session.md | 9 ++++++--- lib/inspec/resources/postgres_session.rb | 19 +++++++++++++++---- test/unit/resources/postgres_session_test.rb | 5 +++++ 3 files changed, 26 insertions(+), 7 deletions(-) 
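Review bot: The new `attr_accessor :conf` in control_eval_context.rb adds a public reader as well as a writer, but the only use visible in this patch is the assignment `include_ctx.control_eval_context.conf = opts[:conf]` in dsl.rb. If nothing else reads it, `attr_writer :conf` keeps the surface smaller; that matters if the configuration can hold target credentials and profile code is evaluated against this object (both inferred, not shown here). A one-line comment such as `# conf is replaced by Inspec::DSL when a profile is included` would also explain why a value already passed to `initialize` is overwritten afterwards. The class body and the dsl.rb method both continue outside the hunks.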
diff --git a/docs-chef-io/content/inspec/resources/postgres_session.md b/docs-chef-io/content/inspec/resources/postgres_session.md index eeadd9702..7aeff7a1f 100644 --- a/docs-chef-io/content/inspec/resources/postgres_session.md +++ b/docs-chef-io/content/inspec/resources/postgres_session.md @@ -28,24 +28,27 @@ This resource first became available in v1.0.0 of InSpec. A `postgres_session` resource block declares the username and password to use for the session, and then the command to be run: # Create a PostgreSQL session: - sql = postgres_session('username', 'password', 'host', 'port') + sql = postgres_session('username', 'password', 'host', 'port', 'socketpath') # default values: # username: 'postgres' # host: 'localhost' # port: 5432 + # socketpath (optional): nil # Run an SQL query with an optional database to execute sql.query('sql_query', ['database_name'])` A full example is: - sql = postgres_session('username', 'password', 'host', 'port') + sql = postgres_session('username', 'password', 'host', 'port', 'socketpath') describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do its('output') { should eq '' } end -where `its('output') { should eq '' }` compares the results of the query against the expected result in the test +where + - `its('output') { should eq '' }` compares the results of the query against the expected result in the test + - `socketpath` is an optional parameter. It can be used to establish socket connection with postgres by specifying one of the postgres unix domain sockets path. Only supported for unix based platforms. ## Examples diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 37b8e3242..c88d2ce6f 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb 
@@ -40,11 +40,12 @@ module Inspec::Resources end EXAMPLE - def initialize(user, pass, host = nil, port = nil) + def initialize(user, pass, host = nil, port = nil, socket_path = nil) @user = user || "postgres" @pass = pass @host = host || "localhost" @port = port || 5432 + @socket_path = socket_path raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? end @@ -69,10 +70,20 @@ module Inspec::Resources def create_psql_cmd(query, db = []) dbs = db.map { |x| "#{x}" }.join(" ") - if inspec.os.windows? - "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\"" + + if @socket_path && !inspec.os.windows? + # Socket path and empty host in the connection string establishes socket connection + # Socket connection only enabled for non-windows platforms + # Windows does not support unix domain sockets + "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}" else - "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}" + # Host in connection string establishes tcp/ip connection + if inspec.os.windows? + warn "Socket based connection not supported in windows, connecting using host" if @socket_path + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\"" + else + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}" + end end end end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index bcf69ad2f..7595afea3 100644 --- a/test/unit/resources/postgres_session_test.rb +++ b/test/unit/resources/postgres_session_test.rb 
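Review bot: In the new socket branch of `create_psql_cmd`, `@socket_path` is interpolated into the shell command unescaped, as are `@user` and `@pass`, while only the query goes through `escaped_query`. A path or password containing a space, `&`, `;` or `$` changes what the shell runs, and the bare `?` in the connection URI is itself a glob character. Passing the whole URI as one escaped shell word would close this, e.g. `uri = "postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path}"` followed by `"psql -d #{Shellwords.escape(uri)} -A -t -w -c #{escaped_query(query)}"`; this assumes `shellwords` is loaded in this file, which the hunk does not show, and the expected string in the new unit test would change with it. The password also stays visible in the process list because it is part of the command line; supplying it through the `PGPASSWORD` environment variable or a password file would avoid that.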
@@ -37,4 +37,9 @@ describe "Inspec::Resources::PostgresSession" do resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432) _(proc { resource.send(:query, "Select 5;", ["mydatabase"]) }).must_raise Inspec::Exceptions::ResourceFailed end + + it "verify postgres_session create_psql_cmd in socket connection" do + resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432, "/var/run/postgresql") + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@/testdb?host=/var/run/postgresql -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + end end From cc0d86a185d3e98575fbc24c34ee2f1e0d62cd77 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 16 Sep 2021 15:56:07 +0530 Subject: [PATCH 423/483] Add csv without headers support in csv resource Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/csv.md | 17 +++++++++++- lib/inspec/resources/csv.rb | 29 ++++++++++++++++++-- test/unit/resources/csv_test.rb | 21 +++++++++++++- 3 files changed, 62 insertions(+), 5 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/csv.md b/docs-chef-io/content/inspec/resources/csv.md index ec2cfc2ad..d4e23cf0b 100644 --- a/docs-chef-io/content/inspec/resources/csv.md +++ b/docs-chef-io/content/inspec/resources/csv.md 
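Review bot: The added test covers only the non-Windows socket branch, so the Windows fallback introduced by the same commit (`warn ... if @socket_path` followed by the host-based command) is untested. There is also no case for a socket path that needs shell quoting, for example one containing a space, which would pin down how `create_psql_cmd` treats that argument. The test passes `"127.0.0.1"` and `5432` alongside the socket path and asserts that they are dropped; a short comment such as `# host and port are ignored when socket_path is given` would make that intent explicit. The enclosing `describe` block starts outside the hunk.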
@@ -27,20 +27,35 @@ This resource first became available in v1.0.0 of InSpec. A `csv` resource block declares the configuration data to be tested: - describe csv('file') do + describe csv('file', true) do its('name') { should cmp 'foo' } end +Test ``csv`` without headers + + describe csv('file', false).params do + its([0]) { should cmp 'name' } + end + where - `'file'` is the path to a CSV file +- 'true' is the value for headers by default value is true. If set to false it consider csv file does not have headers, - `name` is a configuration setting in a CSV file - `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test +- `params` when headers are set to false use this method to fetch the data. +- `[0]` is the array element position. ## Examples The following examples show how to use this Chef InSpec audit resource. +### Test a csv file without headers + + describe csv('some_file.csv', false).params do + its([0]) { should eq ["name"] } + end + ### Test a CSV file describe csv('some_file.csv') do diff --git a/lib/inspec/resources/csv.rb b/lib/inspec/resources/csv.rb index 197e7ce0b..243e0d176 100644 --- a/lib/inspec/resources/csv.rb +++ b/lib/inspec/resources/csv.rb 
@@ -11,14 +11,28 @@ module Inspec::Resources describe csv('example.csv') do its('name') { should eq(['John', 'Alice']) } end + + describe csv('example.csv', false).params do + its[[0]] { should eq (['name', 'col1', 'col2']) } + emd EXAMPLE + def initialize(path, headers = true) + @headers = headers + super(path) + end + # override the parse method from JsonConfig # Assuming a header row of name,col1,col2, it will output an array of hashes like so: # [ # { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' }, # { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' } # ] + # When headers is set to false it will return data as array of array + # [ + # ['name', col1', 'col2'], + # ['row2', 'value3', 'value4'] + # ] def parse(content) require "csv" unless defined?(CSV) @@ -28,10 +42,14 @@ module Inspec::Resources end # implicit conversion of values - csv = CSV.new(content, headers: true, converters: %i{all blank_to_nil}) + csv = CSV.new(content, headers: @headers, converters: %i{all blank_to_nil}) # convert to hash - csv.to_a.map(&:to_hash) + if @headers + csv.to_a.map(&:to_hash) + else + csv.to_a + end rescue => e raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}" end @@ -42,7 +60,12 @@ module Inspec::Resources # #value method from JsonConfig (which uses ObjectTraverser.extract_value) # doesn't make sense here. def value(key) - @params.map { |x| x[key.first.to_s] }.compact + if @headers + @params.map { |x| x[key.first.to_s] }.compact + else + # when headers is set to false send the array as it is. + @params + end end private diff --git a/test/unit/resources/csv_test.rb b/test/unit/resources/csv_test.rb index 92970ec58..3172c58a0 100644 --- a/test/unit/resources/csv_test.rb +++ b/test/unit/resources/csv_test.rb 
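Review bot: The example added to the `EXAMPLE` heredoc is not valid InSpec: `its[[0]] { ... }` should be a call, `its([0]) { should eq(['name', 'col1', 'col2']) }`, and the closing keyword is misspelled `emd` instead of `end`. This heredoc is the resource's built-in usage example, so it should match the form used in `docs-chef-io/content/inspec/resources/csv.md` from the same commit. The new comment describing the headerless output also has an unbalanced quote in `['name', col1', 'col2']`.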
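Review bot: In `value`, the headerless branch returns `@params` unchanged and ignores `key`, so `its([0])` called on the resource itself yields every row rather than row 0; only `csv(path, false).params` followed by `its([0])` behaves as the docs describe. If index lookup is intended, returning `@params[key.first]` when `key.first` is an Integer would make the two forms agree; otherwise the comment should state that `key` is ignored, e.g. `# key is ignored without headers; use #params and index into it`. Separately, `headers` is a positional boolean, so `csv('file', false)` is opaque at the call site; a keyword such as `headers: false` would read better, though the parent constructor is outside the hunk and may constrain this.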
@@ -3,7 +3,7 @@ require "inspec/resource" require "inspec/resources/csv" describe "Inspec::Resources::CSV" do - describe "when loading a valid csv" do + describe "when loading a valid csv using default header true" do let(:resource) { load_resource("csv", "example.csv") } let(:params) do {} @@ -33,4 +33,23 @@ describe "Inspec::Resources::CSV" do _(resource.value(["name"])).must_equal(%w{addressable ast astrolabe berkshelf}) end end + + describe "when loading a valid csv using default header false" do + let(:resource) { load_resource("csv", "example.csv", false) } + let(:params) do + {} + end + + it "captures an array of params" do + _(resource.params).must_be_kind_of Array + end + + it "gets all value lines" do + _(resource.params.length).must_equal 5 + end + + it "gets params by row" do + _(resource.params[0]).must_equal(%w{name version license title description}) + end + end end From 886426143ce7d2e3323a09cacc2b1409f12e5fc5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 16 Sep 2021 16:12:14 +0530 Subject: [PATCH 424/483] Minor doc changes Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/csv.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/csv.md b/docs-chef-io/content/inspec/resources/csv.md index d4e23cf0b..06af12977 100644 --- a/docs-chef-io/content/inspec/resources/csv.md +++ b/docs-chef-io/content/inspec/resources/csv.md @@ -40,7 +40,7 @@ Test ``csv`` without headers where - `'file'` is the path to a CSV file -- 'true' is the value for headers by default value is true. If set to false it consider csv file does not have headers, +- 'true' is the value for headers. Default `true`. If `false` then it considers csv does not have headers. - `name` is a configuration setting in a CSV file - `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test - `params` when headers are set to false use this method to fetch the data. 
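Review bot: The new `describe` block is titled "using default header false", but `false` is the non-default value passed explicitly in `load_resource("csv", "example.csv", false)`; "with headers disabled" would describe it accurately. The block checks only `resource.params`, so the changed `value` method has no coverage in headerless mode; a case such as `_(resource.value([0])).must_equal(resource.params)` would record the current behaviour, or fail usefully if index lookup is added later. The `let(:params)` definition in the new block is not referenced by any of its three tests.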
From 450ab79064fa03d090410769a3347afca08e5cba Mon Sep 17 00:00:00 2001 From: Dan Webb Date: Mon, 20 Sep 2021 14:18:31 +0100 Subject: [PATCH 425/483] Change the deprecation warning to mention inputs Attributes are now referred to as Inputs Signed-off-by: Dan Webb --- etc/deprecations.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/deprecations.json b/etc/deprecations.json index f062e40af..0921e5e72 100644 --- a/etc/deprecations.json +++ b/etc/deprecations.json @@ -4,7 +4,7 @@ "groups": { "attrs_value_replaces_default": { "action": "warn", - "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead." + "prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead." }, "attrs_dsl": { "action": "ignore", From fb2319f49911dacbbb6120e008be5cb9936d6566 Mon Sep 17 00:00:00 2001 From: kagarmoe Date: Mon, 20 Sep 2021 11:12:29 -0700 Subject: [PATCH 426/483] Fix main in expeditor script Signed-off-by: kagarmoe --- .expeditor/buildkite/artifact.habitat.test.sh | 2 +- .expeditor/update_dockerfile.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.expeditor/buildkite/artifact.habitat.test.sh b/.expeditor/buildkite/artifact.habitat.test.sh index 49a1b83be..b930a4224 100755 --- a/.expeditor/buildkite/artifact.habitat.test.sh +++ b/.expeditor/buildkite/artifact.habitat.test.sh @@ -16,7 +16,7 @@ uname -a echo "--- Installing Habitat" id -a -curl https://raw.githubusercontent.com/habitat-sh/habitat/master/components/hab/install.sh | bash +curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash echo "--- Generating fake origin key" diff --git a/.expeditor/update_dockerfile.sh b/.expeditor/update_dockerfile.sh index fc137ec49..68b46d6a2 100755 --- a/.expeditor/update_dockerfile.sh +++ b/.expeditor/update_dockerfile.sh 
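Review bot: The updated line in `.expeditor/buildkite/artifact.habitat.test.sh` still pipes a script fetched from a moving branch straight into the shell: `curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash`. Whatever is on `main` at build time runs in the CI job, and without `-f` an HTTP error body would be handed to `bash` as well. Pinning the URL to a reviewed commit and failing on download errors would make the step reproducible, e.g. `curl -fsSL https://raw.githubusercontent.com/habitat-sh/habitat/<PINNED_COMMIT_SHA>/components/hab/install.sh -o install.sh`, followed by a checksum comparison before `bash install.sh`. The rest of the script is outside the hunk.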
@@ -3,7 +3,7 @@ # This file updates the default VERSION build argument in the Dockerfile to the # VERSION passed in to the file via environment variables. # -# This ensures the Dockerfile in inspec master will list the version of the latest +# This ensures the Dockerfile in inspec main will list the version of the latest # stable release for any community member who wishes to build their own container # from scratch. # From b8677ac51f231ae9580d1b7f3278582c53d35b91 Mon Sep 17 00:00:00 2001 From: sspans-sbp <84081351+sspans-sbp@users.noreply.github.com> Date: Thu, 22 Jul 2021 13:38:53 +0200 Subject: [PATCH 427/483] Add rocky and almalinux to service resource Signed-off-by: Sten Spans --- lib/inspec/resources/service.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/inspec/resources/service.rb b/lib/inspec/resources/service.rb index 9edf7ee67..1e7f15f25 100644 --- a/lib/inspec/resources/service.rb +++ b/lib/inspec/resources/service.rb @@ -141,7 +141,7 @@ module Inspec::Resources elsif version > 0 SysV.new(inspec, service_ctl || "/usr/sbin/service") end - when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific" + when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific", "rocky", "almalinux" version = os[:release].to_i systemd = ((platform != "fedora" && version >= 7) || From 63e7eb53953baa956a0025e491b2f31cba06e149 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 22 Sep 2021 16:23:12 +0530 Subject: [PATCH 428/483] Fix opa_api and opa_cli resource to handle empty result Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 7 +++++++ docs-chef-io/content/inspec/resources/opa_cli.md | 7 +++++++ lib/inspec/resources/opa.rb | 4 ++++ test/helpers/mock_loader.rb | 2 ++ test/unit/resources/opa_api_test.rb | 6 ++++++ test/unit/resources/opa_cli_test.rb | 6 ++++++ 6 files changed, 32 insertions(+) 
diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index 97d0192dc..e781d5f2d 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -50,6 +50,7 @@ An OPA query as a JSON data file or a string in JSON format. The following examples show how to use this Chef InSpec audit resource. describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do + its["result"] { shoule_not be nil } its(["result"]) { should eq true } its("allow") { should eq "true" } end @@ -62,6 +63,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index ee1bebdc4..d1ba4dfd0 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -59,6 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do + its["result"] { shoule_not be nil } its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end 
@@ -71,6 +72,12 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ## Properties +### result + +The `result` property checks whether query output is nil. + + its('result') { should be nil } + ### allow The `allow` property checks if specific input is as per the policy defined in OPA. If `allow` is not defined in the policy file then this matcher will not work. diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index c8e4cfe34..a8cd0a979 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -12,6 +12,10 @@ module Inspec::Resources super({ content: @content }) end + def result + @content == {} || @content["result"].empty? ? nil : @content + end + private def parse(content) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index dc52ae331..61e882ddf 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -586,7 +586,9 @@ class MockLoader "semanage boolean -l -n" => cmd.call("semanage-boolean"), "Get-ChildItem -Path \"C:\\Program Files\\MongoDB\\Server\" -Name" => cmd.call("mongodb-version"), "opa eval -i 'input.json' -d 'example.rego' 'data.example.allow'" => cmd.call("opa-result"), + "opa eval -i 'input.json' -d 'example.rego' 'data.example.voilation'" => cmd.call("opa-empty-result"), "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input.json -H 'Content-Type: application/json'" => cmd.call("opa-api-result"), + "curl -X POST localhost:8181/v1/data/example/violation -d @v1-data-input1.json -H 'Content-Type: application/json'" => cmd.call("opa-api-empty-result"), # ibmdb2 "/opt/ibm/db2/V11.5/bin/db2 attach to db2inst1; /opt/ibm/db2/V11.5/bin/db2 get database manager configuration" => cmd.call("ibmdb2_conf_output"), diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index f404e8876..fd10460dd 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb 
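Review bot: In `lib/inspec/resources/opa.rb`, `result` calls `@content["result"].empty?` without checking what the value is, so a non-empty response with no `result` key raises NoMethodError on nil. The same happens for a boolean result such as the `true` that the opa_api docs example in this commit expects from `its(["result"])`. The method also returns the whole `@content` rather than the `result` value, which the property name does not suggest and which should at least be stated in a comment. A guarded version is below; it keeps the current return value and assumes `@content` is the parsed Hash, which `parse` (outside this hunk) would have to confirm.

```ruby
def result
  # nil for an empty document, a missing "result" key, or an empty collection
  value = @content["result"] if @content.is_a?(Hash)
  return nil if value.nil? || (value.respond_to?(:empty?) && value.empty?)

  @content
end
```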
@@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaApi" do _(resource.params["result"]).must_include "ci" end + it "verify opa api query result parsing when output is empty" do + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") + _(resource.result).must_be_nil + _(resource.params["result"]).must_equal([]) + end + it "fails when url or data is nil." do resource = load_resource("opa_api") _(resource.resource_failed?).must_equal true diff --git a/test/unit/resources/opa_cli_test.rb b/test/unit/resources/opa_cli_test.rb index 7d7df9f33..d22a7fdef 100644 --- a/test/unit/resources/opa_cli_test.rb +++ b/test/unit/resources/opa_cli_test.rb @@ -9,6 +9,12 @@ describe "Inspec::Resources::OpaCli" do _(resource.allow).must_equal false end + it "verify opa eval query result parsing when output is empty" do + resource = load_resource("opa_cli", policy: "example.rego", data: "input.json", query: "data.example.voilation") + _(resource.result).must_be_nil + _(resource.params).must_equal({}) + end + it "fails when policy, data or query is nil." do resource = load_resource("opa_cli") _(resource.resource_failed?).must_equal true From 2b9bef28cb93d6ef6100ec01aae0418057782db5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 22 Sep 2021 16:27:15 +0530 Subject: [PATCH 429/483] test fixturs files for opa_api and opa_cli resource Signed-off-by: Vasu1105 --- test/fixtures/cmd/opa-api-empty-result | 1 + test/fixtures/cmd/opa-empty-result | 1 + 2 files changed, 2 insertions(+) create mode 100644 test/fixtures/cmd/opa-api-empty-result create mode 100644 test/fixtures/cmd/opa-empty-result diff --git a/test/fixtures/cmd/opa-api-empty-result b/test/fixtures/cmd/opa-api-empty-result new file mode 100644 index 000000000..ec1b73f97 --- /dev/null +++ b/test/fixtures/cmd/opa-api-empty-result @@ -0,0 +1 @@ +{"result": []} 
diff --git a/test/fixtures/cmd/opa-empty-result b/test/fixtures/cmd/opa-empty-result new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/test/fixtures/cmd/opa-empty-result @@ -0,0 +1 @@ +{} From 2c7b72b1bac9dd594cb161adef80a1e4da2ae90b Mon Sep 17 00:00:00 2001 From: Tom Duffield Date: Wed, 22 Sep 2021 09:12:13 -0500 Subject: [PATCH 430/483] Specify promotion actions in .expeditor/config.yml Signed-off-by: Tom Duffield --- .expeditor/config.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.expeditor/config.yml b/.expeditor/config.yml index 9bd9c2bf9..8438d5b05 100644 --- a/.expeditor/config.yml +++ b/.expeditor/config.yml @@ -151,6 +151,9 @@ subscriptions: actions: - built_in:promote_docker_images - built_in:promote_habitat_packages + - workload: project_promoted:{{agent_id}}:* + actions: + - built_in:promote_artifactory_artifact - workload: artifact_published:stable:inspec:{{version_constraint}} actions: - bash:.expeditor/update_dockerfile.sh From 5b7f023368cc8baea79409ec18aa3b9681f932a8 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 22 Sep 2021 14:16:35 +0000 Subject: [PATCH 431/483] Bump version to 4.46.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9f1bc817e..68765a22e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.46.4](https://github.com/inspec/inspec/tree/v4.46.4) (2021-09-13) + +## [v4.46.5](https://github.com/inspec/inspec/tree/v4.46.5) (2021-09-22) #### Merged Pull Requests -- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) +- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) @@ -16,6 +16,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) - Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) - Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) - Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) diff --git a/VERSION b/VERSION index 477009201..a7079aed9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.4 \ No newline at end of file +4.46.5 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 1fed4b85c..73bee0306 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.4".freeze + VERSION = "4.46.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index f46b0662d..4c518ec04 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.4".freeze + VERSION = "4.46.5".freeze end From 079de2a49a76d8d4675f00729c66e4c221650b64 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 22 Sep 2021 14:34:24 +0000 Subject: [PATCH 432/483] Bump version to 4.46.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68765a22e..987eabb22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.46.5](https://github.com/inspec/inspec/tree/v4.46.5) (2021-09-22) + +## [v4.46.6](https://github.com/inspec/inspec/tree/v4.46.6) (2021-09-22) -#### Merged Pull Requests -- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) +#### Bug Fixes +- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) ### Changes since 4.41.20 release +#### Bug Fixes +- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) + #### New Features - adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese)) - Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index a7079aed9..f00675faa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.5 \ No newline at end of file +4.46.6 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 73bee0306..230863c31 100644 --- a/inspec-bin/lib/inspec-bin/version.rb 
+++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.5".freeze + VERSION = "4.46.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 4c518ec04..bb65acd0a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.5".freeze + VERSION = "4.46.6".freeze end From 28ad8ed4d001f64d7a4b774038785a3bc877d896 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 22 Sep 2021 16:04:53 +0000 Subject: [PATCH 433/483] Bump version to 4.46.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 987eabb22..9fb894a30 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.6](https://github.com/inspec/inspec/tree/v4.46.6) (2021-09-22) + +## [v4.46.7](https://github.com/inspec/inspec/tree/v4.46.7) (2021-09-22) -#### Bug Fixes -- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) +#### Merged Pull Requests +- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) 
@@ -19,6 +19,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) - Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) - Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) - Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index f00675faa..1585acb6b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.6 \ No newline at end of file +4.46.7 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 230863c31..d7da0a87f 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.6".freeze + VERSION = "4.46.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index bb65acd0a..4dbbe6115 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.6".freeze + VERSION = "4.46.7".freeze end From bfd59c1b14d9d593de7dc2ed9ccc8255caf553e5 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 23 Sep 2021 15:19:09 +0530 Subject: [PATCH 434/483] Fixed docs review comments Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/opa_api.md | 4 ++-- docs-chef-io/content/inspec/resources/opa_cli.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/docs-chef-io/content/inspec/resources/opa_api.md b/docs-chef-io/content/inspec/resources/opa_api.md index e781d5f2d..7728d936c 100644 --- a/docs-chef-io/content/inspec/resources/opa_api.md +++ b/docs-chef-io/content/inspec/resources/opa_api.md @@ -50,7 +50,7 @@ An OPA query as a JSON data file or a string in JSON format. The following examples show how to use this Chef InSpec audit resource. describe opa_api(url: "localhost:8181/v1/data/example/allow", data: "input.json") do - its["result"] { shoule_not be nil } + its("result") { shoule_not be nil } its(["result"]) { should eq true } its("allow") { should eq "true" } end @@ -65,7 +65,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### result -The `result` property checks whether query output is nil. +The `result` property checks whether the resource query returns an empty result. its('result') { should be nil } diff --git a/docs-chef-io/content/inspec/resources/opa_cli.md b/docs-chef-io/content/inspec/resources/opa_cli.md index d1ba4dfd0..ac8e095d7 100644 --- a/docs-chef-io/content/inspec/resources/opa_cli.md +++ b/docs-chef-io/content/inspec/resources/opa_cli.md @@ -59,7 +59,7 @@ This is the full path to the OPA binary or EXE file used for running the OPA CLI The following examples show how to use this Chef InSpec audit resource: describe opa_cli(query: "data.example.allow", policy: "example.rego", data: "input.json", opa_executable_path: "./opa") do - its["result"] { shoule_not be nil } + its("result") { shoule_not be nil } its(["result", 0, "expressions", 0, "value"]) { should eq true } its("allow") { should eq "true" } end @@ -74,7 +74,7 @@ For a full list of available matchers, please visit our [matchers page](/inspec/ ### result -The `result` property checks whether query output is nil. +The `result` property checks whether the resource query returns an empty result. its('result') { should be nil } 
From 442ce711ca3b4651c2eda6a1bdc832d597ee34d7 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 23 Sep 2021 15:32:33 +0530 Subject: [PATCH 435/483] Fix docs review comments Signed-off-by: Vasu1105 --- docs-chef-io/content/inspec/resources/csv.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/csv.md b/docs-chef-io/content/inspec/resources/csv.md index 06af12977..d64a8eea4 100644 --- a/docs-chef-io/content/inspec/resources/csv.md +++ b/docs-chef-io/content/inspec/resources/csv.md @@ -31,7 +31,7 @@ A `csv` resource block declares the configuration data to be tested: its('name') { should cmp 'foo' } end -Test ``csv`` without headers +Test `csv` file without headers describe csv('file', false).params do its([0]) { should cmp 'name' } @@ -40,17 +40,17 @@ Test ``csv`` without headers where - `'file'` is the path to a CSV file -- 'true' is the value for headers. Default `true`. If `false` then it considers csv does not have headers. +- `true` or `false` tests a CSV file with or without headers. Default value: `true`. - `name` is a configuration setting in a CSV file - `should eq 'foo'` tests a value of `name` as read from a CSV file versus the value declared in the test -- `params` when headers are set to false use this method to fetch the data. +- `params` is the method for fetching data from a CSV file without headers. - `[0]` is the array element position. ## Examples The following examples show how to use this Chef InSpec audit resource. -### Test a csv file without headers +### Test a CSV file without headers describe csv('some_file.csv', false).params do its([0]) { should eq ["name"] } From c3587512b74a3b147a7dff02270ea1f7f9597e21 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Sat, 25 Sep 2021 20:14:43 -0700 Subject: [PATCH 436/483] Build packages for debian 11, macos 12, windows 11/2022 Get closer to the same platform suppport as infra client. 
Signed-off-by: Tim Smith --- .expeditor/release.omnibus.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.expeditor/release.omnibus.yml b/.expeditor/release.omnibus.yml index 8c3afffe5..24c027599 100644 --- a/.expeditor/release.omnibus.yml +++ b/.expeditor/release.omnibus.yml @@ -11,8 +11,10 @@ builder-to-testers-map: debian-9-x86_64: - debian-9-x86_64 - debian-10-x86_64 + - debian-11-x86_64 debian-10-aarch64: - debian-10-aarch64 + - debian-11-aarch64 el-6-x86_64: - el-6-x86_64 el-7-aarch64: @@ -29,8 +31,10 @@ builder-to-testers-map: - mac_os_x-10.14-x86_64 - mac_os_x-10.15-x86_64 - mac_os_x-11-x86_64 + - mac_os_x-12-x86_64 mac_os_x-11-arm64: - mac_os_x-11-arm64 + - mac_os_x-12-arm64 sles-12-x86_64: - sles-12-x86_64 - sles-15-x86_64 @@ -47,5 +51,7 @@ builder-to-testers-map: - windows-2012r2-x86_64 - windows-2016-x86_64 - windows-2019-x86_64 + - windows-2022-x86_64 - windows-8-x86_64 - windows-10-x86_64 + - windows-11-x86_64 From 34ed3d1cb70dc5c1514d1d724194aeda1196d22c Mon Sep 17 00:00:00 2001 From: Pradeep Bhadani Date: Sun, 26 Sep 2021 22:32:15 +0100 Subject: [PATCH 437/483] Update GCS Storage class list Signed-off-by: Pradeep Bhadani --- .../content/inspec/resources/google_storage_bucket.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/google_storage_bucket.md b/docs-chef-io/content/inspec/resources/google_storage_bucket.md index ff6a2a4c7..18107edd2 100644 --- a/docs-chef-io/content/inspec/resources/google_storage_bucket.md +++ b/docs-chef-io/content/inspec/resources/google_storage_bucket.md @@ -180,7 +180,7 @@ Properties that can be accessed from the `google_storage_bucket` resource: `type` : Type of the action. Currently, only Delete and SetStorageClass are supported. - + Possible values: - Delete - SetStorageClass 
@@ -198,7 +198,7 @@ Properties that can be accessed from the `google_storage_bucket` resource: : Relevant only for versioned objects. If the value is true, this condition matches live objects; if the value is false, it matches archived objects. `matches_storage_class` - : Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, and DURABLE_REDUCED_AVAILABILITY. + : Objects having any of the storage classes specified by this condition will be matched. Values include MULTI_REGIONAL, REGIONAL, NEARLINE, COLDLINE, STANDARD, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. `num_newer_versions` : Relevant only for versioned objects. If the value is N, this condition is satisfied when there are at least N versions (including the live version) newer than this version of the object. @@ -234,7 +234,7 @@ Properties that can be accessed from the `google_storage_bucket` resource: : The project number of the project the bucket belongs to. `storage_class` -: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes. +: The bucket's default storage class, used whenever no storageClass is specified for a newly-created object. This defines how objects in the bucket are stored and determines the SLA and the cost of storage. Values include MULTI_REGIONAL, REGIONAL, STANDARD, NEARLINE, COLDLINE, ARCHIVE, and DURABLE_REDUCED_AVAILABILITY. If this value is not specified when the bucket is created, it will default to STANDARD. For more information, see storage classes. Possible values: 
@@ -243,6 +243,7 @@ Properties that can be accessed from the `google_storage_bucket` resource: - STANDARD - NEARLINE - COLDLINE + - ARCHIVE - DURABLE_REDUCED_AVAILABILITY From a49181bd2978adebe7191cb9cd6d94a86d2faf32 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 27 Sep 2021 15:10:37 +0530 Subject: [PATCH 438/483] Doc review changes on postgres session socket option Signed-off-by: Nikita Mathur --- docs-chef-io/content/inspec/resources/postgres_session.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/postgres_session.md b/docs-chef-io/content/inspec/resources/postgres_session.md index 7aeff7a1f..d38171815 100644 --- a/docs-chef-io/content/inspec/resources/postgres_session.md +++ b/docs-chef-io/content/inspec/resources/postgres_session.md @@ -48,7 +48,7 @@ A full example is: where - `its('output') { should eq '' }` compares the results of the query against the expected result in the test - - `socketpath` is an optional parameter. It can be used to establish socket connection with postgres by specifying one of the postgres unix domain sockets path. Only supported for unix based platforms. + - `socketpath` is an optional parameter. Use `socketpath` to establish a socket connection with Postgres by specifying one of the Postgres Unix domain socket paths. Only supported on Unix-based platforms. ## Examples From d51c55c0425d8fac7abdf5f0152e34c8dd0d2336 Mon Sep 17 00:00:00 2001 From: Dishank Tiwari Date: Mon, 27 Sep 2021 17:24:28 +0530 Subject: [PATCH 439/483] replaced /main/ from /master/ 
Signed-off-by: Dishank Tiwari --- docs-chef-io/README.md | 2 +- docs-chef-io/config.toml | 2 +- docs-chef-io/content/inspec/dsl_resource.md | 2 +- docs-chef-io/content/inspec/plugins.md | 4 ++-- docs-chef-io/content/inspec/profiles.md | 2 +- docs-chef-io/content/inspec/resources/aws_ecr_repository.md | 2 +- .../content/inspec/resources/aws_efs_file_system.md | 2 +- .../content/inspec/resources/aws_elasticache_cluster.md | 2 +- docs-chef-io/content/inspec/resources/aws_nat_gateway.md | 2 +- docs-chef-io/content/inspec/resources/aws_nat_gateways.md | 4 ++-- .../content/inspec/resources/aws_sns_subscription.md | 2 +- .../content/inspec/resources/azure_generic_resource.md | 2 +- .../content/inspec/resources/azure_resource_group.md | 2 +- .../content/inspec/resources/azure_virtual_machine.md | 2 +- .../inspec/resources/azure_virtual_machine_data_disk.md | 6 +++--- docs-chef-io/content/inspec/shell.md | 4 ++-- 16 files changed, 21 insertions(+), 21 deletions(-) diff --git a/docs-chef-io/README.md b/docs-chef-io/README.md index 26451ed35..bfc3bf6f5 100644 --- a/docs-chef-io/README.md +++ b/docs-chef-io/README.md @@ -20,7 +20,7 @@ the top of the page that you want to edit. The link takes you to that topic's Gi page. In GitHub, click on the pencil icon and make your changes. You can preview how they'll look right on the page ("Preview Changes" tab). -We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/master/CONTRIBUTING.md#developer-certification-of-origin-dco) +We also require contributors to include their [DCO signoff](https://github.com/chef/chef/blob/main/CONTRIBUTING.md#developer-certification-of-origin-dco) in the comment section of every pull request, except for obvious fixes. You can add your DCO signoff to the comments by including `Signed-off-by:`, followed by your name and email address, like this: diff --git a/docs-chef-io/config.toml b/docs-chef-io/config.toml index dfa095bd6..329053461 100644 
--- a/docs-chef-io/config.toml +++ b/docs-chef-io/config.toml @@ -1,2 +1,2 @@ [params.inspec] -gh_path = "https://github.com/inspec/inspec/tree/master/docs-chef-io/content/" +gh_path = "https://github.com/inspec/inspec/tree/main/docs-chef-io/content/" diff --git a/docs-chef-io/content/inspec/dsl_resource.md b/docs-chef-io/content/inspec/dsl_resource.md index 7eea4e502..73ae2413d 100644 --- a/docs-chef-io/content/inspec/dsl_resource.md +++ b/docs-chef-io/content/inspec/dsl_resource.md @@ -104,7 +104,7 @@ class ExampleConfig < Inspec.resource(1) end ``` -For a full example, see our [example resource](https://github.com/chef/inspec/blob/master/examples/profile/libraries/example_config.rb). +For a full example, see our [example resource](https://github.com/chef/inspec/blob/main/examples/profile/libraries/example_config.rb). ## Lazy Loading diff --git a/docs-chef-io/content/inspec/plugins.md b/docs-chef-io/content/inspec/plugins.md index 4e2354484..d81bbde18 100644 --- a/docs-chef-io/content/inspec/plugins.md +++ b/docs-chef-io/content/inspec/plugins.md @@ -76,9 +76,9 @@ inspec plugin install --source https://my.private.server inspec-private-plugin ### Chef InSpec Plugins For details on how to author a Chef InSpec Plugin, see the -[developer documentation](https://github.com/inspec/inspec/blob/master/dev-docs/plugins.md) +[developer documentation](https://github.com/inspec/inspec/blob/main/dev-docs/plugins.md) ### Train Plugins For details on how to author a Train Plugin, see the -[developer documentation](https://github.com/inspec/train/blob/master/docs/plugins.md) +[developer documentation](https://github.com/inspec/train/blob/main/docs/plugins.md) diff --git a/docs-chef-io/content/inspec/profiles.md b/docs-chef-io/content/inspec/profiles.md index b9ce735e1..dec4e32db 100644 --- a/docs-chef-io/content/inspec/profiles.md +++ b/docs-chef-io/content/inspec/profiles.md 
@@ -41,7 +41,7 @@ where: - `README.md` should be used to explain the profile, its scope, and usage See a complete example profile in the Chef InSpec open source repository: -[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/master/examples/profile) +[Example Chef InSpec Profile](https://github.com/chef/inspec/tree/main/examples/profile) Also check out [Explore Chef InSpec resources](https://learn.chef.io/modules/explore-inspec-resources#/) on Learn Chef Rally to learn more about how profiles are structured with hands-on-examples. diff --git a/docs-chef-io/content/inspec/resources/aws_ecr_repository.md b/docs-chef-io/content/inspec/resources/aws_ecr_repository.md index 730c48c59..a3821f356 100644 --- a/docs-chef-io/content/inspec/resources/aws_ecr_repository.md +++ b/docs-chef-io/content/inspec/resources/aws_ecr_repository.md @@ -11,7 +11,7 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_ecr_repository.md) +[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_ecr_repository.md) Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards. diff --git a/docs-chef-io/content/inspec/resources/aws_efs_file_system.md b/docs-chef-io/content/inspec/resources/aws_efs_file_system.md index 6653e5422..eb4dae761 100644 --- a/docs-chef-io/content/inspec/resources/aws_efs_file_system.md +++ b/docs-chef-io/content/inspec/resources/aws_efs_file_system.md 
@@ -11,7 +11,7 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/inspec/rources/aws_efs_file_system.md) +[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/inspec/rources/aws_efs_file_system.md) Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system. This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions. diff --git a/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md b/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md index b131feaf8..17ac23fac 100644 --- a/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md +++ b/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md @@ -11,7 +11,7 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_elasticache_cluster.md) +[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_elasticache_cluster.md) Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster. diff --git a/docs-chef-io/content/inspec/resources/aws_nat_gateway.md b/docs-chef-io/content/inspec/resources/aws_nat_gateway.md index f1c5c542e..7fc0a64eb 100644 --- a/docs-chef-io/content/inspec/resources/aws_nat_gateway.md +++ b/docs-chef-io/content/inspec/resources/aws_nat_gateway.md 
@@ -102,7 +102,7 @@ There are also additional properties available. For a comprehensive list, see [t its('nat_gateway_address_set') { should include(:private_ip => '10.0.1.68') } end -For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateway.rb). +For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateway.rb). ## Matchers diff --git a/docs-chef-io/content/inspec/resources/aws_nat_gateways.md b/docs-chef-io/content/inspec/resources/aws_nat_gateways.md index 721d78025..61216eee4 100644 --- a/docs-chef-io/content/inspec/resources/aws_nat_gateways.md +++ b/docs-chef-io/content/inspec/resources/aws_nat_gateways.md @@ -56,7 +56,7 @@ using `aws_nat_gateway` InSpec singular AWS resource. end end -For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/master/test/integration/verify/controls/aws_nat_gateways.rb). +For more examples, please check the [integration tests](https://github.com/inspec/inspec-aws/blob/main/test/integration/verify/controls/aws_nat_gateways.rb). ## Matchers @@ -77,7 +77,7 @@ Use `should_not` to test the entity should not exist. it { should_not exist } end -Please see [here](https://github.com/inspec/inspec/blob/master/docs/dev/filtertable-usage.md) for more information on how to use filter table. +Please see [here](https://github.com/inspec/inspec/blob/main/docs/dev/filtertable-usage.md) for more information on how to use filter table. ## AWS Permissions diff --git a/docs-chef-io/content/inspec/resources/aws_sns_subscription.md b/docs-chef-io/content/inspec/resources/aws_sns_subscription.md index f2f400730..ea20e4875 100644 --- a/docs-chef-io/content/inspec/resources/aws_sns_subscription.md +++ b/docs-chef-io/content/inspec/resources/aws_sns_subscription.md 
@@ -11,7 +11,7 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/master/docs-chef-io/content/aws_sns_subscription.md) +[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_sns_subscription.md) Use the `aws_sns_subscription` InSpec audit resource to test detailed properties of a AWS SNS Subscription. diff --git a/docs-chef-io/content/inspec/resources/azure_generic_resource.md b/docs-chef-io/content/inspec/resources/azure_generic_resource.md index 6e0f9044a..907c9268d 100644 --- a/docs-chef-io/content/inspec/resources/azure_generic_resource.md +++ b/docs-chef-io/content/inspec/resources/azure_generic_resource.md @@ -178,4 +178,4 @@ This Chef InSpec audit resource has the following special matchers. For a full l Please see the integration tests for in depth examples of how this resource can be used. -[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/master/test/integration/azure/verify/controls) +[Chef InSpec Integration Tests for Azure Generic Resources](https://github.com/chef/inspec/tree/main/test/integration/azure/verify/controls) diff --git a/docs-chef-io/content/inspec/resources/azure_resource_group.md b/docs-chef-io/content/inspec/resources/azure_resource_group.md index 0fb39c176..27e82e0c4 100644 --- a/docs-chef-io/content/inspec/resources/azure_resource_group.md +++ b/docs-chef-io/content/inspec/resources/azure_resource_group.md 
@@ -291,5 +291,5 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. ` For more information on Azure Ruby SDK resources, see: -- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources) +- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources) - [Resource Group](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/resource_group.rb) diff --git a/docs-chef-io/content/inspec/resources/azure_virtual_machine.md b/docs-chef-io/content/inspec/resources/azure_virtual_machine.md index 904062566..3da1549d5 100644 --- a/docs-chef-io/content/inspec/resources/azure_virtual_machine.md +++ b/docs-chef-io/content/inspec/resources/azure_virtual_machine.md @@ -348,6 +348,6 @@ Note: The tag name is case sensitive which makes the test case sensitive. E.g. ` ## References -- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_resources) +- [Azure Ruby SDK - Resources](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_resources) - [Virtual Machine External VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_external_vm.rb) - [Virtual Machine Internal VM](https://github.com/chef/inspec/blob/fc990346f2438690f0ac36a9f6606e61574a79b8/test/azure/verify/controls/virtual_machine_internal_vm.rb) diff --git a/docs-chef-io/content/inspec/resources/azure_virtual_machine_data_disk.md b/docs-chef-io/content/inspec/resources/azure_virtual_machine_data_disk.md index aed66a84d..059474ea2 100644 --- a/docs-chef-io/content/inspec/resources/azure_virtual_machine_data_disk.md +++ b/docs-chef-io/content/inspec/resources/azure_virtual_machine_data_disk.md 
@@ -221,6 +221,6 @@ Returns a boolean stating if the machine has Managed Disks for data disks. ## References -- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/master/management/azure_mgmt_compute) -- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb) -- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/master/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb) +- [Azure Ruby SDK - Compute](https://github.com/Azure/azure-sdk-for-ruby/tree/main/management/azure_mgmt_compute) +- [Linux Internal Data Disks](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_linux_external_vm_datadisk.rb) +- [Windows Internal Data Disk](https://github.com/chef/inspec/blob/main/test/azure/verify/controls/virtual_machine_windows_internal_vm_datadisk.rb) diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 8e501256a..95e506df4 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md @@ -57,9 +57,9 @@ Use resource packs to share custom resources with other Chef InSpec users. A resource pack is a Chef InSpec profile that contains only custom resources and no other controls or tests. -For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/master/examples/profile) +For example, the profile in [`examples/profile`](https://github.com/chef/inspec/tree/main/examples/profile) in the Chef InSpec GitHub repository defines an -[`example_config` resource](https://github.com/chef/inspec/blob/master/examples/profile/controls/example.rb). +[`example_config` resource](https://github.com/chef/inspec/blob/main/examples/profile/controls/example.rb). To use these resources within the Chef InSpec shell, you will need to download and specify them as a dependency. 
From b6076e06498402974d43e3cb25f23f8a3fbcfd03 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 04:27:18 +0000 Subject: [PATCH 440/483] Bump version to 4.46.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9fb894a30..dc9179234 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,15 +1,18 @@ # Change Log - -## [v4.46.7](https://github.com/inspec/inspec/tree/v4.46.7) (2021-09-22) + +## [v4.46.8](https://github.com/inspec/inspec/tree/v4.46.8) (2021-09-28) -#### Merged Pull Requests -- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) +#### Enhancements +- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) ### Changes since 4.41.20 release +#### Enhancements +- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) + #### Bug Fixes - Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) diff --git a/VERSION b/VERSION index 1585acb6b..d4cc917e9 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.7 \ No newline at end of file +4.46.8 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index d7da0a87f..cb4c9280d 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb 
@@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.7".freeze + VERSION = "4.46.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 4dbbe6115..4f95d1dd6 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.7".freeze + VERSION = "4.46.8".freeze end From 2e23f13d110a52ed567916749811ffab033aba33 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 04:32:22 +0000 Subject: [PATCH 441/483] Bump version to 4.46.9 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dc9179234..0de90ce82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.46.8](https://github.com/inspec/inspec/tree/v4.46.8) (2021-09-28) + +## [v4.46.9](https://github.com/inspec/inspec/tree/v4.46.9) (2021-09-28) #### Enhancements -- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) +- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08)) ### Changes since 4.41.20 release #### Enhancements +- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08)) - Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) #### Bug Fixes diff --git a/VERSION b/VERSION index d4cc917e9..817462cc5 100644 --- a/VERSION +++ b/VERSION 
@@ -1 +1 @@ -4.46.8 \ No newline at end of file +4.46.9 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index cb4c9280d..ec811ae86 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.8".freeze + VERSION = "4.46.9".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 4f95d1dd6..ba36198ee 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.8".freeze + VERSION = "4.46.9".freeze end From 7493e26e472a529643a4b03daf67e3bd37586172 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 04:37:02 +0000 Subject: [PATCH 442/483] Bump version to 4.46.10 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0de90ce82..03b7071d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.9](https://github.com/inspec/inspec/tree/v4.46.9) (2021-09-28) + +## [v4.46.10](https://github.com/inspec/inspec/tree/v4.46.10) (2021-09-28) -#### Enhancements -- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08)) +#### Bug Fixes +- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08)) 
@@ -15,6 +15,7 @@ - Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) #### Bug Fixes +- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08)) - Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) #### New Features diff --git a/VERSION b/VERSION index 817462cc5..7cea0e998 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.9 \ No newline at end of file +4.46.10 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index ec811ae86..f0e758e48 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.9".freeze + VERSION = "4.46.10".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index ba36198ee..c759d716f 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.9".freeze + VERSION = "4.46.10".freeze end From ac07060c124b33dbe22c957bb4cce51051e7ea10 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 04:40:30 +0000 Subject: [PATCH 443/483] Bump version to 4.46.11 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03b7071d1..f8bd393b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.46.10](https://github.com/inspec/inspec/tree/v4.46.10) (2021-09-28) + +## [v4.46.11](https://github.com/inspec/inspec/tree/v4.46.11) (2021-09-28) -#### Bug Fixes -- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08)) +#### Merged Pull Requests +- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) @@ -24,6 +24,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) - Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) - Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) - Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) diff --git a/VERSION b/VERSION index 7cea0e998..9d909be48 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.10 \ No newline at end of file +4.46.11 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index f0e758e48..bbb654141 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.10".freeze + VERSION = "4.46.11".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index c759d716f..6f5455521 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.10".freeze + VERSION = "4.46.11".freeze end From 761fa4338e4f59d389c13abef9b78a0a490be2e2 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 7 Sep 2021 16:21:22 +0530 Subject: [PATCH 444/483] Fix - controls option was not working for depedent profile Signed-off-by: Vasu1105 --- lib/inspec/control_eval_context.rb | 36 +++++++++++++++++++++++++++++ lib/inspec/dsl.rb | 15 ++++++++++++ test/functional/inspec_exec_test.rb | 34 +++++++++++++++++++++++++++ 3 files changed, 85 insertions(+) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 83acf639b..353bd4985 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -214,6 +214,18 @@ module Inspec !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? end + # Check if the given control exist in the --controls option + def control_exist_in_controls_list?(id) + id_exist_in_list = false + if profile_config_exist? + id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion| + # Try to see if the inclusion is a regex, and if it matches + inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id) + end + end + id_exist_in_list + end + private def block_location(block, alternate_caller) 
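Review bot: `control_exist_in_controls_list?` returns false for every id when `include_controls_list` is empty, because the flag starts as false and `any?` over an empty list is false. The `elsif !control_eval_ctx.control_exist_in_controls_list?(id)` branch this commit adds to lib/inspec/dsl.rb removes the rule on false. If that branch is reached for an include made without `--controls` (the `!opts[:include_all]` path appears to allow it), the dependent profile's controls are dropped silently, and an audit run with missing controls reads like a clean result. The caller should filter only when a list was given, e.g. `elsif !opts[:conf]["profile"].include_controls_list.empty? && !control_eval_ctx.control_exist_in_controls_list?(id)`. `profile_config_exist?` is defined outside this hunk, so its exact condition should be confirmed.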
@@ -250,5 +262,29 @@ module Inspec end id_exist_in_list end + + def tags_list_empty? + !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? + end + + # Check if the given control exist in the --tags option + def tag_exist_in_control_tags?(tag_ids) + tag_option_matches_with_list = false + if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist? + tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty? + unless tag_option_matches_with_list + @conf["profile"].include_tags_list.any? do |inclusion| + # Try to see if the inclusion is a regex, and if it matches + if inclusion.is_a?(Regexp) + tag_ids.each do |id| + tag_option_matches_with_list = (inclusion =~ id) + break if tag_option_matches_with_list + end + end + end + end + end + tag_option_matches_with_list + end end end diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index c57f57091..d777f8ab7 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb @@ -93,8 +93,12 @@ module Inspec::DSL context = dep_entry.profile.runner_context # if we don't want all the rules, then just make 1 pass to get all rule_IDs # that we want to keep from the original +<<<<<<< HEAD filter_included_controls(context, dep_entry.profile, opts, &block) if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) +======= + filter_included_controls(context, dep_entry.profile, opts, &block) if !opts[:include_all] || !opts[:conf]["profile"].include_controls_list.empty? +>>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) # interpret the block and skip/modify as required context.load(block) if block_given? bind_context.add_subcontext(context) 
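Review bot: The regex fallback in `tag_exist_in_control_tags?` can lose or miss a match, because the value of the `any?` block is whatever `tag_ids.each` returns: nil after the `break` on a match (so the scan continues and a later non-matching Regexp overwrites the flag with nil), and the truthy array when nothing matched (so `any?` stops before later patterns are tried). A `--tags` run could then include or exclude controls incorrectly; `tag_option_matches_with_list = @conf["profile"].include_tags_list.any? { |inclusion| inclusion.is_a?(Regexp) && tag_ids.any? { |id| inclusion =~ id } }` expresses the intended check. The guard `!tag_ids.empty? && !tag_ids.nil?` also calls `empty?` before the nil test, so a nil argument raises instead of returning false; the two operands should be swapped. Separately, the added `tags_list_empty?` repeats an expression visible as context in this file's first hunk and appears to land below `private`, so it is worth confirming that both methods are not leftovers of the merge.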
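Review bot: Unresolved merge-conflict markers (the `HEAD` opener, the `=======` separator and the `9b8307fc0` closer) are added as source lines around the `filter_included_controls` call, and twice more in the next hunk of this file (`@@ -104,13 +108,24 @@`), so lib/inspec/dsl.rb cannot be parsed as Ruby at this commit. The two sides are not alternatives: HEAD gates on `include_tags_list` and the incoming side on `include_controls_list`, so the resolution probably needs both, e.g. `if !opts[:include_all] || !opts[:conf]["profile"].include_tags_list.empty? || !opts[:conf]["profile"].include_controls_list.empty?`. A commit that does not load also breaks bisecting across it, so the resolution belongs in this commit rather than a follow-up. The enclosing method starts and ends outside the hunk.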
@@ -104,13 +108,24 @@ module Inspec::DSL mock = Inspec::Backend.create(Inspec::Config.mock) include_ctx = Inspec::ProfileContext.for_profile(profile, mock) include_ctx.load(block) if block_given? +<<<<<<< HEAD include_ctx.control_eval_context.conf = opts[:conf] +======= + # this sets the conf variable required in control_exist_in_control_list? method + include_ctx.control_eval_context.instance_variable_set(:@conf, opts[:conf]) +>>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) control_eval_ctx = include_ctx.control_eval_context # remove all rules that were not registered context.all_rules.each do |r| id = Inspec::Rule.rule_id(r) fid = Inspec::Rule.profile_id(r) + "/" + id if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid]) +<<<<<<< HEAD +======= + context.remove_rule(fid) + elsif !control_eval_ctx.control_exist_in_controls_list?(id) + # filter the dependent profile controls which are not in the --controls options list +>>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) context.remove_rule(fid) elsif !control_eval_ctx.tags_list_empty? # filter included controls using --tags diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index ea03b47d2..e2376cf20 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
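Review bot: Once the conflict in this hunk is resolved, the HEAD form `include_ctx.control_eval_context.conf = opts[:conf]` should be kept rather than the incoming `instance_variable_set(:@conf, opts[:conf])`. Writing another object's instance variable directly bypasses its interface and fails silently if the variable is renamed. The comment on the incoming side also names `control_exist_in_control_list?`, while the method this commit adds is `control_exist_in_controls_list?`. The enclosing method extends beyond the hunk.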
@@ -199,6 +199,40 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end + # it filters the control from its depedent profile_c + it "executes only specified controls from parent and child profile when selecting the controls by regex" do + inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls '/^profilec/'") + _(out.stdout).must_include "profilec-1" + _(out.stdout).wont_include "profilea-1" + _(out.stdout).wont_include "only-describe" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + # it filters the control from its depedent profile_c + it "executes only specified controls from parent and child profile when selecting the controls by id" do + inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls 'profilec-1'") + _(out.stdout).must_include "profilec-1" + _(out.stdout).wont_include "profilea-1" + _(out.stdout).wont_include "only-describe" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + + # it filters the control from its depedent profile_c + it "executes only specified controls from parent and child profile when selecting the controls by space seprated id" do + inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls 'profilec-1' 'profilea-1'") + _(out.stdout).must_include "profilec-1" + _(out.stdout).must_include "profilea-1" + _(out.stdout).wont_include "profilea-2" + _(out.stdout).wont_include "only-describe" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + it "executes only specified controls when selecting passing controls by literal names" do inspec("exec " + File.join(profile_path, "filter_table") + " --no-create-lockfile --controls 2943_pass_undeclared_field_in_hash 2943_pass_irregular_row_key") From 3e9223d6036629fda4c03ab24d2166e2463affe0 Mon Sep 17 00:00:00 2001 
From: Vasu1105 Date: Tue, 7 Sep 2021 16:57:40 +0530 Subject: [PATCH 445/483] Fixed lint and failing test Signed-off-by: Vasu1105 --- lib/inspec/control_eval_context.rb | 46 ++++------------------------- lib/inspec/dsl.rb | 29 +++++++----------- test/functional/inspec_exec_test.rb | 24 +++++++++++---- 3 files changed, 34 insertions(+), 65 deletions(-) diff --git a/lib/inspec/control_eval_context.rb b/lib/inspec/control_eval_context.rb index 353bd4985..fdab2a5dd 100644 --- a/lib/inspec/control_eval_context.rb +++ b/lib/inspec/control_eval_context.rb @@ -226,6 +226,11 @@ module Inspec id_exist_in_list end + # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included + def controls_list_empty? + !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty? + end + private def block_location(block, alternate_caller) 
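Review bot: `controls_list_empty?` returns false when `@conf` is non-empty but has no `"profile"` key, although the comment above it says it returns true when the configuration does not have the list of controls. A false result makes the dependent-profile filter in `lib/inspec/dsl.rb` act as if a `--controls` list had been given, which presumably removes controls that should have run. Writing the condition without mixed `&&`/`||` states the intent directly: `@conf.empty? || !@conf.key?("profile") || @conf["profile"].include_controls_list.empty?`. The enclosing class starts outside the hunk.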
@@ -245,46 +250,5 @@ module Inspec def profile_tag_config_exist? !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty? end - - # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included - def controls_list_empty? - !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty? - end - - # Check if the given control exist in the --controls option - def control_exist_in_controls_list?(id) - id_exist_in_list = false - if profile_config_exist? - id_exist_in_list = @conf["profile"].include_controls_list.any? do |inclusion| - # Try to see if the inclusion is a regex, and if it matches - inclusion == id || (inclusion.is_a?(Regexp) && inclusion =~ id) - end - end - id_exist_in_list - end - - def tags_list_empty? - !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_tags_list.empty? || @conf.empty? - end - - # Check if the given control exist in the --tags option - def tag_exist_in_control_tags?(tag_ids) - tag_option_matches_with_list = false - if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist? - tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty? - unless tag_option_matches_with_list - @conf["profile"].include_tags_list.any? do |inclusion| - # Try to see if the inclusion is a regex, and if it matches - if inclusion.is_a?(Regexp) - tag_ids.each do |id| - tag_option_matches_with_list = (inclusion =~ id) - break if tag_option_matches_with_list - end - end - end - end - end - tag_option_matches_with_list - end end end diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index d777f8ab7..9bd826ef4 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb 
@@ -93,12 +93,9 @@ module Inspec::DSL context = dep_entry.profile.runner_context # if we don't want all the rules, then just make 1 pass to get all rule_IDs # that we want to keep from the original -<<<<<<< HEAD - filter_included_controls(context, dep_entry.profile, opts, &block) if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) - -======= - filter_included_controls(context, dep_entry.profile, opts, &block) if !opts[:include_all] || !opts[:conf]["profile"].include_controls_list.empty? ->>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) + if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty? + filter_included_controls(context, dep_entry.profile, opts, &block) + end # interpret the block and skip/modify as required context.load(block) if block_given? bind_context.add_subcontext(context) 
@@ -108,26 +105,22 @@ module Inspec::DSL mock = Inspec::Backend.create(Inspec::Config.mock) include_ctx = Inspec::ProfileContext.for_profile(profile, mock) include_ctx.load(block) if block_given? -<<<<<<< HEAD include_ctx.control_eval_context.conf = opts[:conf] -======= - # this sets the conf variable required in control_exist_in_control_list? method - include_ctx.control_eval_context.instance_variable_set(:@conf, opts[:conf]) ->>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) control_eval_ctx = include_ctx.control_eval_context # remove all rules that were not registered context.all_rules.each do |r| id = Inspec::Rule.rule_id(r) fid = Inspec::Rule.profile_id(r) + "/" + id if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid]) -<<<<<<< HEAD -======= context.remove_rule(fid) - elsif !control_eval_ctx.control_exist_in_controls_list?(id) - # filter the dependent profile controls which are not in the --controls options list ->>>>>>> 9b8307fc0 (Fix - controls option was not working for depedent profile) - context.remove_rule(fid) - elsif !control_eval_ctx.tags_list_empty? + end + + unless control_eval_ctx.controls_list_empty? + # filter the dependent profile controls which are not in the --controls options list + context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id) + end + + unless control_eval_ctx.tags_list_empty? # filter included controls using --tags tag_ids = control_eval_ctx.control_tags(r) context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids) diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb index e2376cf20..5173e48ff 100644 --- a/test/functional/inspec_exec_test.rb +++ b/test/functional/inspec_exec_test.rb 
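Review bot: With the `if`/`elsif` chain split into three independent statements, `context.remove_rule(fid)` can run up to three times for the same rule, and `control_tags(r)` is still evaluated for a rule that was already removed. Whether `remove_rule` tolerates an id that is already gone is not visible here. Skip the remaining checks once a rule is dropped, e.g. `next context.remove_rule(fid) if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])`, and likewise for the `--controls` check. A comment such as `# a control must pass both the --controls and the --tags filter to stay in the run` would document the combined behaviour. The `each` block and its method continue outside the hunk.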
@@ -199,9 +199,9 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end - # it filters the control from its depedent profile_c + # it filters the control from its dependent profile_c it "executes only specified controls from parent and child profile when selecting the controls by regex" do - inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls '/^profilec/'") + inspec("exec " + File.join(profile_path, "dependencies", "profile_a") + " --no-create-lockfile --controls '/^profilec/'") _(out.stdout).must_include "profilec-1" _(out.stdout).wont_include "profilea-1" _(out.stdout).wont_include "only-describe" @@ -210,9 +210,9 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end - # it filters the control from its depedent profile_c + # it filters the control from its dependent profile_c it "executes only specified controls from parent and child profile when selecting the controls by id" do - inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls 'profilec-1'") + inspec("exec " + File.join(profile_path, "dependencies", "profile_a") + " --no-create-lockfile --controls 'profilec-1'") _(out.stdout).must_include "profilec-1" _(out.stdout).wont_include "profilea-1" _(out.stdout).wont_include "only-describe" 
@@ -221,9 +221,9 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end - # it filters the control from its depedent profile_c + # it filters the control from its dependent profile_c it "executes only specified controls from parent and child profile when selecting the controls by space seprated id" do - inspec("exec " + File.join(profile_path, "dependencies/profile_a") + " --no-create-lockfile --controls 'profilec-1' 'profilea-1'") + inspec("exec " + File.join(profile_path, "dependencies", "profile_a") + " --no-create-lockfile --controls 'profilec-1' 'profilea-1'") _(out.stdout).must_include "profilec-1" _(out.stdout).must_include "profilea-1" _(out.stdout).wont_include "profilea-2" @@ -233,6 +233,18 @@ Test Summary: 0 successful, 0 failures, 0 skipped assert_exit_code 0, out end + # it filters the control from its dependent profile_c + it "executes only specified controls of required dependent profile when selecting the controls by space seprated id" do + inspec("exec " + File.join(profile_path, "dependencies", "require_controls_test") + " --no-create-lockfile --controls 'profileb-2'") + _(out.stdout).must_include "profileb-2" + _(out.stdout).wont_include "profilea-1" + _(out.stdout).wont_include "profilea-2" + _(out.stdout).wont_include "only-describe" + _(stderr).must_equal "" + + assert_exit_code 0, out + end + it "executes only specified controls when selecting passing controls by literal names" do inspec("exec " + File.join(profile_path, "filter_table") + " --no-create-lockfile --controls 2943_pass_undeclared_field_in_hash 2943_pass_irregular_row_key") From 04c1af6a24ae4fb7db1d151ca8a5a0844f9a1b68 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Tue, 28 Sep 2021 12:13:18 +0530 Subject: [PATCH 446/483] Fixed lint Signed-off-by: Vasu1105 --- lib/inspec/resources/opa.rb | 1 - test/unit/resources/opa_api_test.rb | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
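Review bot: In the `@@ -233,6 +233,18 @@` hunk the new test's comment and name do not match what it runs. The comment says `profile_c` and the name says "space seprated id", but the command passes a single id, `--controls 'profileb-2'`, against the `require_controls_test` fixture. Suggest the comment `# it filters the controls of the required dependent profile` and the name `"executes only the specified control of a required dependent profile when selecting the control by id"`. The same "seprated" typo is in the name of the preceding test.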
diff --git a/lib/inspec/resources/opa.rb b/lib/inspec/resources/opa.rb index a8cd0a979..ad1200de2 100644 --- a/lib/inspec/resources/opa.rb +++ b/lib/inspec/resources/opa.rb @@ -6,7 +6,6 @@ module Inspec::Resources supports platform: "unix" supports platform: "windows" - attr_reader :result def initialize(content) @content = content super({ content: @content }) diff --git a/test/unit/resources/opa_api_test.rb b/test/unit/resources/opa_api_test.rb index fd10460dd..75e4700e2 100644 --- a/test/unit/resources/opa_api_test.rb +++ b/test/unit/resources/opa_api_test.rb @@ -10,7 +10,7 @@ describe "Inspec::Resources::OpaApi" do end it "verify opa api query result parsing when output is empty" do - resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") + resource = load_resource("opa_api", url: "localhost:8181/v1/data/example/violation", data: "v1-data-input1.json") _(resource.result).must_be_nil _(resource.params["result"]).must_equal([]) end From 37a788940734b5e9e7eae4d23a50ccd08a382940 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 12:15:35 +0000 Subject: [PATCH 447/483] Bump version to 4.46.12 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f8bd393b0..fe07e8b43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,10 @@ # Change Log - -## [v4.46.11](https://github.com/inspec/inspec/tree/v4.46.11) (2021-09-28) + +## [v4.46.12](https://github.com/inspec/inspec/tree/v4.46.12) (2021-09-28) #### Merged Pull Requests -- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) +- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) @@ -24,6 +24,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) - Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) - Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) - Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) diff --git a/VERSION b/VERSION index 9d909be48..dca760291 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.11 \ No newline at end of file +4.46.12 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index bbb654141..5207bb3a9 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.11".freeze + VERSION = "4.46.12".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 6f5455521..8ba5bfc4d 100644 --- a/lib/inspec/version.rb 
+++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.11".freeze + VERSION = "4.46.12".freeze end From e5b7bcf4b98cad7ee4353b372585ce0835726542 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 28 Sep 2021 12:19:40 +0000 Subject: [PATCH 448/483] Bump version to 4.46.13 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe07e8b43..945fbf616 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.46.12](https://github.com/inspec/inspec/tree/v4.46.12) (2021-09-28) + +## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-28) #### Merged Pull Requests -- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) +- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105)) @@ -24,6 +24,7 @@ - Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) #### Merged Pull Requests +- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105)) - Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) - Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) - Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) 
diff --git a/VERSION b/VERSION index dca760291..13cdd4fc3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.12 \ No newline at end of file +4.46.13 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 5207bb3a9..550f081f0 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.12".freeze + VERSION = "4.46.13".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8ba5bfc4d..af3130d84 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.12".freeze + VERSION = "4.46.13".freeze end From d3905092a56fde7ed72913c8e8446217c1a812a7 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Tue, 28 Sep 2021 15:15:47 -0700 Subject: [PATCH 449/483] Use a more modern Ubuntu release in the example Signed-off-by: Tim Smith --- docs-chef-io/content/inspec/profiles.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs-chef-io/content/inspec/profiles.md b/docs-chef-io/content/inspec/profiles.md index b9ce735e1..268d61465 100644 --- a/docs-chef-io/content/inspec/profiles.md +++ b/docs-chef-io/content/inspec/profiles.md @@ -132,22 +132,22 @@ supports: - platform-name: debian ``` -To target only Ubuntu version 14.04, use: +To target only Ubuntu version 20.04, use: ```YAML name: ssh supports: - platform-name: ubuntu - release: 14.04 + release: 20.04 ``` -To target the entire release of Ubuntu version 14.x, use: +To target the entire release of Ubuntu version 20.x, use: ```YAML name: ssh supports: - platform-name: ubuntu - release: 14.* + release: 20.* ``` To target the entire RedHat platform (including CentOS and Oracle Linux), use: 
@@ -181,7 +181,7 @@ name: ssh supports: - platform-name: debian - platform-name: ubuntu - release: 14.04 + release: 20.04 - platform-family: redhat - platform: aws ``` From 9305a18366225beae10b489ca29de65f68405b80 Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Tue, 28 Sep 2021 15:15:53 -0700 Subject: [PATCH 450/483] Fix a typo Signed-off-by: Tim Smith --- docs-chef-io/content/inspec/profiles.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/profiles.md b/docs-chef-io/content/inspec/profiles.md index 268d61465..c1bb39124 100644 --- a/docs-chef-io/content/inspec/profiles.md +++ b/docs-chef-io/content/inspec/profiles.md @@ -158,7 +158,7 @@ supports: - platform-family: redhat ``` -To target the entire Windows 2019 platform family including Datcenter and Core Servers, use: +To target the entire Windows 2019 platform family including Datacenter and Core Servers, use: ```YAML name: ssh From bac643254df523f63566f6bbdd8a2f4c5e47735f Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Tue, 28 Sep 2021 15:16:13 -0700 Subject: [PATCH 451/483] Better describe what platform-family is doing for us Signed-off-by: Tim Smith --- docs-chef-io/content/inspec/profiles.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs-chef-io/content/inspec/profiles.md b/docs-chef-io/content/inspec/profiles.md index c1bb39124..55b0ec6b4 100644 --- a/docs-chef-io/content/inspec/profiles.md +++ b/docs-chef-io/content/inspec/profiles.md @@ -150,7 +150,7 @@ supports: release: 20.* ``` -To target the entire RedHat platform (including CentOS and Oracle Linux), use: +To target the Red Hat and derivitive platforms such as CentOS and Oracle Linux, use: ```YAML name: ssh From fe555a378068b579f6ce4aa07071bb6b69ac9642 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Wed, 29 Sep 2021 12:15:39 +0530 Subject: [PATCH 452/483] Remove the unit test added for Ubuntu using older version i.e 15.04. 
Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 17 +++-------------- test/unit/resources/apache_conf_test.rb | 4 ++-- test/unit/resources/apt_test.rb | 6 +++--- test/unit/resources/os_test.rb | 4 ++-- test/unit/resources/platform_test.rb | 14 +++++++------- test/unit/resources/service_test.rb | 5 ++--- test/unit/resources/sys_info_test.rb | 2 +- 7 files changed, 20 insertions(+), 32 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index dc52ae331..1ae52b94b 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -19,9 +19,9 @@ class MockLoader macos10_10: { name: "mac_os_x", family: "darwin", release: "10.10.4", arch: nil }, macos10_16: { name: "darwin", family: "darwin", release: "10.16", arch: nil }, ubuntu1404: { name: "ubuntu", family: "debian", release: "14.04", arch: "x86_64" }, - ubuntu1504: { name: "ubuntu", family: "debian", release: "15.04", arch: "x86_64" }, ubuntu1604: { name: "ubuntu", family: "debian", release: "16.04", arch: "x86_64" }, ubuntu1804: { name: "ubuntu", family: "debian", release: "18.04", arch: "x86_64" }, + ubuntu: { name: "ubuntu", family: "debian", release: "20.04", arch: "x86_64" }, mint17: { name: "linuxmint", family: "debian", release: "17.3", arch: "x86_64" }, mint18: { name: "linuxmint", family: "debian", release: "18", arch: "x86_64" }, windows: { name: "windows", family: "windows", release: "6.2.9200", arch: "x86_64" }, 
@@ -176,21 +176,10 @@ class MockLoader "/etc/postfix/main.cf" => mockfile.call("main.cf"), "/etc/postfix/other.cf" => mockfile.call("other.cf"), "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"), + "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf"), + "/etc/test-serverroot/apache2/apache2.conf" => mockfile.call("apache2_server_root_void.conf"), } - if @platform - if @platform[:name] == "ubuntu" && @platform[:release] == "18.04" - mock_files.merge!( - "/etc/apache2/apache2.conf" => mockfile.call("apache2.conf") - ) - elsif @platform[:name] == "ubuntu" && @platform[:release] == "15.04" - # using this ubuntu version to test apache_conf with non configured server root in conf file - mock_files.merge!( - "/etc/apache2/apache2.conf" => mockfile.call("apache2_server_root_void.conf") - ) - end - end - mock.files = mock_files # create all mock commands diff --git a/test/unit/resources/apache_conf_test.rb b/test/unit/resources/apache_conf_test.rb index 1b9e99417..47f1786b0 100644 --- a/test/unit/resources/apache_conf_test.rb +++ b/test/unit/resources/apache_conf_test.rb @@ -6,7 +6,7 @@ require "hashie" describe "Inspec::Resources::ApacheConf" do # debian style apache2 it "reads values in apache2.conf and from Include, IncludeOptional params" do - resource = MockLoader.new(:ubuntu1804).load_resource("apache_conf", + resource = MockLoader.new(:ubuntu).load_resource("apache_conf", "/etc/apache2/apache2.conf") _(resource.params).must_be_kind_of Hash _(resource.content).must_be_kind_of String 
@@ -22,7 +22,7 @@ describe "Inspec::Resources::ApacheConf" do end it "reads values successfully from apache2.conf and ignores Include, IncludeOptional params when server root is not configured" do - resource = MockLoader.new(:ubuntu1504).load_resource("apache_conf", "/etc/apache2/apache2.conf") + resource = MockLoader.new(:ubuntu).load_resource("apache_conf", "/etc/test-serverroot/apache2/apache2.conf") _(resource.params).must_be_kind_of Hash _(resource.content).must_be_kind_of String _(resource.params("ServerAlias")).must_equal ["inspec.test www.inspec.test io.inspec.test"] diff --git a/test/unit/resources/apt_test.rb b/test/unit/resources/apt_test.rb index 4d02d6ab1..33fa30a3c 100644 --- a/test/unit/resources/apt_test.rb +++ b/test/unit/resources/apt_test.rb @@ -5,19 +5,19 @@ require "inspec/resources/apt" describe "Inspec::Resources::AptRepo" do it "check apt on ubuntu" do - resource = MockLoader.new(:ubuntu1504).load_resource("apt", "http://archive.ubuntu.com/ubuntu/") + resource = MockLoader.new(:ubuntu).load_resource("apt", "http://archive.ubuntu.com/ubuntu/") _(resource.exists?).must_equal true _(resource.enabled?).must_equal true end it "check apt on ubuntu with ppa" do - resource = MockLoader.new(:ubuntu1504).load_resource("apt", "ubuntu-wine/ppa") + resource = MockLoader.new(:ubuntu).load_resource("apt", "ubuntu-wine/ppa") _(resource.exists?).must_equal true _(resource.enabled?).must_equal true end it "check apt on ubuntu with ppa" do - resource = MockLoader.new(:ubuntu1504).load_resource("apt", "ppa:ubuntu-wine/ppa") + resource = MockLoader.new(:ubuntu).load_resource("apt", "ppa:ubuntu-wine/ppa") _(resource.exists?).must_equal true _(resource.enabled?).must_equal true end diff --git a/test/unit/resources/os_test.rb b/test/unit/resources/os_test.rb index f804b866c..8a00d4d77 100644 --- a/test/unit/resources/os_test.rb +++ b/test/unit/resources/os_test.rb 
@@ -28,10 +28,10 @@ describe "Inspec::Resources::Os" do end it "verify os parsing on Ubuntu" do - resource = MockLoader.new(:ubuntu1504).load_resource("os") + resource = MockLoader.new(:ubuntu).load_resource("os") _(resource.name).must_equal "ubuntu" _(resource.family).must_equal "debian" - _(resource.release).must_equal "15.04" + _(resource.release).must_equal "20.04" _(resource.arch).must_equal "x86_64" end diff --git a/test/unit/resources/platform_test.rb b/test/unit/resources/platform_test.rb index bed9e3ea8..08bafaad5 100644 --- a/test/unit/resources/platform_test.rb +++ b/test/unit/resources/platform_test.rb @@ -3,19 +3,19 @@ require "inspec/resource" require "inspec/resources/platform" describe "Inspec::Resources::Platform" do - let(:resource) { MockLoader.new(:ubuntu1504).load_resource("platform") } + let(:resource) { MockLoader.new(:ubuntu).load_resource("platform") } it "verify platform parsing on Ubuntu" do _(resource.name).must_equal "ubuntu" _(resource.family).must_equal "debian" - _(resource.release).must_equal "15.04" + _(resource.release).must_equal "20.04" _(resource.arch).must_equal "x86_64" end it "verify platform hash parsing on Ubuntu" do _(resource[:name]).must_equal "ubuntu" _(resource[:family]).must_equal "debian" - _(resource[:release]).must_equal "15.04" + _(resource[:release]).must_equal "20.04" _(resource[:arch]).must_equal "x86_64" end 
@@ -67,18 +67,18 @@ describe "Inspec::Resources::Platform" do _(resource).wont_be :supported?, supports end - it "loads a profile which supports release 15.04" do + it "loads a profile which supports release 20.04" do supports = [ { 'os-family': "windows", 'os-name': "windows_2000" }, - { 'os-name': "ubuntu", 'release': "15.04" }, + { 'os-name': "ubuntu", 'release': "20.04" }, ] _(resource).must_be :supported?, supports end - it "loads a profile which supports release 15.*" do + it "loads a profile which supports release 20.*" do supports = [ { 'os-family': "windows", 'os-name': "windows_2000" }, - { 'os-name': "ubuntu", 'release': "15.*" }, + { 'os-name': "ubuntu", 'release': "20.*" }, ] _(resource).must_be :supported?, supports end diff --git a/test/unit/resources/service_test.rb b/test/unit/resources/service_test.rb index 7f0c28e5e..373db8d19 100644 --- a/test/unit/resources/service_test.rb +++ b/test/unit/resources/service_test.rb @@ -47,9 +47,8 @@ describe "Inspec::Resources::Service" do _(resource.params.UnitFileState).must_be_nil end - # ubuntu 15.04 with systemd it "verify ubuntu service parsing" do - resource = MockLoader.new(:ubuntu1504).load_resource("service", "sshd") + resource = MockLoader.new(:ubuntu).load_resource("service", "sshd") params = Hashie::Mash.new({ "ActiveState" => "active", "Description" => "OpenSSH server daemon", "Id" => "sshd.service", "LoadState" => "loaded", "Names" => "sshd.service", "SubState" => "running", "UnitFileState" => "enabled" }) _(resource.type).must_equal "systemd" _(resource.name).must_equal "sshd.service" 
@@ -62,7 +61,7 @@ describe "Inspec::Resources::Service" do end it "verify ubuntu service parsing with default systemd_service" do - resource = MockLoader.new(:ubuntu1504).load_resource("systemd_service", "sshd") + resource = MockLoader.new(:ubuntu).load_resource("systemd_service", "sshd") params = Hashie::Mash.new({ "ActiveState" => "active", "Description" => "OpenSSH server daemon", "Id" => "sshd.service", "LoadState" => "loaded", "Names" => "sshd.service", "SubState" => "running", "UnitFileState" => "enabled" }) _(resource.type).must_equal "systemd" _(resource.name).must_equal "sshd.service" diff --git a/test/unit/resources/sys_info_test.rb b/test/unit/resources/sys_info_test.rb index 4d938cde2..db6418b7f 100644 --- a/test/unit/resources/sys_info_test.rb +++ b/test/unit/resources/sys_info_test.rb @@ -5,7 +5,7 @@ require "inspec/resources/sys_info" describe "Inspec::Resources::SysInfo" do describe "sys_info" do it "check sys_info on Ubuntu" do - resource = MockLoader.new(:ubuntu1504).load_resource("sys_info") + resource = MockLoader.new(:ubuntu).load_resource("sys_info") _(resource.hostname).must_equal "example.com" _(resource.manufacturer).must_equal "ACME Corp." _(resource.model).must_equal "Flux Capacitor" From 3f7d40318bf44114f9f8f9b53ef48661ceaa0d5f Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Thu, 30 Sep 2021 02:31:57 +0000 Subject: [PATCH 453/483] Executed '.expeditor/update_dockerfile.sh' Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 73 +++++++++++++++++++++++++--------------------------- Dockerfile | 2 +- 2 files changed, 36 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 945fbf616..f5bc02581 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,47 +1,45 @@ # Change Log - -## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-28) - -#### Merged Pull Requests -- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105)) + - -### Changes since 4.41.20 release - -#### Enhancements -- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08)) -- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) - -#### Bug Fixes -- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08)) -- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) - -#### New Features -- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) ([collinmcneese](https://github.com/collinmcneese)) -- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) -- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) - -#### Merged Pull Requests -- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105)) -- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) -- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) -- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) 
([damacus](https://github.com/damacus)) -- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) -- Minor docs fixes. [#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) -- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) -- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) -- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) -- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) -- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) -- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) -- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) -- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) -- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) + +## [v4.46.13](https://github.com/inspec/inspec/tree/v4.46.13) (2021-09-30) + +#### New Features +- Add support for Sybase databases [#5561](https://github.com/inspec/inspec/pull/5561) ([clintoncwolfe](https://github.com/clintoncwolfe)) +- Add ibmdb2_conf and ibmdb2_session resource [#5614](https://github.com/inspec/inspec/pull/5614) ([Vasu1105](https://github.com/Vasu1105)) +- adds chrony_conf InSpec resource [#5589](https://github.com/inspec/inspec/pull/5589) 
([collinmcneese](https://github.com/collinmcneese)) + +#### Enhancements +- Add csv without headers support in csv resource [#5665](https://github.com/inspec/inspec/pull/5665) ([Vasu1105](https://github.com/Vasu1105)) +- Add option in `postgres_session` resource to establish socket connection [#5664](https://github.com/inspec/inspec/pull/5664) ([Nik08](https://github.com/Nik08)) + +#### Bug Fixes +- Fix main in expeditor script [#5669](https://github.com/inspec/inspec/pull/5669) ([kagarmoe](https://github.com/kagarmoe)) +- Fix --tags filter for dependent profiles [#5657](https://github.com/inspec/inspec/pull/5657) ([Nik08](https://github.com/Nik08)) + +#### Merged Pull Requests +- Add labeler workflow with docs label [#5655](https://github.com/inspec/inspec/pull/5655) ([IanMadd](https://github.com/IanMadd)) +- Docs edits [#5654](https://github.com/inspec/inspec/pull/5654) ([IanMadd](https://github.com/IanMadd)) +- Fix branch name in docs makefile [#5660](https://github.com/inspec/inspec/pull/5660) ([IanMadd](https://github.com/IanMadd)) +- Update inspec check docs for --format option [#5617](https://github.com/inspec/inspec/pull/5617) ([Vasu1105](https://github.com/Vasu1105)) +- Add support for Mssql Conf resource [#5574](https://github.com/inspec/inspec/pull/5574) ([Nik08](https://github.com/Nik08)) +- Add support for Oracle Configuration Resources (Oracle Db Conf & Oracle Listener Conf) [#5573](https://github.com/inspec/inspec/pull/5573) ([Nik08](https://github.com/Nik08)) +- Added missing cli commands in cli doc [#5634](https://github.com/inspec/inspec/pull/5634) ([Nik08](https://github.com/Nik08)) +- Fix google_project_alert_policy Examples in the docs [#5426](https://github.com/inspec/inspec/pull/5426) ([wmetaw](https://github.com/wmetaw)) +- Update code to remove ruby 2.4 support [#5645](https://github.com/inspec/inspec/pull/5645) ([Vasu1105](https://github.com/Vasu1105)) +- Minor docs fixes. 
[#5662](https://github.com/inspec/inspec/pull/5662) ([IanMadd](https://github.com/IanMadd)) +- Add rocky and almalinux to service resource [#5604](https://github.com/inspec/inspec/pull/5604) ([sspans-sbp](https://github.com/sspans-sbp)) +- Change the deprecation warning to mention inputs [#5668](https://github.com/inspec/inspec/pull/5668) ([damacus](https://github.com/damacus)) +- Build packages for debian 11, macos 12, windows 11/2022 [#5675](https://github.com/inspec/inspec/pull/5675) ([tas50](https://github.com/tas50)) +- Fix --controls option was not working for dependent profile [#5656](https://github.com/inspec/inspec/pull/5656) ([Vasu1105](https://github.com/Vasu1105)) +- Fix opa_cli and opa_api resource unable to verify empty result {} [#5671](https://github.com/inspec/inspec/pull/5671) ([Vasu1105](https://github.com/Vasu1105)) + + ## [v4.41.20](https://github.com/inspec/inspec/tree/v4.41.20) (2021-09-01) #### Merged Pull Requests @@ -63,7 +61,6 @@ - Update location of default branch for omnibus and omnibus-software [#5648](https://github.com/inspec/inspec/pull/5648) ([clintoncwolfe](https://github.com/clintoncwolfe)) - Fix url fetcher when default git profile branch is not master [#5638](https://github.com/inspec/inspec/pull/5638) ([Nik08](https://github.com/Nik08)) - Fix tags processing issue in profiles [#5643](https://github.com/inspec/inspec/pull/5643) ([Nik08](https://github.com/Nik08)) - ## [v4.41.2](https://github.com/inspec/inspec/tree/v4.41.2) (2021-08-16) diff --git a/Dockerfile b/Dockerfile index ebaa58b7c..59b86cb60 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM ubuntu:18.04 LABEL maintainer="Chef Software, Inc. " -ARG VERSION=4.41.20 +ARG VERSION=4.46.13 ARG CHANNEL=stable ENV PATH=/opt/inspec/bin:/opt/inspec/embedded/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin From e1c0d2dccc5848746eb1377720a2ac496f1f9919 Mon Sep 17 00:00:00 2001 
From: Dishank Tiwari Date: Thu, 30 Sep 2021 12:02:12 +0530 Subject: [PATCH 454/483] Update docs-chef-io/content/inspec/resources/aws_ecr_repository.md Co-authored-by: Ian Maddaus --- docs-chef-io/content/inspec/resources/aws_ecr_repository.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/aws_ecr_repository.md b/docs-chef-io/content/inspec/resources/aws_ecr_repository.md index a3821f356..8168b83f8 100644 --- a/docs-chef-io/content/inspec/resources/aws_ecr_repository.md +++ b/docs-chef-io/content/inspec/resources/aws_ecr_repository.md @@ -11,7 +11,6 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_ecr_repository.md) Use the `aws_ecr_repository` InSpec audit resource to test the properties of a single AWS Elastic Container Registry (ECR) repository. This resource is available in InSpec AWS resource pack version **[1.11.0](https://github.com/inspec/inspec-aws/releases/tag/v1.11.0)** onwards. From d1fc83270dd8536aff661fdc6788477e850b7681 Mon Sep 17 00:00:00 2001 From: Dishank Tiwari Date: Thu, 30 Sep 2021 12:04:04 +0530 Subject: [PATCH 455/483] Update docs-chef-io/content/inspec/resources/aws_efs_file_system.md Co-authored-by: Ian Maddaus --- docs-chef-io/content/inspec/resources/aws_efs_file_system.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/aws_efs_file_system.md b/docs-chef-io/content/inspec/resources/aws_efs_file_system.md index eb4dae761..aaa39a9f4 100644 --- a/docs-chef-io/content/inspec/resources/aws_efs_file_system.md +++ b/docs-chef-io/content/inspec/resources/aws_efs_file_system.md 
@@ -11,7 +11,6 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/inspec/rources/aws_efs_file_system.md) Use the `aws_efs_file_system` InSpec audit resource to test the properties of a single AWS EFS file system. This resource is added to InSpec AWS resource pack in version **[1.10.0](https://github.com/inspec/inspec-aws/releases/tag/v1.10.0)** and it is available with InSpec **[4.18.108](https://github.com/inspec/inspec/releases/tag/v4.18.108)** and later versions. From 6e7b44fb4cb17477bf950d2cc5a56f11d6e85eec Mon Sep 17 00:00:00 2001 From: Dishank Tiwari Date: Thu, 30 Sep 2021 12:04:16 +0530 Subject: [PATCH 456/483] Update docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md Co-authored-by: Ian Maddaus --- docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md b/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md index 17ac23fac..fc25f2b1b 100644 --- a/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md +++ b/docs-chef-io/content/inspec/resources/aws_elasticache_cluster.md @@ -11,7 +11,6 @@ platform = "aws" parent = "inspec/resources/aws" +++ -[\[edit on GitHub\]](https://github.com/inspec/inspec/blob/main/docs-chef-io/content/aws_elasticache_cluster.md) Use the `aws_elasticache_cluster` InSpec audit resource to test the properties of a single AWS ElastiCache cluster. From 584bbfa3a3aae1f925abc1943811ee2309e7f455 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 30 Sep 2021 14:26:43 +0530 Subject: [PATCH 457/483] Updated test files to use Ubuntu latest version while mocking the OS instead of Ubuntu1404 whereever required. 
Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 2 +- test/unit/profiles/metadata_test.rb | 20 ++++++++++---------- test/unit/resources/bond_test.rb | 2 +- test/unit/resources/bridge_test.rb | 2 +- test/unit/resources/file_test.rb | 8 ++++---- test/unit/resources/group_test.rb | 10 +++++----- test/unit/resources/groups_test.rb | 2 +- test/unit/resources/host_test.rb | 6 +++--- test/unit/resources/ini_test.rb | 3 +-- test/unit/resources/interface_test.rb | 6 +++--- test/unit/resources/iptables_test.rb | 4 ++-- test/unit/resources/nginx_conf_test.rb | 12 ++++++------ test/unit/resources/package_test.rb | 4 ++-- test/unit/resources/service_test.rb | 4 ++-- test/unit/resources/user_test.rb | 8 ++++---- test/unit/resources/windows_hotfix_test.rb | 2 +- test/unit/resources/wmi_test.rb | 6 +++--- 17 files changed, 50 insertions(+), 51 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index 1ae52b94b..08dfed73b 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -42,7 +42,7 @@ class MockLoader OPERATING_SYSTEMS[:linux] = OPERATING_SYSTEMS[:ubuntu1604] # pass the os identifier to emulate a specific operating system - def initialize(os = :ubuntu1404) + def initialize(os = :ubuntu) # selects operating system @platform = OPERATING_SYSTEMS[os] end diff --git a/test/unit/profiles/metadata_test.rb b/test/unit/profiles/metadata_test.rb index 7a123d9d8..47921a824 100644 --- a/test/unit/profiles/metadata_test.rb +++ b/test/unit/profiles/metadata_test.rb @@ -13,8 +13,8 @@ describe "metadata with supported operating systems" do res end - describe "running on ubuntu 14.04" do - let(:backend) { MockLoader.new(:ubuntu1404).backend } + describe "running on ubuntu 20.04" do + let(:backend) { MockLoader.new(:ubuntu).backend } it "provides all metadata content" do s = "---\nname: hello #{rand}" 
@@ -146,8 +146,8 @@ EOF _(m).must_be :supports_platform?, backend end - it "loads a profile which supports release 14.04" do - m = supports_meta({ "release" => "14.04" }) + it "loads a profile which supports release 20.04" do + m = supports_meta({ "release" => "20.04" }) _(m).must_be :supports_platform?, backend end @@ -156,13 +156,13 @@ EOF _(m).wont_be :supports_platform?, backend end - it "loads a profile which supports ubuntu 14.04" do - m = supports_meta({ "os-name" => "ubuntu", "release" => "14.04" }) + it "loads a profile which supports ubuntu 20.04" do + m = supports_meta({ "os-name" => "ubuntu", "release" => "20.04" }) _(m).must_be :supports_platform?, backend end - it "loads a profile which supports ubuntu 14.*" do - m = supports_meta({ "os-name" => "ubuntu", "release" => "14.*" }) + it "loads a profile which supports ubuntu 20.*" do + m = supports_meta({ "os-name" => "ubuntu", "release" => "20.*" }) _(m).must_be :supports_platform?, backend end @@ -176,8 +176,8 @@ EOF _(m).wont_be :supports_platform?, backend end - it "loads a profile which supports ubuntu float 14.04 as parsed by yml" do - m = supports_meta({ "os-name" => "ubuntu", "release" => 14.04 }) + it "loads a profile which supports ubuntu float 20.04 as parsed by yml" do + m = supports_meta({ "os-name" => "ubuntu", "release" => 20.04 }) _(m).must_be :supports_platform?, backend end diff --git a/test/unit/resources/bond_test.rb b/test/unit/resources/bond_test.rb index 89618d16e..670a1d6a2 100644 --- a/test/unit/resources/bond_test.rb +++ b/test/unit/resources/bond_test.rb @@ -5,7 +5,7 @@ require "inspec/resources/bond" describe "Inspec::Resources::Bond" do it "check linux bond on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("bond", "bond0") + resource = MockLoader.new(:ubuntu).load_resource("bond", "bond0") # bond must be available _(resource.exist?).must_equal true # get bonding mode 
diff --git a/test/unit/resources/bridge_test.rb b/test/unit/resources/bridge_test.rb index 8a91e6b8f..0da748c88 100644 --- a/test/unit/resources/bridge_test.rb +++ b/test/unit/resources/bridge_test.rb @@ -5,7 +5,7 @@ require "inspec/resources/bridge" describe "Inspec::Resources::Bridge" do it "check linux bridge on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("bridge", "br0") + resource = MockLoader.new(:ubuntu).load_resource("bridge", "br0") _(resource.exists?).must_equal true # check network interfaced attached to bridge diff --git a/test/unit/resources/file_test.rb b/test/unit/resources/file_test.rb index ec7c8ee93..de80334e6 100644 --- a/test/unit/resources/file_test.rb +++ b/test/unit/resources/file_test.rb @@ -6,7 +6,7 @@ describe Inspec::Resources::FileResource do let(:file) { stub(unix_mode_mask: 000, mode: 000) } it "responds on Ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("file", "/fakepath/fakefile") + resource = MockLoader.new(:ubuntu).load_resource("file", "/fakepath/fakefile") resource.stubs(:exist?).returns(true) resource.stubs(:mounted?).returns(true) resource.stubs(:source_path).returns("/fakepath/fakefile") @@ -60,7 +60,7 @@ describe Inspec::Resources::FileResource do end it "does not support Windows-style ACL on Ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("file", "/fakepath/fakefile") + resource = MockLoader.new(:ubuntu).load_resource("file", "/fakepath/fakefile") resource.stubs(:exist?).returns(true) _(proc { resource.send("allowed?", "full-control", { by: "by_usergroup", by_user: "by_specific_user" }) }).must_raise(RuntimeError) _(proc { resource.send("allowed?", "modify", { by: "by_usergroup", by_user: "by_specific_user" }) }).must_raise(RuntimeError) 
@@ -90,7 +90,7 @@ describe Inspec::Resources::FileResource do let(:file) { stub(unix_mode_mask: 000, mode: 644) } it "more_permissive_than?" do - resource = MockLoader.new(:ubuntu1404).load_resource("file", "/fakepath/fakefile") + resource = MockLoader.new(:ubuntu).load_resource("file", "/fakepath/fakefile") # TODO: this is NOT a valid way to test. Please use _actual_ mock files # so we aren't beholden to the CI umask and other trivialities. @@ -106,7 +106,7 @@ describe Inspec::Resources::FileResource do end it "when file does not exist" do - resource = MockLoader.new(:ubuntu1404).load_resource("file", "file_does_not_exist") + resource = MockLoader.new(:ubuntu).load_resource("file", "file_does_not_exist") assert_nil(resource.send(:more_permissive_than?, nil)) end end diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb index 35e562bfb..bc6e72d97 100644 --- a/test/unit/resources/group_test.rb +++ b/test/unit/resources/group_test.rb 
@@ -5,32 +5,32 @@ describe "Inspec::Resources::Group" do # ubuntu 14.04 it "verify group on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("group", "root") + resource = MockLoader.new(:ubuntu).load_resource("group", "root") _(resource.exists?).must_equal true _(resource.gid).must_equal 0 end it "verify group on ubuntu with mixed case" do - resource = MockLoader.new(:ubuntu1404).load_resource("group", "GroupWithCaps") + resource = MockLoader.new(:ubuntu).load_resource("group", "GroupWithCaps") _(resource.exists?).must_equal true _(resource.gid).must_equal 999 end it "verify group on ubuntu with members" do - resource = MockLoader.new(:ubuntu1404).load_resource("group", "www-data") + resource = MockLoader.new(:ubuntu).load_resource("group", "www-data") _(resource.exists?).must_equal true _(resource.members).must_equal "www-data,root" end it "verify group on ubuntu with members_array" do - resource = MockLoader.new(:ubuntu1404).load_resource("group", "www-data") + resource = MockLoader.new(:ubuntu).load_resource("group", "www-data") _(resource.exists?).must_equal true _(resource.members_array).must_equal %w{www-data root} end # ubuntu with non-existent group it "verify group on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("group", "nogroup") + resource = MockLoader.new(:ubuntu).load_resource("group", "nogroup") _(resource.exists?).must_equal false _(resource.gid).must_be_nil end diff --git a/test/unit/resources/groups_test.rb b/test/unit/resources/groups_test.rb index 2dda3a9fc..b48e6b3f2 100644 --- a/test/unit/resources/groups_test.rb +++ b/test/unit/resources/groups_test.rb @@ -3,7 +3,7 @@ require "inspec/resource" require "inspec/resources/groups" describe "groups resource on unix platform" do - let(:resource) { MockLoader.new(:ubuntu1404).load_resource("groups") } + let(:resource) { MockLoader.new(:ubuntu).load_resource("groups") } describe "no arguments" do it "finds all group names" do 
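Review bot: The `# ubuntu 14.04` comment that stays as context at the top of this hunk now names the wrong release, because every loader below it becomes `MockLoader.new(:ubuntu)`, which mock_loader.rb defines as release 20.04. The same stale comment survives in the iptables_test.rb and windows_hotfix_test.rb hunks of this patch, and as `# ubuntu 14.04 test with ldap user` in user_test.rb. The commit already rewrites the equivalent comments in interface_test.rb and wmi_test.rb, so these should follow suit: `# ubuntu` here, and `# ubuntu test with ldap user` in user_test.rb. The enclosing `describe` block starts and ends outside the hunk.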
diff --git a/test/unit/resources/host_test.rb b/test/unit/resources/host_test.rb index cd127cd8a..4e8775a28 100644 --- a/test/unit/resources/host_test.rb +++ b/test/unit/resources/host_test.rb @@ -5,7 +5,7 @@ require "inspec/resources/host" describe "Inspec::Resources::Host" do it "check host ping on ubuntu with dig" do - resource = MockLoader.new(:ubuntu1404).load_resource("host", "example.com") + resource = MockLoader.new(:ubuntu).load_resource("host", "example.com") _(resource.resolvable?).must_equal true _(resource.reachable?).must_equal true _(resource.ipaddress).must_equal ["12.34.56.78", "2606:2800:220:1:248:1893:25c8:1946"] @@ -45,7 +45,7 @@ describe "Inspec::Resources::Host" do end it "check host tcp on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("host", "example.com", port: 1234, protocol: "tcp") + resource = MockLoader.new(:ubuntu).load_resource("host", "example.com", port: 1234, protocol: "tcp") _(resource.resolvable?).must_equal true _(resource.reachable?).must_equal true _(resource.ipaddress).must_equal ["12.34.56.78", "2606:2800:220:1:248:1893:25c8:1946"] @@ -53,7 +53,7 @@ describe "Inspec::Resources::Host" do end it "check host udp on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("host", "example.com", port: 1234, protocol: "udp") + resource = MockLoader.new(:ubuntu).load_resource("host", "example.com", port: 1234, protocol: "udp") _(resource.resolvable?).must_equal true _(resource.reachable?).must_equal true _(resource.ipaddress).must_equal ["12.34.56.78", "2606:2800:220:1:248:1893:25c8:1946"] diff --git a/test/unit/resources/ini_test.rb b/test/unit/resources/ini_test.rb index 08e1f6830..c1f1ec8d8 100644 --- a/test/unit/resources/ini_test.rb +++ b/test/unit/resources/ini_test.rb 
@@ -3,9 +3,8 @@ require "inspec/resource" require "inspec/resources/ini" describe "Inspec::Resources::Ini" do - it "check ini parsing on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("ini", "rootwrap.conf") + resource = MockLoader.new(:ubuntu).load_resource("ini", "rootwrap.conf") result = { "DEFAULT" => { "filters_path" => "/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap", "exec_dirs" => "/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin" } } _(resource.params).must_equal result _(resource.value(%w{DEFAULT exec_dirs})).must_equal "/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin" diff --git a/test/unit/resources/interface_test.rb b/test/unit/resources/interface_test.rb index b461f9910..03e48d716 100644 --- a/test/unit/resources/interface_test.rb +++ b/test/unit/resources/interface_test.rb @@ -4,9 +4,9 @@ require "inspec/resources/interface" describe "Inspec::Resources::Interface" do - # ubuntu 14.04 + # ubuntu it "verify interface on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("interface", "eth0") + resource = MockLoader.new(:ubuntu).load_resource("interface", "eth0") _(resource.exists?).must_equal true _(resource.up?).must_equal true _(resource.speed).must_equal 10000 @@ -23,7 +23,7 @@ describe "Inspec::Resources::Interface" do end it "verify invalid interface on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("interface", "eth1") + resource = MockLoader.new(:ubuntu).load_resource("interface", "eth1") _(resource.exists?).must_equal false _(resource.up?).must_equal false _(resource.name).must_be_nil diff --git a/test/unit/resources/iptables_test.rb b/test/unit/resources/iptables_test.rb index ce641b298..5a430daf8 100644 --- a/test/unit/resources/iptables_test.rb +++ b/test/unit/resources/iptables_test.rb 
@@ -6,13 +6,13 @@ describe "Inspec::Resources::Iptables" do # ubuntu 14.04 it "verify iptables on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("iptables") + resource = MockLoader.new(:ubuntu).load_resource("iptables") _(resource.has_rule?("-P OUTPUT ACCEPT")).must_equal true _(resource.has_rule?("-P OUTPUT DROP")).must_equal false end it "verify iptables with comments on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("iptables") + resource = MockLoader.new(:ubuntu).load_resource("iptables") _(resource.has_rule?('-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m comment --comment "http like its 1990" -j ACCEPT')).must_equal true end diff --git a/test/unit/resources/nginx_conf_test.rb b/test/unit/resources/nginx_conf_test.rb index 274775f01..e21b71afa 100644 --- a/test/unit/resources/nginx_conf_test.rb +++ b/test/unit/resources/nginx_conf_test.rb 
@@ -7,27 +7,27 @@ describe "Inspec::Resources::NginxConf" do # nginx_conf toplevel comment. next if Gem.win_platform? - let(:nginx_conf) { MockLoader.new(:ubuntu1404).load_resource("nginx_conf") } + let(:nginx_conf) { MockLoader.new(:ubuntu).load_resource("nginx_conf") } it "doesnt fail with a missing file" do # This path is not mocked because we cannot mock File.exist? # ...As far as I know - nginx_conf = MockLoader.new(:ubuntu1404).load_resource("nginx_conf", "/this/path/does/not/exist") + nginx_conf = MockLoader.new(:ubuntu).load_resource("nginx_conf", "/this/path/does/not/exist") _(nginx_conf.params).must_equal({}) end it "does not fail with an empty file" do - nginx_conf = MockLoader.new(:ubuntu1404).load_resource("nginx_conf", "/etc/nginx/conf.d/empty.conf") + nginx_conf = MockLoader.new(:ubuntu).load_resource("nginx_conf", "/etc/nginx/conf.d/empty.conf") _(nginx_conf.params).must_equal({}) end it "does not fail with a file that all lines are commented out" do - nginx_conf = MockLoader.new(:ubuntu1404).load_resource("nginx_conf", "/etc/nginx/conf.d/comments_only.conf") + nginx_conf = MockLoader.new(:ubuntu).load_resource("nginx_conf", "/etc/nginx/conf.d/comments_only.conf") _(nginx_conf.params).must_equal({}) end it "doesnt fail with an incorrect file" do - nginx_conf = MockLoader.new(:ubuntu1404).load_resource("nginx_conf", "/etc/passwd") + nginx_conf = MockLoader.new(:ubuntu).load_resource("nginx_conf", "/etc/passwd") _(nginx_conf.params).must_equal({}) end @@ -111,7 +111,7 @@ describe "Inspec::Resources::NginxConf" do end it "skips the resource if it cannot parse the config" do - resource = MockLoader.new(:ubuntu1404).load_resource("nginx_conf", "/etc/nginx/failed.conf") + resource = MockLoader.new(:ubuntu).load_resource("nginx_conf", "/etc/nginx/failed.conf") _(resource.params).must_equal({}) _(resource.resource_exception_message).must_equal "Cannot parse NginX config in /etc/nginx/failed.conf." end 
diff --git a/test/unit/resources/package_test.rb b/test/unit/resources/package_test.rb index a17452db2..959b00d2c 100644 --- a/test/unit/resources/package_test.rb +++ b/test/unit/resources/package_test.rb @@ -14,7 +14,7 @@ describe "Inspec::Resources::Package" do # ubuntu it "verify ubuntu package parsing" do - resource = MockLoader.new(:ubuntu1404).load_resource("package", "curl") + resource = MockLoader.new(:ubuntu).load_resource("package", "curl") pkg = { name: "curl", installed: true, held: false, version: "7.35.0-1ubuntu2", type: "deb" } _(resource.installed?).must_equal true _(resource.held?).must_equal false @@ -23,7 +23,7 @@ describe "Inspec::Resources::Package" do end it "verify ubuntu package which is held" do - resource = MockLoader.new(:ubuntu1404).load_resource("package", "held-package") + resource = MockLoader.new(:ubuntu).load_resource("package", "held-package") pkg = { name: "held-package", installed: true, held: true, version: "1.2.3-1", type: "deb" } _(resource.installed?).must_equal true _(resource.held?).must_equal true diff --git a/test/unit/resources/service_test.rb b/test/unit/resources/service_test.rb index 373db8d19..9de46c9a6 100644 --- a/test/unit/resources/service_test.rb +++ b/test/unit/resources/service_test.rb @@ -21,7 +21,7 @@ describe "Inspec::Resources::Service" do _(resource.params).must_equal params end - # ubuntu 14.04 with upstart + # ubuntu it "verify ubuntu service parsing" do resource = MockLoader.new(:ubuntu1404).load_resource("service", "ssh") params = Hashie::Mash.new({}) @@ -35,7 +35,7 @@ describe "Inspec::Resources::Service" do end it "verify ubuntu service parsing with default upstart_service" do - resource = MockLoader.new(:ubuntu1404).load_resource("upstart_service", "ssh") + resource = MockLoader.new(:ubuntu).load_resource("upstart_service", "ssh") params = Hashie::Mash.new({}) _(resource.type).must_equal "upstart" _(resource.name).must_equal "ssh" 
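Review bot: In the first service_test.rb hunk the comment is shortened from `# ubuntu 14.04 with upstart` to `# ubuntu`, but the test under it still loads `MockLoader.new(:ubuntu1404)` and that line is unchanged context. The old comment was the only visible explanation of why this one test stays on the old release, presumably because the `service` resource picks upstart from the platform release. I would keep it and make the reason explicit, for example `# ubuntu 14.04 with upstart; stays on :ubuntu1404 to cover upstart auto-detection`. The second hunk moves the `upstart_service` test to `:ubuntu` while still expecting `type` to equal "upstart", so a short comment there saying the resource forces the init system regardless of release would help the next reader. Both tests continue outside their hunks.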
diff --git a/test/unit/resources/user_test.rb b/test/unit/resources/user_test.rb index 73abccf0b..e1a869373 100644 --- a/test/unit/resources/user_test.rb +++ b/test/unit/resources/user_test.rb @@ -5,9 +5,9 @@ require "inspec/resources/command" describe "Inspec::Resources::User" do - # ubuntu 14.04 with upstart + # ubuntu it "read user on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("user", "root") + resource = MockLoader.new(:ubuntu).load_resource("user", "root") _(resource.exists?).must_equal true _(resource.group).must_equal "root" _(resource.groups).must_equal ["root"] @@ -20,7 +20,7 @@ describe "Inspec::Resources::User" do # ubuntu 14.04 test with ldap user it "read user on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("user", "jfolmer") + resource = MockLoader.new(:ubuntu).load_resource("user", "jfolmer") _(resource.exists?).must_equal true _(resource.group).must_equal "domain users" _(resource.groups).must_equal ["domain users", "domain admins", "denied rodc password replication group"] @@ -33,7 +33,7 @@ describe "Inspec::Resources::User" do # serverspec compatibility tests (do not test matcher) it "returns deprecation notices" do - resource = MockLoader.new(:ubuntu1404).load_resource("user", "root") + resource = MockLoader.new(:ubuntu).load_resource("user", "root") expect_deprecation(:resource_user_serverspec_compat) do _(resource.has_uid?(0)).must_equal true diff --git a/test/unit/resources/windows_hotfix_test.rb b/test/unit/resources/windows_hotfix_test.rb index 2acc7f46c..261324478 100644 --- a/test/unit/resources/windows_hotfix_test.rb +++ b/test/unit/resources/windows_hotfix_test.rb @@ -6,7 +6,7 @@ describe "Inspec::Resources::WindowsHotfix" do # ubuntu 14.04 it "fail windows_hotfix fails on ubuntu" do - resource = MockLoader.new(:ubuntu1404).load_resource("windows_hotfix", "KB4019215") + resource = MockLoader.new(:ubuntu).load_resource("windows_hotfix", "KB4019215") _(resource.installed?).must_equal false end 
diff --git a/test/unit/resources/wmi_test.rb b/test/unit/resources/wmi_test.rb
index 04e0e8838..afc79dab3 100644
--- a/test/unit/resources/wmi_test.rb
+++ b/test/unit/resources/wmi_test.rb
@@ -19,11 +19,11 @@ describe "Inspec::Resources::WMI" do
 _(resource.send("DisplayName")).must_equal "Windows Remote Management (WS-Management)"
 end
 
- # ubuntu 14.04 with upstart
+ # ubuntu
 it "fail wmi on ubuntu" do
- resource = MockLoader.new(:ubuntu1404).load_resource("wmi", { class: "win32_service", filter: "name like '%winrm%'" })
+ resource = MockLoader.new(:ubuntu).load_resource("wmi", { class: "win32_service", filter: "name like '%winrm%'" })
 _(resource.resource_failed?).must_equal true
 _(resource.resource_exception_message)
- .must_equal "Resource `wmi` is not supported on platform ubuntu/14.04."
+ .must_equal "Resource `wmi` is not supported on platform ubuntu/20.04."
 end
 end
From 86391be836af9aeb11eea364c7e89e1f92ab9036 Mon Sep 17 00:00:00 2001
From: Vasu1105
Date: Thu, 30 Sep 2021 14:50:03 +0530
Subject: [PATCH 458/483] Updated test files to use Ubuntu latest version while mocking the OS instead of Ubuntu1604
Signed-off-by: Vasu1105
---
 test/helpers/mock_loader.rb | 1 -
 test/unit/resources/interfaces_test.rb | 4 ++--
 test/unit/resources/packages_test.rb | 16 ++++++++--------
 3 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb
index 08dfed73b..d77870877 100644
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
@@ -19,7 +19,6 @@ class MockLoader macos10_10: { name: "mac_os_x", family: "darwin", release: "10.10.4", arch: nil }, macos10_16: { name: "darwin", family: "darwin", release: "10.16", arch: nil }, ubuntu1404: { name: "ubuntu", family: "debian", release: "14.04", arch: "x86_64" }, - ubuntu1604: { name: "ubuntu", family: "debian", release: "16.04", arch: "x86_64" }, ubuntu1804: { name: "ubuntu", family: "debian", release: "18.04", arch: "x86_64" }, ubuntu: { name: "ubuntu", family: "debian", release: "20.04", arch: "x86_64" }, mint17: { name: "linuxmint", family: "debian", release: "17.3", arch: "x86_64" }, diff --git a/test/unit/resources/interfaces_test.rb b/test/unit/resources/interfaces_test.rb index 1551d6dc0..8cac5ddfb 100644 --- a/test/unit/resources/interfaces_test.rb +++ b/test/unit/resources/interfaces_test.rb @@ -4,9 +4,9 @@ require "inspec/resources/interfaces" describe "Inspec::Resources::Interfaces" do - # ubuntu 16.04 + # ubuntu it "verify interface on ubuntu" do - resource = MockLoader.new(:ubuntu1604).load_resource("interfaces") + resource = MockLoader.new(:ubuntu).load_resource("interfaces") _(resource.exist?).must_equal true _(resource.names).must_equal %w{eth0 lo} _(resource.ipv4_address).must_equal "127.0.0.1" diff --git a/test/unit/resources/packages_test.rb b/test/unit/resources/packages_test.rb index dd00dfcd4..3cc2d8bdc 100644 --- a/test/unit/resources/packages_test.rb +++ b/test/unit/resources/packages_test.rb @@ -4,7 +4,7 @@ require "inspec/resources/packages" describe "Inspec::Resources::Packages" do it "verify packages resource" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /^vim$/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /^vim$/) _(resource.entries.length).must_equal 1 _(resource.entries[0].to_h).must_equal({ status: "installed", 
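Review bot: Removing the `ubuntu1604:` entry in the mock_loader.rb hunk leaves the alias `OPERATING_SYSTEMS[:linux] = OPERATING_SYSTEMS[:ubuntu1604]` pointing at a key that no longer exists; that alias is visible as context in the previous patch's mock_loader.rb hunk. At this commit `:linux` therefore resolves to nil, and `MockLoader.new(:linux)` would get a nil platform. The alias is only repointed in the following patch (459), so this commit cannot be tested or bisected on its own. The one-line change `OPERATING_SYSTEMS[:linux] = OPERATING_SYSTEMS[:ubuntu]` belongs in this commit, together with the entry removal. The hash literal starts and ends outside the hunk.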
@@ -15,12 +15,12 @@ describe "Inspec::Resources::Packages" do end it "package name matches with output (string)" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", "xserver-xorg") + resource = MockLoader.new(:ubuntu).load_resource("packages", "xserver-xorg") _(resource.to_s).must_equal 'Packages /xserver\\-xorg/' end it "packages using where filters" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /.+root$/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /.+root$/) _(resource.entries.length).must_equal 3 _(resource.where { status != "installed" }.names).must_equal(%w{fakeroot libfakeroot}) _(resource.where { version =~ /^0\.2.+/ }.entries[0].to_h).must_equal({ @@ -32,23 +32,23 @@ describe "Inspec::Resources::Packages" do end it "package name matches with output (regex)" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /vim/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /vim/) _(resource.to_s).must_equal "Packages /vim/" end it "returns a list of packages with a wildcard" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /^xserver-xorg.*/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /^xserver-xorg.*/) _(resource.statuses).must_equal ["installed"] _(resource.entries.length).must_equal 3 end it "all packages on Ubuntu" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /.+/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /.+/) _(resource.entries.length).must_equal 14 end it "can find packages with same name but different architectures on Ubuntu" do - resource = MockLoader.new(:ubuntu1604).load_resource("packages", /libc6/) + resource = MockLoader.new(:ubuntu).load_resource("packages", /libc6/) _(resource.architectures).must_include "amd64" _(resource.architectures).must_include "i386" end 
@@ -84,7 +84,7 @@ describe "Inspec::Resources::Packages" do # rubocop:disable Style/BlockDelimiters it "fails if the packages name is not a string or regexp" do _ { - resources = MockLoader.new(:ubuntu1604).load_resource("packages", %i{a b}) + resources = MockLoader.new(:ubuntu).load_resource("packages", %i{a b}) resources.send(:entries, nil) }.must_raise(RuntimeError) end From ff65112ab552a134fa548ddaa9f80051fa8299e6 Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Thu, 30 Sep 2021 15:03:11 +0530 Subject: [PATCH 459/483] Updated test files to use Ubuntu latest version while mocking the OS instead of Ubuntu1804 Signed-off-by: Vasu1105 --- test/helpers/mock_loader.rb | 3 +-- test/unit/resources/port_test.rb | 22 +++++++++++----------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index d77870877..6345c6420 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb @@ -19,7 +19,6 @@ class MockLoader macos10_10: { name: "mac_os_x", family: "darwin", release: "10.10.4", arch: nil }, macos10_16: { name: "darwin", family: "darwin", release: "10.16", arch: nil }, ubuntu1404: { name: "ubuntu", family: "debian", release: "14.04", arch: "x86_64" }, - ubuntu1804: { name: "ubuntu", family: "debian", release: "18.04", arch: "x86_64" }, ubuntu: { name: "ubuntu", family: "debian", release: "20.04", arch: "x86_64" }, mint17: { name: "linuxmint", family: "debian", release: "17.3", arch: "x86_64" }, mint18: { name: "linuxmint", family: "debian", release: "18", arch: "x86_64" }, @@ -38,7 +37,7 @@ class MockLoader undefined: { name: nil, family: nil, release: nil, arch: nil }, } - OPERATING_SYSTEMS[:linux] = OPERATING_SYSTEMS[:ubuntu1604] + OPERATING_SYSTEMS[:linux] = OPERATING_SYSTEMS[:ubuntu] # pass the os identifier to emulate a specific operating system def initialize(os = :ubuntu) 
diff --git a/test/unit/resources/port_test.rb b/test/unit/resources/port_test.rb index a0614ff6f..aa5ea3a8f 100644 --- a/test/unit/resources/port_test.rb +++ b/test/unit/resources/port_test.rb @@ -3,8 +3,8 @@ require "inspec/resource" require "inspec/resources/port" describe "Inspec::Resources::Port" do - it "verify port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", 22) + it "verify port on Ubuntu" do + resource = MockLoader.new(:ubuntu).load_resource("port", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.pids).must_equal [1222] @@ -13,7 +13,7 @@ describe "Inspec::Resources::Port" do end it "lists all ports" do - resource = MockLoader.new(:ubuntu1804).load_resource("port") + resource = MockLoader.new(:ubuntu).load_resource("port") _(resource.entries.length).must_equal 9 _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ udp tcp tcp6 } @@ -23,7 +23,7 @@ describe "Inspec::Resources::Port" do end it "filter ports by conditions" do - resource = MockLoader.new(:ubuntu1804).load_resource("port").where { protocol =~ /udp/i } + resource = MockLoader.new(:ubuntu).load_resource("port").where { protocol =~ /udp/i } _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -32,8 +32,8 @@ describe "Inspec::Resources::Port" do _(resource.addresses).must_equal ["0.0.0.0"] end - it "verify UDP port on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", 68) + it "verify UDP port on Ubuntu" do + resource = MockLoader.new(:ubuntu).load_resource("port", 68) _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] 
@@ -43,7 +43,7 @@ describe "Inspec::Resources::Port" do end it "accepts the port as a string" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", "68") + resource = MockLoader.new(:ubuntu).load_resource("port", "68") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["udp"] @@ -53,7 +53,7 @@ describe "Inspec::Resources::Port" do end it "properly handles multiple processes using one fd" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", "80") + resource = MockLoader.new(:ubuntu).load_resource("port", "80") _(resource.entries.length).must_equal 1 _(resource.listening?).must_equal true _(resource.protocols).must_equal ["tcp"] @@ -63,7 +63,7 @@ describe "Inspec::Resources::Port" do end it "properly handles a IPv4 address in a v6 listing" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", 9200) + resource = MockLoader.new(:ubuntu).load_resource("port", 9200) _(resource.protocols).must_equal %w{ tcp tcp6 } _(resource.addresses).must_equal ["10.0.2.15", "fe80::a00:27ff:fe32:ed09"] end @@ -185,7 +185,7 @@ describe "Inspec::Resources::Port" do end it "verify port and interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", "0.0.0.0", 22) + resource = MockLoader.new(:ubuntu).load_resource("port", "0.0.0.0", 22) _(resource.listening?).must_equal true _(resource.protocols).must_equal %w{ tcp } _(resource.pids).must_equal [1222] @@ -194,7 +194,7 @@ describe "Inspec::Resources::Port" do end it "verify not listening port on interface on Ubuntu 14.04" do - resource = MockLoader.new(:ubuntu1804).load_resource("port", "127.0.0.1", 22) + resource = MockLoader.new(:ubuntu).load_resource("port", "127.0.0.1", 22) _(resource.listening?).must_equal false _(resource.addresses).must_equal [] end From b4ca1914c4417bf189f352576feb055eca9c96b8 Mon Sep 17 00:00:00 2001 
From: Nikita Mathur Date: Thu, 30 Sep 2021 16:09:05 +0530 Subject: [PATCH 460/483] Add support for Cassandra DB resources Signed-off-by: Nikita Mathur --- .../inspec/resources/cassandradb_conf.md | 45 +++++++++++ .../inspec/resources/cassandradb_session.md | 76 +++++++++++++++++++ lib/inspec/resources.rb | 3 + lib/inspec/resources/cassandra.rb | 64 ++++++++++++++++ lib/inspec/resources/cassandradb_conf.rb | 47 ++++++++++++ lib/inspec/resources/cassandradb_session.rb | 69 +++++++++++++++++ test/fixtures/cmd/cassandra-connection-error | 1 + .../fixtures/cmd/cassandra-connection-success | 1 + test/fixtures/cmd/env | 1 + .../cmd/fetch-cassandra-conf-in-windows | 1 + test/fixtures/files/cassandra.yaml | 6 ++ test/helpers/mock_loader.rb | 3 + test/unit/resources/cassandradb_conf_test.rb | 33 ++++++++ .../resources/cassandradb_session_test.rb | 51 +++++++++++++ 14 files changed, 401 insertions(+) create mode 100644 docs-chef-io/content/inspec/resources/cassandradb_conf.md create mode 100644 docs-chef-io/content/inspec/resources/cassandradb_session.md create mode 100644 lib/inspec/resources/cassandra.rb create mode 100644 lib/inspec/resources/cassandradb_conf.rb create mode 100644 lib/inspec/resources/cassandradb_session.rb create mode 100644 test/fixtures/cmd/cassandra-connection-error create mode 100644 test/fixtures/cmd/cassandra-connection-success create mode 100644 test/fixtures/cmd/fetch-cassandra-conf-in-windows create mode 100644 test/fixtures/files/cassandra.yaml create mode 100644 test/unit/resources/cassandradb_conf_test.rb create mode 100644 test/unit/resources/cassandradb_session_test.rb diff --git a/docs-chef-io/content/inspec/resources/cassandradb_conf.md b/docs-chef-io/content/inspec/resources/cassandradb_conf.md new file mode 100644 index 000000000..0aaf92422 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/cassandradb_conf.md 
@@ -0,0 +1,45 @@ ++++ +title = "cassandradb_conf resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "cassandradb_conf" + identifier = "inspec/resources/os/cassandradb_conf.md cassandradb_conf resource" + parent = "inspec/resources/os" ++++ + +Use the `cassandradb_conf` Chef InSpec audit resource to test the configurations of Cassandra DB, typically located at `$CASSANDRA_HOME/cassandra.yaml` or `$CASSANDRA_HOME\conf\cassandra.yaml` depending upon the platform. + +## Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Requirements + +- Value for environment variable `CASSANDRA_HOME` should be set in the system. + +## Syntax + +A `cassandradb_conf` resource block fetches configurations in the `cassandra.yaml` file, and then compares them with the value stated in the test: + + describe cassandradb_conf do + its('config item') { should eq 'value' } + end + +## Examples + +The following examples show how to use this Chef InSpec audit resource. + +### Test parameters set within the configuration file + + describe cassandradb_conf do + its('listen_address') { should eq 'localhost' } + its('num_tokens') { should eq 16 } + end + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/docs-chef-io/content/inspec/resources/cassandradb_session.md b/docs-chef-io/content/inspec/resources/cassandradb_session.md new file mode 100644 index 000000000..2e724bbe9 --- /dev/null +++ b/docs-chef-io/content/inspec/resources/cassandradb_session.md 
@@ -0,0 +1,76 @@ ++++ +title = "cassandradb_session resource" +draft = false +gh_repo = "inspec" +platform = "os" + +[menu] + [menu.inspec] + title = "cassandradb_session" + identifier = "inspec/resources/os/cassandradb_session.md cassandradb_session resource" + parent = "inspec/resources/os" ++++ + +Use the `cassandradb_session` Chef InSpec audit resource to test CQL commands run against a Cassandra database. + +## Availability + +### Installation + +This resource is distributed along with Chef InSpec itself. You can use it automatically. + +## Syntax + +A `cassandradb_session` resource block declares the server, database, username and password to use for the session, and then the command to be run: + + describe cassandradb_session(user: 'USERNAME', password: 'PASSWORD', host: 'localhost', port: 9042).query('QUERY') do + its('value') { should eq('EXPECTED') } + end + +where + +- `cassandradb_session` declares a username, password, host and port to run the query. +- `query('QUERY')` contains the query to be run. +- `its('value') { should eq('expected') }` compares the results of the query against the expected result in the test. + +### Optional Parameters + +The `cassandradb_session` InSpec resource accepts `user`, `password`, `host` and `port` parameters. + +In Particular: + +#### `user` + +Default value: `cassandra`. + +#### `password` + +Default value: `cassandra`. + +## Examples + +The following examples show how to use this Chef InSpec audit resource. 
+ +### Test for matching values using cassandra query + +```ruby +cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042) + +describe cql.query("SELECT cluster_name FROM system.local") do + its('output') { should match /Test Cluster/ } +end +``` + +### Test for matching values using cassandra query from a sample database + +```ruby +cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042) + +describe cql.query("use SAMPLEDB; SELECT name FROM SAMPLETABLE") do + its('output') { should match /Test Name/ } +end +``` + +## Matchers + +For a full list of available matchers, please visit our [matchers page](/inspec/matchers/). diff --git a/lib/inspec/resources.rb b/lib/inspec/resources.rb index 7b780221e..486a19947 100644 --- a/lib/inspec/resources.rb +++ b/lib/inspec/resources.rb @@ -37,6 +37,9 @@ require "inspec/resources/chocolatey_package" require "inspec/resources/command" require "inspec/resources/cran" require "inspec/resources/cpan" +require "inspec/resources/cassandradb_session" +require "inspec/resources/cassandradb_conf" +require "inspec/resources/cassandra" require "inspec/resources/crontab" require "inspec/resources/dh_params" require "inspec/resources/directory" diff --git a/lib/inspec/resources/cassandra.rb b/lib/inspec/resources/cassandra.rb new file mode 100644 index 000000000..1c1d4e0d2 --- /dev/null +++ b/lib/inspec/resources/cassandra.rb 
@@ -0,0 +1,64 @@ +module Inspec::Resources + class Cassandra < Inspec.resource(1) + name "cassandra" + supports platform: "unix" + supports platform: "windows" + + desc "The 'cassandra' resource is a helper for the 'cql_conf'" + + attr_reader :conf_path + + def initialize + case inspec.os[:family] + when "debian", "redhat", "linux", "suse" + determine_conf_dir_and_path_in_linux + when "windows" + determine_conf_dir_and_path_in_windows + end + end + + def to_s + "CassandraDB" + end + + private + + def determine_conf_dir_and_path_in_linux + cassandra_home = inspec.os_env("CASSANDRA_HOME").content + + if cassandra_home.nil? || cassandra_home.empty? + warn "$CASSANDRA_HOME env value not set in the system" + nil + else + conf_path = "#{cassandra_home}/cassandra.yaml" + if !inspec.file(conf_path).exist? + warn "No cassandra conf file found in CASSANDRA_HOME directory" + nil + else + @conf_path = conf_path + end + end + rescue => e + fail_resource "Errors reading cassandra conf file: #{e}" + end + + def determine_conf_dir_and_path_in_windows + cassandra_home = inspec.os_env("CASSANDRA_HOME").content + + if cassandra_home.nil? || cassandra_home.empty? + warn "CASSANDRA_HOME env value not set in the system" + nil + else + conf_path = "#{cassandra_home}\\conf\\cassandra.yaml" + if !inspec.file(conf_path).exist? + warn "No cassandra conf file found in CASSANDRA_HOME\\conf" + nil + else + @conf_path = conf_path + end + end + rescue => e + fail_resource "Errors reading cassandra conf file: #{e}" + end + end +end diff --git a/lib/inspec/resources/cassandradb_conf.rb b/lib/inspec/resources/cassandradb_conf.rb new file mode 100644 index 000000000..da3f84cd8 --- /dev/null +++ b/lib/inspec/resources/cassandradb_conf.rb 
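Review bot: `initialize` only resolves a config path for the `debian`, `redhat`, `linux`, `suse` and `windows` families, so on any other family covered by `supports platform: "unix"` the `case` falls through and `conf_path` stays nil without this helper saying why. An `else` branch that calls `warn` (or `fail_resource`) would make that visible. The two `determine_conf_dir_and_path_in_*` methods differ only in the path they build and could share one private helper that takes the relative path. The `desc` string also names `cql_conf`, while the resource added in this series is `cassandradb_conf`.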
@@ -0,0 +1,47 @@ +require "inspec/resources/json" +require "inspec/resources/cassandra" + +module Inspec::Resources + class CassandradbConf < JsonConfig + name "cassandradb_conf" + supports platform: "unix" + supports platform: "windows" + desc "Use the cql_conf InSpec audit resource to test the contents of the configuration file for Cassandra DB" + example <<~EXAMPLE + describe cassandradb_conf do + its('listen_address') { should eq '0.0.0.0' } + end + EXAMPLE + + def initialize(conf_path = nil) + cassandra = nil + if conf_path.nil? + cassandra = inspec.cassandra + @conf_path = cassandra.conf_path + else + @conf_path = conf_path + end + + if cassandra && cassandra.resource_failed? + raise cassandra.resource_exception_message + elsif @conf_path.nil? + return skip_resource "Cassandra db conf path is not set" + end + + super(@conf_path) + end + + private + + def parse(content) + YAML.load(content) + rescue => e + raise Inspec::Exceptions::ResourceFailed, "Unable to parse `cassandra.yaml` file: #{e.message}" + end + + def resource_base_name + "Cassandra Configuration" + end + + end +end diff --git a/lib/inspec/resources/cassandradb_session.rb b/lib/inspec/resources/cassandradb_session.rb new file mode 100644 index 000000000..8991b4214 --- /dev/null +++ b/lib/inspec/resources/cassandradb_session.rb 
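Review bot: `parse` calls `YAML.load(content)` on a file read from the system under audit, and on Psych versions before 4 (the Ruby 2.7 line this series pins in `omnibus_overrides.rb`) that call can instantiate arbitrary Ruby objects from YAML tags. `YAML.safe_load(content)` restricts the result to plain data types, which is all the `cassandra.yaml` fixture in this patch uses. If real configs rely on YAML aliases, `aliases: true` would be needed as well, which is worth confirming against a stock file. The `desc` string refers to `cql_conf` although the resource is named `cassandradb_conf`.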
@@ -0,0 +1,69 @@ +module Inspec::Resources + class Lines + attr_reader :output, :exit_status + + def initialize(raw, desc, exit_status) + @output = raw + @desc = desc + @exit_status = exit_status + end + + def to_s + @desc + end + end + + class CassandradbSession < Inspec.resource(1) + name "cassandradb_session" + supports platform: "unix" + supports platform: "windows" + desc "Use the cassandradb_session InSpec resource to test commands against an Cassandra database" + example <<~EXAMPLE + cql = cassandradb_session(user: 'my_user', password: 'password', host: 'host', port: 'port') + describe cql.query("SELECT cluster_name FROM system.local") do + its('output') { should match /Test Cluster/ } + end + EXAMPLE + + attr_reader :user, :password, :host, :port + + def initialize(opts = {}) + @user = opts[:user] || "cassandra" + @password = opts[:password] || "cassandra" + @host = opts[:host] + @port = opts[:port] + end + + def query(q) + cassandra_cmd = create_cassandra_cmd(q) + cmd = inspec.command(cassandra_cmd) + out = cmd.stdout + "\n" + cmd.stderr + if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/ + raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}" + else + Lines.new(cmd.stdout.strip, "Cassandra query: #{q}", cmd.exit_status) + end + end + + def to_s + "Cassandra DB Session" + end + + private + + def create_cassandra_cmd(q) + # TODO: simple escape, must be handled by a library + # that does this securely + escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$') + + # construct the query + command = "cqlsh" + command += " #{@host}" unless @host.nil? + command += " #{@port}" unless @port.nil? + command += " -u #{@user}" + command += " -p #{@password}" + command += " --execute '#{escaped_query}'" + command + end + end +end diff --git a/test/fixtures/cmd/cassandra-connection-error b/test/fixtures/cmd/cassandra-connection-error new file mode 100644 index 000000000..f3fa5c8a5 
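Review bot: `create_cassandra_cmd` wraps the query in single quotes but escapes only backslash, double quote and `$`, so a `'` inside the query ends the quoted argument, and `@host`, `@port`, `@user` and `@password` are interpolated into the shell command with no quoting at all. Every caller-supplied value should be quoted for the shell; the sketch below does that for POSIX targets with `Shellwords` (it needs `require "shellwords"` at the top of the file) and leaves the command strings expected by the unit tests in this patch unchanged. Windows targets would need their own quoting rules, which this hunk does not show. Separately, passing the password with `-p` puts it on the command line of the audited host while `cqlsh` runs, and the `cassandra`/`cassandra` fallback in `initialize` means a profile that omits credentials connects with the stock account; both deserve at least a comment in the code and the docs.

```ruby
def create_cassandra_cmd(q)
  # Single-quote the query for a POSIX shell: close the quote, emit an escaped quote, reopen.
  quoted_query = "'" + q.gsub("'") { "'\\''" } + "'"

  command = "cqlsh"
  command += " #{Shellwords.escape(@host.to_s)}" unless @host.nil?
  command += " #{Shellwords.escape(@port.to_s)}" unless @port.nil?
  command += " -u #{Shellwords.escape(@user.to_s)}"
  command += " -p #{Shellwords.escape(@password.to_s)}"
  command += " --execute #{quoted_query}"
  command
end
```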
--- /dev/null +++ b/test/fixtures/cmd/cassandra-connection-error @@ -0,0 +1 @@ +Unable to connect to any servers \ No newline at end of file diff --git a/test/fixtures/cmd/cassandra-connection-success b/test/fixtures/cmd/cassandra-connection-success new file mode 100644 index 000000000..687392fcd --- /dev/null +++ b/test/fixtures/cmd/cassandra-connection-success @@ -0,0 +1 @@ +\r\n cluster_name\r\n--------------\r\n Test Cluster\r\n\r\n(1 rows)\r\n\n \ No newline at end of file diff --git a/test/fixtures/cmd/env b/test/fixtures/cmd/env index bf82033b2..e1f840fde 100644 --- a/test/fixtures/cmd/env +++ b/test/fixtures/cmd/env @@ -1,2 +1,3 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ORACLE_HOME=/opt/oracle/product/18c/dbhomeXE +CASSANDRA_HOME=/etc/cassandra diff --git a/test/fixtures/cmd/fetch-cassandra-conf-in-windows b/test/fixtures/cmd/fetch-cassandra-conf-in-windows new file mode 100644 index 000000000..6a7078206 --- /dev/null +++ b/test/fixtures/cmd/fetch-cassandra-conf-in-windows @@ -0,0 +1 @@ +C:\Program Files\apache-cassandra-3.11.4-bin\apache-cassandra-3.11.4 \ No newline at end of file diff --git a/test/fixtures/files/cassandra.yaml b/test/fixtures/files/cassandra.yaml new file mode 100644 index 000000000..6fce6baaf --- /dev/null +++ b/test/fixtures/files/cassandra.yaml @@ -0,0 +1,6 @@ +cluster_name: 'Test Cluster' +num_tokens: 16 +listen_address: localhost +native_transport_port: 9042 +audit_logging_options: + enabled: false \ No newline at end of file diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb index dc52ae331..8566d2972 100644 --- a/test/helpers/mock_loader.rb +++ b/test/helpers/mock_loader.rb 
@@ -115,6 +115,8 @@ class MockLoader "/etc/mongod.conf" => mockfile.call("mongod.conf"), "/opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora" => mockfile.call("listener.ora"), "C:\\app\\Administrator\\product\\18.0.0\\dbhomeXE\\network\\admin\\listener.ora" => mockfile.call("listener.ora"), + "/etc/cassandra/cassandra.yaml" => mockfile.call("cassandra.yaml"), + "C:\\Program Files\\apache-cassandra-3.11.4-bin\\apache-cassandra-3.11.4\\conf\\cassandra.yaml" => mockfile.call("cassandra.yaml"), "/etc/rabbitmq/rabbitmq.config" => mockfile.call("rabbitmq.config"), "kitchen.yml" => mockfile.call("kitchen.yml"), "example.csv" => mockfile.call("example.csv"), @@ -502,6 +504,7 @@ class MockLoader "sh -c 'type \"sqlplus\"'" => cmd.call("oracle-cmd"), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call("oracle-result"), "${Env:ORACLE_HOME}" => cmd.call("fetch-oracle-listener-in-windows"), + "${Env:CASSANDRA_HOME}" => cmd.call("fetch-cassandra-conf-in-windows"), # nginx mock cmd %{nginx -V 2>&1} => cmd.call("nginx-v"), %{/usr/sbin/nginx -V 2>&1} => cmd.call("nginx-v"), diff --git a/test/unit/resources/cassandradb_conf_test.rb b/test/unit/resources/cassandradb_conf_test.rb new file mode 100644 index 000000000..c542b7a9c --- /dev/null +++ b/test/unit/resources/cassandradb_conf_test.rb 
@@ -0,0 +1,33 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/cassandradb_conf" + +describe "Inspec::Resources::CassandradbConf" do + it "verify configurations of cassandra DB in linux when conf path is passed" do + resource = MockLoader.new(:centos7).load_resource("cassandradb_conf", "/etc/cassandra/cassandra.yaml") + _(resource.params["listen_address"]).must_equal "localhost" + _(resource.params["native_transport_port"]).must_equal 9042 + _(resource.params["audit_logging_options"]["enabled"]).must_equal false + end + + it "verify configurations of cassandra DB in windows when conf path is passed" do + resource = MockLoader.new(:windows).load_resource("cassandradb_conf", "C:\\Program Files\\apache-cassandra-3.11.4-bin\\apache-cassandra-3.11.4\\conf\\cassandra.yaml") + _(resource.params["listen_address"]).must_equal "localhost" + _(resource.params["native_transport_port"]).must_equal 9042 + _(resource.params["audit_logging_options"]["enabled"]).must_equal false + end + + it "verify configurations of cassandra DB in linux when conf path is not passed" do + resource = MockLoader.new(:centos7).load_resource("cassandradb_conf", nil) + _(resource.params["listen_address"]).must_equal "localhost" + _(resource.params["native_transport_port"]).must_equal 9042 + _(resource.params["audit_logging_options"]["enabled"]).must_equal false + end + + it "verify configurations of cassandra DB in windows when conf path is not passed" do + resource = MockLoader.new(:windows).load_resource("cassandradb_conf", nil) + _(resource.params["listen_address"]).must_equal "localhost" + _(resource.params["native_transport_port"]).must_equal 9042 + _(resource.params["audit_logging_options"]["enabled"]).must_equal false + end +end diff --git a/test/unit/resources/cassandradb_session_test.rb b/test/unit/resources/cassandradb_session_test.rb new file mode 100644 index 000000000..46b45e2cf --- /dev/null +++ b/test/unit/resources/cassandradb_session_test.rb 
@@ -0,0 +1,51 @@ +require "helper" +require "inspec/resource" +require "inspec/resources/cassandradb_session" + +describe "Inspec::Resources::CassandradbSession" do + it "verify cassandradb_session configuration" do + resource = load_resource("cassandradb_session", host: "localhost", port: 9042) + _(resource.resource_failed?).must_equal false + _(resource.user).must_equal "cassandra" + _(resource.password).must_equal "cassandra" + _(resource.host).must_equal "localhost" + _(resource.port).must_equal 9042 + end + + it "success when connection is estalished" do + resource = quick_resource(:cassandradb_session, :linux, user: "USER", password: "rightpassword", host: "localhost", port: 9042) do |cmd| + cmd.strip! + case cmd + when "cqlsh localhost 9042 -u USER -p rightpassword --execute 'SELECT cluster_name FROM system.local'" then + stdout_file "test/fixtures/cmd/cassandra-connection-success" + else + raise cmd.inspect + end + end + + _(resource.resource_failed?).must_equal false + query = resource.query("SELECT cluster_name FROM system.local") + _(query.exit_status).must_equal 0 + _(query.output).must_match(/Test Cluster/) + end + + it "fails when no connection established" do + resource = quick_resource(:cassandradb_session, :linux, user: "USER", password: "wrongpassword", host: "localhost", port: 1234) do |cmd| + cmd.strip! + case cmd + when "cqlsh localhost 1234 -u USER -p wrongpassword --execute 'SELECT cluster_name FROM system.local'" then + stdout_file "test/fixtures/cmd/cassandra-connection-error" + else + raise cmd.inspect + end + ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("SELECT cluster_name FROM system.local") } + _(ex.message).must_include("Cassandra query with errors") + end + end + + it "does not fails auth when no user or no password is provided" do + resource = quick_resource(:cassandradb_session, :linux) + _(resource.resource_failed?).must_equal false + end + +end 
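Review bot: In "fails when no connection established" the `assert_raises` and `must_include` lines sit inside the block passed to `quick_resource`, before its closing `end`, so they appear to run only if the mocked command is invoked, and nothing outside the block ever calls `query`. As written the test can pass without exercising the failure path. Close the block right after the `case`, as the success test above does, and move `ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("SELECT cluster_name FROM system.local") }` and `_(ex.message).must_include("Cassandra query with errors")` after it.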
From 8546595f30d3c68af79b875737b9da7abcef2105 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 1 Oct 2021 14:43:35 +0530 Subject: [PATCH 461/483] Review changes and build fix Signed-off-by: Nikita Mathur --- .../content/inspec/resources/cassandradb_conf.md | 4 ++-- .../content/inspec/resources/cassandradb_session.md | 10 +++++----- lib/inspec/resources/cassandra.rb | 8 ++++---- lib/inspec/resources/cassandradb_session.rb | 7 +++---- test/unit/resources/cassandradb_session_test.rb | 1 - 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/cassandradb_conf.md b/docs-chef-io/content/inspec/resources/cassandradb_conf.md index 0aaf92422..2580939c0 100644 --- a/docs-chef-io/content/inspec/resources/cassandradb_conf.md +++ b/docs-chef-io/content/inspec/resources/cassandradb_conf.md @@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `cassandradb_conf` Chef InSpec audit resource to test the configurations of Cassandra DB, typically located at `$CASSANDRA_HOME/cassandra.yaml` or `$CASSANDRA_HOME\conf\cassandra.yaml` depending upon the platform. +Use the `cassandradb_conf` Chef InSpec audit resource to test the configuration of a Cassandra database, which is typically located at `$CASSANDRA_HOME/cassandra.yaml` or `$CASSANDRA_HOME\conf\cassandra.yaml` depending upon the platform. ## Installation @@ -19,7 +19,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Requirements -- Value for environment variable `CASSANDRA_HOME` should be set in the system. +- The value of the `CASSANDRA_HOME` environment variable must be set in the system. ## Syntax diff --git a/docs-chef-io/content/inspec/resources/cassandradb_session.md b/docs-chef-io/content/inspec/resources/cassandradb_session.md index 2e724bbe9..187b9c945 100644 --- a/docs-chef-io/content/inspec/resources/cassandradb_session.md +++ b/docs-chef-io/content/inspec/resources/cassandradb_session.md 
@@ -11,7 +11,7 @@ platform = "os" parent = "inspec/resources/os" +++ -Use the `cassandradb_session` Chef InSpec audit resource to test CQL commands run against a Cassandra database. +Use the `cassandradb_session` Chef InSpec audit resource to test Cassandra Query Language (CQL) commands run against a Cassandra database. ## Availability @@ -21,7 +21,7 @@ This resource is distributed along with Chef InSpec itself. You can use it autom ## Syntax -A `cassandradb_session` resource block declares the server, database, username and password to use for the session, and then the command to be run: +A `cassandradb_session` resource block declares the username, password, host, and port to use for the session, and then the command to be run: describe cassandradb_session(user: 'USERNAME', password: 'PASSWORD', host: 'localhost', port: 9042).query('QUERY') do its('value') { should eq('EXPECTED') } @@ -35,7 +35,7 @@ where ### Optional Parameters -The `cassandradb_session` InSpec resource accepts `user`, `password`, `host` and `port` parameters. +The `cassandradb_session` InSpec resource accepts `user`, `password`, `host`, and `port` parameters. In Particular: @@ -51,7 +51,7 @@ Default value: `cassandra`. The following examples show how to use this Chef InSpec audit resource. -### Test for matching values using cassandra query +### Test for matching values using a Cassandra query ```ruby cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042) @@ -61,7 +61,7 @@ describe cql.query("SELECT cluster_name FROM system.local") do end ``` -### Test for matching values using cassandra query from a sample database +### Test for matching values using a Cassandra query from a sample database ```ruby cql = cassandradb_session(user: 'MY_USER', password: 'PASSWORD', host: 'localhost', port: 9042) diff --git a/lib/inspec/resources/cassandra.rb b/lib/inspec/resources/cassandra.rb index 1c1d4e0d2..fe9bd13f3 100644 --- a/lib/inspec/resources/cassandra.rb 
+++ b/lib/inspec/resources/cassandra.rb @@ -27,12 +27,12 @@ module Inspec::Resources cassandra_home = inspec.os_env("CASSANDRA_HOME").content if cassandra_home.nil? || cassandra_home.empty? - warn "$CASSANDRA_HOME env value not set in the system" + warn "$CASSANDRA_HOME environment variable not set in the system" nil else conf_path = "#{cassandra_home}/cassandra.yaml" if !inspec.file(conf_path).exist? - warn "No cassandra conf file found in CASSANDRA_HOME directory" + warn "Cassandra conf file not found in #{cassandra_home} directory." nil else @conf_path = conf_path @@ -46,12 +46,12 @@ module Inspec::Resources cassandra_home = inspec.os_env("CASSANDRA_HOME").content if cassandra_home.nil? || cassandra_home.empty? - warn "CASSANDRA_HOME env value not set in the system" + warn "CASSANDRA_HOME environment variable not set in the system" nil else conf_path = "#{cassandra_home}\\conf\\cassandra.yaml" if !inspec.file(conf_path).exist? - warn "No cassandra conf file found in CASSANDRA_HOME\\conf" + warn "Cassandra conf file not found in #{cassandra_home}\\conf directory." nil else @conf_path = conf_path diff --git a/lib/inspec/resources/cassandradb_session.rb b/lib/inspec/resources/cassandradb_session.rb index 8991b4214..c32c4b84f 100644 --- a/lib/inspec/resources/cassandradb_session.rb +++ b/lib/inspec/resources/cassandradb_session.rb @@ -1,11 +1,10 @@ module Inspec::Resources class Lines - attr_reader :output, :exit_status + attr_reader :output - def initialize(raw, desc, exit_status) + def initialize(raw, desc) @output = raw @desc = desc - @exit_status = exit_status end def to_s @@ -41,7 +40,7 @@ module Inspec::Resources if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}" else - Lines.new(cmd.stdout.strip, "Cassandra query: #{q}", cmd.exit_status) + Lines.new(cmd.stdout.strip, "Cassandra query: #{q}") end end 
diff --git a/test/unit/resources/cassandradb_session_test.rb b/test/unit/resources/cassandradb_session_test.rb index 46b45e2cf..36cf53a50 100644 --- a/test/unit/resources/cassandradb_session_test.rb +++ b/test/unit/resources/cassandradb_session_test.rb @@ -25,7 +25,6 @@ describe "Inspec::Resources::CassandradbSession" do _(resource.resource_failed?).must_equal false query = resource.query("SELECT cluster_name FROM system.local") - _(query.exit_status).must_equal 0 _(query.output).must_match(/Test Cluster/) end From 19f74c9c88f377dcc7794fc6e6916dea60ff715b Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Sat, 2 Oct 2021 16:33:23 -0700 Subject: [PATCH 462/483] Update OpenSSL on macOS to 1.1.l 1.1.1k is no longer there Signed-off-by: Tim Smith --- omnibus_overrides.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/omnibus_overrides.rb b/omnibus_overrides.rb index 953cf2b04..8cb985481 100644 --- a/omnibus_overrides.rb +++ b/omnibus_overrides.rb @@ -6,4 +6,4 @@ override "train", version: "v#{train_stable}" override "ruby", version: "2.7.4" # Mac m1 -override "openssl", version: "1.1.1k" if mac_os_x? +override "openssl", version: "1.1.1l" if mac_os_x? From bcc98feada9b1694e282f39ec863719caf52898a Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Sat, 2 Oct 2021 16:39:55 -0700 Subject: [PATCH 463/483] Enable repeatable builds by bundling Gemfile.lock This way changes to omnibus-software or omnibus don't change the builds. This is important for us, but also for cinc. It also makes sure that we're tracking bumps to the omnibus-software in the InSpec changelog so we can build release notes that reflect key dep changes like openssl. We recently added the same thing to Infra Server to better track deps there and we've done this in infra client for many years. 
Signed-off-by: Tim Smith --- .github/dependabot.yml | 10 +- .gitignore | 4 +- omnibus/Gemfile.lock | 477 +++++++++++++++++++++++++++++++++++++++++ omnibus/kitchen.yml | 29 +-- 4 files changed, 491 insertions(+), 29 deletions(-) create mode 100644 omnibus/Gemfile.lock diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2780fafdc..7ea7a051a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,8 +5,8 @@ updates: schedule: interval: daily open-pull-requests-limit: 10 - ignore: - - dependency-name: chefstyle - versions: - - 1.6.1 - - 1.6.2 +- package-ecosystem: bundler + directory: "/omnibus" + schedule: + interval: daily + open-pull-requests-limit: 10 \ No newline at end of file diff --git a/.gitignore b/.gitignore index f5835ba99..9baf2d883 100644 --- a/.gitignore +++ b/.gitignore @@ -36,6 +36,4 @@ results/ terraform.tfstate* terraform.tfstate.backup terraform.tfvars -test/**/*.lock -www/Gemfile.lock -www/source/index.html.slim +test/**/*.lock \ No newline at end of file diff --git a/omnibus/Gemfile.lock b/omnibus/Gemfile.lock new file mode 100644 index 000000000..e59a977ba --- /dev/null +++ b/omnibus/Gemfile.lock 
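Review bot: The `ignore` block for `chefstyle` versions 1.6.1 and 1.6.2 is dropped from the existing update entry in the same hunk that adds the `/omnibus` entry, and the commit message does not mention it. If the removal is intentional it deserves a line in the description; otherwise keep the `ignore` block and only append the new `package-ecosystem: bundler` entry with `directory: "/omnibus"`.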
@@ -0,0 +1,477 @@ +GIT + remote: https://github.com/chef/omnibus-software.git + revision: 24f508c7f2e3a20debdf5d19ced27757fed7f7fb + branch: main + specs: + omnibus-software (4.0.0) + omnibus (>= 8.0.0) + +GIT + remote: https://github.com/chef/omnibus.git + revision: 37897ade4832490b2480726c66ca8d282d115cbf + branch: main + specs: + omnibus (8.2.2) + aws-sdk-s3 (~> 1) + chef-cleanroom (~> 1.0) + chef-utils (>= 15.4) + contracts (>= 0.16.0, < 0.17.0) + ffi-yajl (~> 2.2) + license_scout (~> 1.0) + mixlib-shellout (>= 2.0, < 4.0) + mixlib-versioning + ohai (>= 15, < 17) + pedump + ruby-progressbar (~> 1.7) + thor (>= 0.18, < 2.0) + +GEM + remote: https://rubygems.org/ + specs: + addressable (2.8.0) + public_suffix (>= 2.0.2, < 5.0) + artifactory (3.0.15) + awesome_print (1.9.2) + aws-eventstream (1.2.0) + aws-partitions (1.510.0) + aws-sdk-core (3.121.1) + aws-eventstream (~> 1, >= 1.0.2) + aws-partitions (~> 1, >= 1.239.0) + aws-sigv4 (~> 1.1) + jmespath (~> 1.0) + aws-sdk-kms (1.48.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.103.0) + aws-sdk-core (~> 3, >= 3.120.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.4) + aws-sigv4 (1.4.0) + aws-eventstream (~> 1, >= 1.0.2) + bcrypt_pbkdf (1.1.0) + bcrypt_pbkdf (1.1.0-x64-mingw32) + bcrypt_pbkdf (1.1.0-x86-mingw32) + berkshelf (7.2.2) + chef (>= 15.7.32) + chef-config + cleanroom (~> 1.0) + concurrent-ruby (~> 1.0) + minitar (>= 0.6) + mixlib-archive (>= 1.1.4, < 2.0) + mixlib-config (>= 2.2.5) + mixlib-shellout (>= 2.0, < 4.0) + octokit (~> 4.0) + retryable (>= 2.0, < 4.0) + solve (~> 4.0) + thor (>= 0.20) + builder (3.2.4) + chef (16.16.13) + addressable + bcrypt_pbkdf (~> 1.1) + bundler (>= 1.10) + chef-config (= 16.16.13) + chef-utils (= 16.16.13) + chef-vault + chef-zero (>= 14.0.11) + diff-lcs (>= 1.2.4, < 1.4.0) + ed25519 (~> 1.2) + erubis (~> 2.7) + ffi (>= 1.9.25) + ffi-libarchive (~> 1.0, >= 1.0.3) + ffi-yajl (~> 2.2) + highline (>= 1.6.9, < 3) + iniparse (~> 1.4) + inspec-core (~> 4.23) + 
license-acceptance (>= 1.0.5, < 3) + mixlib-archive (>= 0.4, < 2.0) + mixlib-authentication (>= 2.1, < 4) + mixlib-cli (>= 2.1.1, < 3.0) + mixlib-log (>= 2.0.3, < 4.0) + mixlib-shellout (>= 3.1.1, < 4.0) + net-sftp (>= 2.1.2, < 4.0) + net-ssh (>= 5.1, < 7) + net-ssh-multi (~> 1.2, >= 1.2.1) + ohai (~> 16.0) + pastel + plist (~> 3.2) + proxifier (~> 1.0) + syslog-logger (~> 1.6) + train-core (~> 3.2, >= 3.2.28) + train-winrm (>= 0.2.5) + tty-prompt (~> 0.21) + tty-screen (~> 0.6) + tty-table (~> 0.11) + uuidtools (>= 2.1.5, < 3.0) + chef (16.16.13-universal-mingw32) + addressable + bcrypt_pbkdf (~> 1.1) + bundler (>= 1.10) + chef-config (= 16.16.13) + chef-utils (= 16.16.13) + chef-vault + chef-zero (>= 14.0.11) + diff-lcs (>= 1.2.4, < 1.4.0) + ed25519 (~> 1.2) + erubis (~> 2.7) + ffi (>= 1.9.25) + ffi-libarchive (~> 1.0, >= 1.0.3) + ffi-yajl (~> 2.2) + highline (>= 1.6.9, < 3) + iniparse (~> 1.4) + inspec-core (~> 4.23) + iso8601 (>= 0.12.1, < 0.14) + license-acceptance (>= 1.0.5, < 3) + mixlib-archive (>= 0.4, < 2.0) + mixlib-authentication (>= 2.1, < 4) + mixlib-cli (>= 2.1.1, < 3.0) + mixlib-log (>= 2.0.3, < 4.0) + mixlib-shellout (>= 3.1.1, < 4.0) + net-sftp (>= 2.1.2, < 4.0) + net-ssh (>= 5.1, < 7) + net-ssh-multi (~> 1.2, >= 1.2.1) + ohai (~> 16.0) + pastel + plist (~> 3.2) + proxifier (~> 1.0) + syslog-logger (~> 1.6) + train-core (~> 3.2, >= 3.2.28) + train-winrm (>= 0.2.5) + tty-prompt (~> 0.21) + tty-screen (~> 0.6) + tty-table (~> 0.11) + uuidtools (>= 2.1.5, < 3.0) + win32-api (~> 1.5.3) + win32-certstore (~> 0.5.0) + win32-event (~> 0.6.1) + win32-eventlog (= 0.6.3) + win32-mmap (~> 0.4.1) + win32-mutex (~> 0.4.2) + win32-process (~> 0.9) + win32-service (>= 2.1.5, < 3.0) + win32-taskscheduler (~> 2.0) + wmi-lite (~> 1.0) + chef-cleanroom (1.0.4) + chef-config (16.16.13) + addressable + chef-utils (= 16.16.13) + fuzzyurl + mixlib-config (>= 2.2.12, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) + tomlrb (~> 1.2) + chef-telemetry (1.1.1) + chef-config + 
concurrent-ruby (~> 1.0) + chef-utils (16.16.13) + chef-vault (4.1.4) + chef-zero (15.0.9) + ffi-yajl (~> 2.2) + hashie (>= 2.0, < 5.0) + mixlib-log (>= 2.0, < 4.0) + rack (~> 2.0, >= 2.0.6) + uuidtools (~> 2.1) + webrick + citrus (3.0.2) + cleanroom (1.0.0) + coderay (1.1.3) + concurrent-ruby (1.1.9) + contracts (0.16.1) + diff-lcs (1.3) + ed25519 (1.2.4) + erubi (1.10.0) + erubis (2.7.0) + faraday (1.4.3) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.1) + multipart-post (>= 1.2, < 3) + ruby2_keywords (>= 0.0.4) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.0) + faraday-excon (1.1.0) + faraday-net_http (1.0.1) + faraday-net_http_persistent (1.2.0) + faraday_middleware (1.1.0) + faraday (~> 1.0) + ffi (1.15.4) + ffi (1.15.4-x64-mingw32) + ffi (1.15.4-x86-mingw32) + ffi-libarchive (1.1.3) + ffi (~> 1.0) + ffi-win32-extensions (1.0.4) + ffi + ffi-yajl (2.4.0) + libyajl2 (>= 1.2) + fuzzyurl (0.9.0) + gssapi (1.3.1) + ffi (>= 1.0.1) + gyoku (1.3.1) + builder (>= 2.1.2) + hashie (4.1.0) + highline (2.0.3) + httpclient (2.8.3) + iniparse (1.5.0) + inspec-core (4.46.13) + addressable (~> 2.4) + chef-telemetry (~> 1.0, >= 1.0.8) + faraday (>= 0.9.0, < 1.5) + faraday_middleware (~> 1.0) + hashie (>= 3.4, < 5.0) + license-acceptance (>= 0.2.13, < 3.0) + method_source (>= 0.8, < 2.0) + mixlib-log (~> 3.0) + multipart-post (~> 2.0) + parallel (~> 1.9) + parslet (>= 1.5, < 2.0) + pry (~> 0.13) + rspec (>= 3.9, < 3.11) + rspec-its (~> 1.2) + rubyzip (>= 1.2.2, < 3.0) + semverse (~> 3.0) + sslshake (~> 1.2) + thor (>= 0.20, < 2.0) + tomlrb (>= 1.2, < 2.1) + train-core (~> 3.0) + tty-prompt (~> 0.17) + tty-table (~> 0.10) + iostruct (0.0.4) + ipaddress (0.8.3) + iso8601 (0.13.0) + jmespath (1.4.0) + json (2.5.1) + kitchen-vagrant (1.10.0) + test-kitchen (>= 1.4, < 4) + libyajl2 (2.1.0) + license-acceptance (2.1.13) + pastel (~> 0.7) + tomlrb (>= 1.2, < 3.0) + tty-box (~> 
0.6) + tty-prompt (~> 0.20) + license_scout (1.2.13) + ffi-yajl (~> 2.2) + mixlib-shellout (>= 2.2, < 4.0) + toml-rb (>= 1, < 3) + little-plugger (1.1.4) + logging (2.3.0) + little-plugger (~> 1.1) + multi_json (~> 1.14) + method_source (1.0.0) + minitar (0.9) + mixlib-archive (1.1.7) + mixlib-log + mixlib-archive (1.1.7-universal-mingw32) + mixlib-log + mixlib-authentication (3.0.10) + mixlib-cli (2.1.8) + mixlib-config (3.0.9) + tomlrb + mixlib-install (3.12.16) + mixlib-shellout + mixlib-versioning + thor + mixlib-log (3.0.9) + mixlib-shellout (3.2.5) + chef-utils + mixlib-shellout (3.2.5-universal-mingw32) + chef-utils + ffi-win32-extensions (~> 1.0.3) + win32-process (~> 0.9) + wmi-lite (~> 1.0) + mixlib-versioning (1.2.12) + molinillo (0.8.0) + multi_json (1.15.0) + multipart-post (2.1.1) + net-scp (3.0.0) + net-ssh (>= 2.6.5, < 7.0.0) + net-sftp (3.0.0) + net-ssh (>= 5.0.0, < 7.0.0) + net-ssh (6.1.0) + net-ssh-gateway (2.0.0) + net-ssh (>= 4.0.0) + net-ssh-multi (1.2.1) + net-ssh (>= 2.6.5) + net-ssh-gateway (>= 1.2.0) + nori (2.6.0) + octokit (4.21.0) + faraday (>= 0.9) + sawyer (~> 0.8.0, >= 0.5.3) + ohai (16.13.0) + chef-config (>= 12.8, < 17) + chef-utils (>= 16.0, < 17) + ffi (~> 1.9) + ffi-yajl (~> 2.2) + ipaddress + mixlib-cli (>= 1.7.0) + mixlib-config (>= 2.0, < 4.0) + mixlib-log (>= 2.0.1, < 4.0) + mixlib-shellout (>= 2.0, < 4.0) + plist (~> 3.1) + train-core + wmi-lite (~> 1.0) + parallel (1.21.0) + parslet (1.8.2) + pastel (0.8.0) + tty-color (~> 0.5) + pedump (0.6.2) + awesome_print + iostruct (>= 0.0.4) + multipart-post (>= 2.0.0) + rainbow + zhexdump (>= 0.0.2) + plist (3.6.0) + proxifier (1.0.3) + pry (0.14.1) + coderay (~> 1.1) + method_source (~> 1.0) + public_suffix (4.0.6) + rack (2.2.3) + rainbow (3.0.0) + retryable (3.0.5) + rspec (3.10.0) + rspec-core (~> 3.10.0) + rspec-expectations (~> 3.10.0) + rspec-mocks (~> 3.10.0) + rspec-core (3.10.1) + rspec-support (~> 3.10.0) + rspec-expectations (3.10.1) + diff-lcs (>= 1.2.0, < 2.0) + 
rspec-support (~> 3.10.0) + rspec-its (1.3.0) + rspec-core (>= 3.0.0) + rspec-expectations (>= 3.0.0) + rspec-mocks (3.10.2) + diff-lcs (>= 1.2.0, < 2.0) + rspec-support (~> 3.10.0) + rspec-support (3.10.2) + ruby-progressbar (1.11.0) + ruby2_keywords (0.0.5) + rubyntlm (0.6.3) + rubyzip (2.3.2) + sawyer (0.8.2) + addressable (>= 2.3.5) + faraday (> 0.8, < 2.0) + semverse (3.0.0) + solve (4.0.4) + molinillo (~> 0.6) + semverse (>= 1.1, < 4.0) + sslshake (1.3.1) + strings (0.2.1) + strings-ansi (~> 0.2) + unicode-display_width (>= 1.5, < 3.0) + unicode_utils (~> 1.4) + strings-ansi (0.2.0) + structured_warnings (0.4.0) + syslog-logger (1.6.8) + test-kitchen (3.1.0) + bcrypt_pbkdf (~> 1.0) + chef-utils (>= 16.4.35) + ed25519 (~> 1.2) + license-acceptance (>= 1.0.11, < 3.0) + mixlib-install (~> 3.6) + mixlib-shellout (>= 1.2, < 4.0) + net-scp (>= 1.1, < 4.0) + net-ssh (>= 2.9, < 7.0) + net-ssh-gateway (>= 1.2, < 3.0) + thor (>= 0.19, < 2.0) + winrm (~> 2.0) + winrm-elevated (~> 1.0) + winrm-fs (~> 1.1) + thor (1.1.0) + toml-rb (2.0.1) + citrus (~> 3.0, > 3.0) + tomlrb (1.3.0) + train-core (3.8.1) + addressable (~> 2.5) + ffi (!= 1.13.0) + json (>= 1.8, < 3.0) + mixlib-shellout (>= 2.0, < 4.0) + net-scp (>= 1.2, < 4.0) + net-ssh (>= 2.9, < 7.0) + train-winrm (0.2.12) + winrm (>= 2.3.6, < 3.0) + winrm-elevated (~> 1.2.2) + winrm-fs (~> 1.0) + tty-box (0.7.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-cursor (~> 0.7) + tty-color (0.6.0) + tty-cursor (0.7.1) + tty-prompt (0.23.1) + pastel (~> 0.8) + tty-reader (~> 0.8) + tty-reader (0.9.0) + tty-cursor (~> 0.7) + tty-screen (~> 0.8) + wisper (~> 2.0) + tty-screen (0.8.1) + tty-table (0.12.0) + pastel (~> 0.8) + strings (~> 0.2.0) + tty-screen (~> 0.8) + unicode-display_width (2.1.0) + unicode_utils (1.4.0) + uuidtools (2.2.0) + webrick (1.7.0) + win32-api (1.5.3-universal-mingw32) + win32-certstore (0.5.3) + ffi + mixlib-shellout + win32-event (0.6.3) + win32-ipc (>= 0.6.0) + win32-eventlog (0.6.3) + ffi + win32-ipc 
(0.7.0) + ffi + win32-mmap (0.4.2) + ffi + win32-mutex (0.4.3) + win32-ipc (>= 0.6.0) + win32-process (0.9.0) + ffi (>= 1.0.0) + win32-service (2.2.0) + ffi + ffi-win32-extensions + win32-taskscheduler (2.0.4) + ffi + structured_warnings + winrm (2.3.6) + builder (>= 2.1.2) + erubi (~> 1.8) + gssapi (~> 1.2) + gyoku (~> 1.0) + httpclient (~> 2.2, >= 2.2.0.2) + logging (>= 1.6.1, < 3.0) + nori (~> 2.0) + rubyntlm (~> 0.6.0, >= 0.6.3) + winrm-elevated (1.2.3) + erubi (~> 1.8) + winrm (~> 2.0) + winrm-fs (~> 1.0) + winrm-fs (1.3.5) + erubi (~> 1.8) + logging (>= 1.6.1, < 3.0) + rubyzip (~> 2.0) + winrm (~> 2.0) + wisper (2.0.1) + wmi-lite (1.0.5) + zhexdump (0.0.2) + +PLATFORMS + ruby + x64-mingw32 + x86-mingw32 + +DEPENDENCIES + artifactory + berkshelf (>= 7.0) + ffi (>= 1.9.14, != 1.13.0) + kitchen-vagrant (>= 1.3.1) + omnibus! + omnibus-software! + test-kitchen (>= 1.23) + winrm-fs (~> 1.0) + +BUNDLED WITH + 2.2.22 diff --git a/omnibus/kitchen.yml b/omnibus/kitchen.yml index 2a666a72c..b32dfc80a 100644 --- a/omnibus/kitchen.yml +++ b/omnibus/kitchen.yml @@ -29,8 +29,14 @@ platforms: run_list: apt::default - name: ubuntu-16.04 run_list: apt::default - - name: ubuntu-18.04 - run_list: apt::default + - name: macos-11.15 + driver: + box: tas50/macos_10.15 + synced_folders: + - ['..', '/Users/vagrant/chef'] + - ['../../omnibus', '/Users/vagrant/omnibus'] + - ['../../omnibus-software', '/Users/vagrant/omnibus-software'] + # The following (private) boxes are shared via Vagrant Cloud and are only # available to users working for Chef. Sorry, it's about software licensing. # 
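Review bot: The new platform in the first omnibus/kitchen.yml hunk is named `macos-11.15` but its box is `tas50/macos_10.15`, so the instance name does not describe the OS it boots; `- name: macos-10.15` would match the box. The box also comes from a personal Vagrant Cloud namespace with no version pinned, which works against the repeatable-build goal stated in the commit message. Pinning it with the driver's `box_version: "<PINNED_VERSION>"` setting (placeholder value) would keep the build VM image from changing silently. The same hunk removes the `ubuntu-18.04` platform without a word in the description.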
@@ -46,25 +52,6 @@ platforms: # KITCHEN_LOCAL_YAML=kitchen.vmware.yml kitchen converge chef-macosx-1011 # - # OSX - <% %w( - macosx-10.11 - macos-10.12 - macos-10.13 - ).each do |mac_version| %> - - name: <%= mac_version %> - driver: - provider: vmware_fusion - customize: - numvcpus: 4 - memsize: 4096 - box: chef/macosx-<%= mac_version %> # private - synced_folders: - - ['..', '/Users/vagrant/chef'] - - ['../../omnibus', '/Users/vagrant/omnibus'] - - ['../../omnibus-software', '/Users/vagrant/omnibus-software'] - <% end %> - # By adding an `i386` to the name the Omnibus cookbook's `load-omnibus-toolchain.bat` # will load the 32-bit version of the MinGW toolchain. <% [ '', '-i386' ].each do |win_suffix| %> From 8c0d6b0ef0aee1588dc715861d1ef3ae34b1f2bf Mon Sep 17 00:00:00 2001 From: Tim Smith Date: Sat, 2 Oct 2021 16:56:53 -0700 Subject: [PATCH 464/483] Add back Ubuntu 16.04 packages + testing Ubuntu 16.04 is no longer EOL. They've extended support for a full 10 years so it goes EOL in 2026 now. Signed-off-by: Tim Smith --- .expeditor/integration.resources.yml | 19 +++++++++++++++++++ .expeditor/release.omnibus.yml | 3 ++- kitchen.dokken.yml | 8 ++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/.expeditor/integration.resources.yml b/.expeditor/integration.resources.yml index ff0d12972..9f9b4fb60 100644 --- a/.expeditor/integration.resources.yml +++ b/.expeditor/integration.resources.yml @@ -71,6 +71,7 @@ steps: linux: privileged: true single-use: true + - label: "Kitchen: resources-debian-10" commands: - .expeditor/buildkite/bk_linux_exec.sh @@ -118,6 +119,7 @@ steps: linux: privileged: true single-use: true + - label: "Kitchen: resources-oraclelinux-8" commands: - .expeditor/buildkite/bk_linux_exec.sh 
@@ -150,6 +152,22 @@ steps: privileged: true single-use: true + - label: "Kitchen: resources-ubuntu-1604" + commands: + - .expeditor/buildkite/bk_linux_exec.sh + - . /var/lib/buildkite-agent/.asdf/asdf.sh + - bundle exec kitchen test resources-ubuntu-1604 + artifact_paths: + - $PWD/.kitchen/logs/kitchen.log + env: + KITCHEN_YAML: kitchen.dokken.yml + DOCKER: 1 + expeditor: + executor: + linux: + privileged: true + single-use: true + - label: "Kitchen: resources-ubuntu-1804" commands: - .expeditor/buildkite/bk_linux_exec.sh @@ -165,6 +183,7 @@ steps: linux: privileged: true single-use: true + - label: "Kitchen: resources-ubuntu-2004" commands: - .expeditor/buildkite/bk_linux_exec.sh diff --git a/.expeditor/release.omnibus.yml b/.expeditor/release.omnibus.yml index 24c027599..683b160a0 100644 --- a/.expeditor/release.omnibus.yml +++ b/.expeditor/release.omnibus.yml @@ -43,7 +43,8 @@ builder-to-testers-map: ubuntu-18.04-aarch64: - ubuntu-18.04-aarch64 - ubuntu-20.04-aarch64 - ubuntu-18.04-x86_64: + ubuntu-16.04-x86_64: + - ubuntu-16.04-x86_64 - ubuntu-18.04-x86_64 - ubuntu-20.04-x86_64 windows-2012r2-x86_64: diff --git a/kitchen.dokken.yml b/kitchen.dokken.yml index ec9f6ecfe..49800e777 100644 --- a/kitchen.dokken.yml +++ b/kitchen.dokken.yml @@ -66,12 +66,20 @@ platforms: image: dokken/opensuse-leap-15 pid_one_command: /bin/systemd +- name: ubuntu-16.04 + driver: + image: dokken/ubuntu-16.04 + pid_one_command: /bin/systemd + intermediate_instructions: + - RUN /usr/bin/apt-get update -y + - name: ubuntu-18.04 driver: image: dokken/ubuntu-18.04 pid_one_command: /bin/systemd intermediate_instructions: - RUN /usr/bin/apt-get update -y + - name: ubuntu-20.04 driver: image: dokken/ubuntu-20.04 From 964fdacbeefec3f3b479b7d1af68e1db413c5b0e Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Fri, 17 Sep 2021 12:20:24 +0530 Subject: [PATCH 465/483] Resolve case sensitivity issues with group name in group resource for windows platform 
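Review bot: In .expeditor/release.omnibus.yml the x86_64 Ubuntu builder key is renamed from `ubuntu-18.04-x86_64` to `ubuntu-16.04-x86_64`, so the 18.04 and 20.04 testers now appear to receive a package built on 16.04. The commit message only speaks of adding 16.04 back and does not explain this. The aarch64 map in the context lines still builds on 18.04, which leaves the two architectures inconsistent. If building on the oldest supported release is the intent, a comment such as `# built on 16.04; 18.04 and 20.04 test the same artifact` would make that explicit.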
Signed-off-by: Nikita Mathur --- lib/inspec/resources/groups.rb | 6 +++++- test/unit/resources/group_test.rb | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/inspec/resources/groups.rb b/lib/inspec/resources/groups.rb index 13e4b22c5..527d8eabb 100644 --- a/lib/inspec/resources/groups.rb +++ b/lib/inspec/resources/groups.rb @@ -150,7 +150,11 @@ module Inspec::Resources def group_info # we need a local copy for the block group = @group.dup - @groups_cache ||= inspec.groups.where { name == group } + if inspec.os.windows? + @groups_cache ||= inspec.groups.where { name.casecmp?(group) } + else + @groups_cache ||= inspec.groups.where { name == group } + end end def empty_value_for_members diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb index 35e562bfb..fb83a02dd 100644 --- a/test/unit/resources/group_test.rb +++ b/test/unit/resources/group_test.rb @@ -66,6 +66,13 @@ describe "Inspec::Resources::Group" do _(resource.members).must_equal ["Administrators", "Domain Admins"] end + it "verify administrator group with case insensitivity handling on windows" do + resource = MockLoader.new(:windows).load_resource("group", "administrators") + _(resource.exists?).must_equal true + _(resource.gid).must_equal "S-1-5-32-544" + _(resource.members).must_equal ["Administrators", "Domain Admins"] + end + it "verify power users group on windows" do resource = MockLoader.new(:windows).load_resource("group", "Power Users") _(resource.exists?).must_equal true From eb7e7305f4884f41fc91a2631f62754285059332 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 4 Oct 2021 18:01:20 +0530 Subject: [PATCH 466/483] Members and members array made case insensitive for group resources Signed-off-by: Nikita Mathur --- lib/inspec/resources/groups.rb | 19 +++++++++++++++++-- test/unit/resources/group_test.rb | 15 ++++++++++++++- 2 files changed, 31 insertions(+), 3 deletions(-) 
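Review bot: The memoization in `group_info` (lib/inspec/resources/groups.rb hunk) is now written out twice, once per branch, where a single `@groups_cache ||=` with the platform test hoisted into a local would do. Two lines cover it: `windows = inspec.os.windows?` followed by `@groups_cache ||= inspec.groups.where { windows ? name.casecmp?(group) : name == group }`. Separately, `name.casecmp?(group)` raises NoMethodError for an entry whose name is nil, where the old `name == group` simply returned false. Whether such entries can occur is not visible here, but `name.to_s.casecmp?(group)` would keep the old tolerance.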
diff --git a/lib/inspec/resources/groups.rb b/lib/inspec/resources/groups.rb index 527d8eabb..f56dbfd71 100644 --- a/lib/inspec/resources/groups.rb +++ b/lib/inspec/resources/groups.rb @@ -22,6 +22,18 @@ module Inspec::Resources end end + # Class defined to check for members without case-sensitivity + class Members < Array + def initialize(group_members) + @group_members = group_members + super + end + + def include?(user) + !(@group_members.select { |group_member| group_member.casecmp?(user) }.empty?) + end + end + class Groups < Inspec.resource(1) include GroupManagementSelector @@ -82,6 +94,7 @@ module Inspec::Resources # its('gid') { should eq 0 } # end # + class Group < Inspec.resource(1) include GroupManagementSelector @@ -118,11 +131,13 @@ module Inspec::Resources end def members - flatten_entry(group_info, "members") || empty_value_for_members + members_list = flatten_entry(group_info, "members") || empty_value_for_members + inspec.os.windows? ? Members.new(members_list) : members_list end def members_array - flatten_entry(group_info, "members_array") || [] + members_list = flatten_entry(group_info, "members_array") || [] + inspec.os.windows? ? Members.new(members_list) : members_list end def local diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb index fb83a02dd..ba17d2d71 100644 --- a/test/unit/resources/group_test.rb +++ b/test/unit/resources/group_test.rb 
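Review bot: The new `Members` class in the first groups.rb hunk keeps a second copy of the list in `@group_members` and checks `include?` against that copy rather than the array itself. The answer can therefore diverge from the array's contents if the object is ever modified. The `initialize` override and the instance variable can be dropped by writing the body of `include?` as `any? { |member| member.casecmp?(user) }`. Only `include?` becomes case-insensitive; `index`, `-`, `&` and equality stay case-sensitive, so a profile that tests membership any other way still gets the old behaviour, which deserves a sentence in the class comment. In the `members` / `members_array` hunk, `Members.new(members_list)` will raise a TypeError if `members_list` is nil or a String. `empty_value_for_members` is defined outside the hunk, so confirm it returns an Array on Windows.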
@@ -69,10 +69,23 @@ describe "Inspec::Resources::Group" do it "verify administrator group with case insensitivity handling on windows" do resource = MockLoader.new(:windows).load_resource("group", "administrators") _(resource.exists?).must_equal true - _(resource.gid).must_equal "S-1-5-32-544" _(resource.members).must_equal ["Administrators", "Domain Admins"] end + it "verify members insensitivity on windows" do + resource = MockLoader.new(:windows).load_resource("group", "administrators") + _(resource.exists?).must_equal true + _(resource.members).must_include "administrators" + _(resource.members).must_include "domain admins" + end + + it "verify members_array insensitivity on windows" do + resource = MockLoader.new(:windows).load_resource("group", "administrators") + _(resource.exists?).must_equal true + _(resource.members_array).must_include "administrators" + _(resource.members_array).must_include "domain admins" + end + it "verify power users group on windows" do resource = MockLoader.new(:windows).load_resource("group", "Power Users") _(resource.exists?).must_equal true From 62b0d211fa9d6ae4b87d9fcdf5dc28bf31d560de Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 5 Oct 2021 15:34:15 +0530 Subject: [PATCH 467/483] Windows user fetched in user resource without case sensitivity Signed-off-by: Nikita Mathur --- lib/inspec/resources/users.rb | 2 +- test/unit/resources/user_test.rb | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/inspec/resources/users.rb b/lib/inspec/resources/users.rb index e7ed67e82..02ab238ca 100644 --- a/lib/inspec/resources/users.rb +++ b/lib/inspec/resources/users.rb @@ -622,7 +622,7 @@ module Inspec::Resources name, _domain = parse_windows_account(username) return if collect_user_details.nil? - res = collect_user_details.select { |user| user[:username] == name } + res = collect_user_details.select { |user| user[:username].casecmp? name } res[0] unless res.empty? end 
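Review bot: The lookup changed in the lib/inspec/resources/users.rb hunk matches on the bare account name, now case-insensitively, while `_domain` from `parse_windows_account` is still discarded and `res[0]` takes the first hit. If `collect_user_details` can ever hold two accounts whose names differ only by case or by domain (not visible here), the resource would report on whichever comes first. For a compliance check that is worth ruling out or documenting. The line also raises NoMethodError when an entry has no `:username`, where `==` did not. `collect_user_details.find { |user| user[:username]&.casecmp?(name) }` avoids that and replaces the `select` plus `res[0]` pair. The enclosing method starts above the hunk.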
diff --git a/test/unit/resources/user_test.rb b/test/unit/resources/user_test.rb index 73abccf0b..ee3ea5c16 100644 --- a/test/unit/resources/user_test.rb +++ b/test/unit/resources/user_test.rb @@ -186,4 +186,12 @@ describe "Inspec::Resources::User" do _(resource.maxdays).must_be_nil _(resource.warndays).must_be_nil end + + it "read user on Windows without case-sensitivity" do + resource = MockLoader.new(:windows).load_resource("user", "administrator") + _(resource.exists?).must_equal true + _(resource.uid).wont_be_nil + _(resource.group).must_be_nil + _(resource.groups).must_equal %w{Administrators Users} + end end From 4f4cfeb2fcb2a061963c2a8e71b19d6231652a76 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 00:28:33 +0000 Subject: [PATCH 468/483] Bump version to 4.46.14 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 12 ++++++++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5bc02581..af432951e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,17 @@ # Change Log - + +## [v4.46.14](https://github.com/inspec/inspec/tree/v4.46.14) (2021-10-06) + +#### Merged Pull Requests +- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) - + +### Changes since 4.46.13 release + +#### Merged Pull Requests +- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) diff --git a/VERSION b/VERSION index 13cdd4fc3..39ab59531 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.13 \ No newline at end of file +4.46.14 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 550f081f0..8e698b876 100644 
--- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.13".freeze + VERSION = "4.46.14".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index af3130d84..8e9ac616c 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.13".freeze + VERSION = "4.46.14".freeze end From 1bf5275aad8465cb9705e12a440141c58a81f27b Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 01:58:49 +0000 Subject: [PATCH 469/483] Bump version to 4.46.15 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af432951e..e1be95c73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,16 +1,17 @@ # Change Log - -## [v4.46.14](https://github.com/inspec/inspec/tree/v4.46.14) (2021-10-06) + +## [v4.46.15](https://github.com/inspec/inspec/tree/v4.46.15) (2021-10-06) #### Merged Pull Requests -- Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) +- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) ### Changes since 4.46.13 release #### Merged Pull Requests +- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) - Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) diff --git a/VERSION b/VERSION index 39ab59531..696bd1bb9 100644 --- a/VERSION 
+++ b/VERSION @@ -1 +1 @@ -4.46.14 \ No newline at end of file +4.46.15 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 8e698b876..0a28080ec 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.14".freeze + VERSION = "4.46.15".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8e9ac616c..ac1ff0d9a 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.14".freeze + VERSION = "4.46.15".freeze end From 62a1e24a2c088ecdbb429a8853a358deca46e298 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 02:13:32 +0000 Subject: [PATCH 470/483] Bump version to 4.47.0 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 11 +++++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1be95c73..a9c6b634c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,15 +1,18 @@ # Change Log - -## [v4.46.15](https://github.com/inspec/inspec/tree/v4.46.15) (2021-10-06) + +## [v4.47.0](https://github.com/inspec/inspec/tree/v4.47.0) (2021-10-06) -#### Merged Pull Requests -- Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) +#### New Features +- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) ### Changes since 4.46.13 release +#### New Features +- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) + #### Merged Pull Requests - Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) - Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) diff --git a/VERSION b/VERSION index 696bd1bb9..7d3101885 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.46.15 \ No newline at end of file +4.47.0 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0a28080ec..6a622d8f3 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.46.15".freeze + VERSION = "4.47.0".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index ac1ff0d9a..2cc43dd78 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.46.15".freeze + VERSION = "4.47.0".freeze end From b9f5b52f6914d0722cb5c2f257059e7c57c85ccc Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 6 Oct 2021 02:27:53 +0000 Subject: [PATCH 471/483] Update CHANGELOG.md with details from pull request #5687 Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9c6b634c..bbef659ff 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.0](https://github.com/inspec/inspec/tree/v4.47.0) (2021-10-06) + +## Unreleased -#### New Features -- Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) +#### Merged Pull Requests +- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) @@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) - Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) - Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) From be800bd741cc5cac0327b585164178870990dd41 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 02:39:57 +0000 Subject: [PATCH 472/483] Bump version to 4.47.1 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 6 ++++-- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bbef659ff..f4cf22ea9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,9 +1,10 @@ # Change Log - -## Unreleased + +## [v4.47.1](https://github.com/inspec/inspec/tree/v4.47.1) (2021-10-06) #### Merged Pull Requests +- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) - Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) @@ -14,6 +15,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) - Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) - Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) - Replaced /main/ from /master/ [#5678](https://github.com/inspec/inspec/pull/5678) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) diff --git a/VERSION b/VERSION index 7d3101885..9117a0adf 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.0 \ No newline at end of file +4.47.1 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 6a622d8f3..16e65e4e8 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.0".freeze + VERSION = "4.47.1".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 2cc43dd78..7c910165d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb 
@@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.0".freeze + VERSION = "4.47.1".freeze end From c86031c237b8e0e015c7b68afe6619ad00d7cbdb Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 02:54:48 +0000 Subject: [PATCH 473/483] Bump version to 4.47.2 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 8 ++++---- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4cf22ea9..c5c4c5b08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,10 @@ # Change Log - -## [v4.47.1](https://github.com/inspec/inspec/tree/v4.47.1) (2021-10-06) + +## [v4.47.2](https://github.com/inspec/inspec/tree/v4.47.2) (2021-10-06) #### Merged Pull Requests -- Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) -- Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) +- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) 
@@ -15,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) - Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) - Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) - Add back Ubuntu 16.04 packages + testing [#5689](https://github.com/inspec/inspec/pull/5689) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 9117a0adf..07be79bf8 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.1 \ No newline at end of file +4.47.2 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 16e65e4e8..dc8fe288a 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.1".freeze + VERSION = "4.47.2".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 7c910165d..8ea70a0bc 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.1".freeze + VERSION = "4.47.2".freeze end From 9a78b1dbe05a11c0c36c099e6ce5d6b81f2c9006 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 6 Oct 2021 03:08:29 +0000 Subject: [PATCH 474/483] Bump version to 4.47.3 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index c5c4c5b08..c37ad5b37 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.2](https://github.com/inspec/inspec/tree/v4.47.2) (2021-10-06) + +## [v4.47.3](https://github.com/inspec/inspec/tree/v4.47.3) (2021-10-06) #### Merged Pull Requests -- Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) +- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) @@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) - Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) - Update OpenSSL on macOS to 1.1.1l [#5687](https://github.com/inspec/inspec/pull/5687) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 07be79bf8..d84d43492 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.2 \ No newline at end of file +4.47.3 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index dc8fe288a..2b9e5c7b3 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.2".freeze + VERSION = "4.47.3".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8ea70a0bc..ce41f7222 100644 
--- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.2".freeze + VERSION = "4.47.3".freeze end From 09550ed7f35e51cb4b99d5ef0b7b3cc31b4e8854 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 7 Oct 2021 13:32:34 +0530 Subject: [PATCH 475/483] User groups made case insensitive for user resource for include matcher Signed-off-by: Nikita Mathur --- lib/inspec/resources/users.rb | 16 +++++++++++++++- test/unit/resources/group_test.rb | 6 +++--- test/unit/resources/user_test.rb | 9 +++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/inspec/resources/users.rb b/lib/inspec/resources/users.rb index 02ab238ca..f4336c479 100644 --- a/lib/inspec/resources/users.rb +++ b/lib/inspec/resources/users.rb @@ -204,7 +204,9 @@ module Inspec::Resources alias group groupname def groups - identity[:groups] unless identity.nil? + unless identity.nil? + inspec.os.windows? ? UserGroups.new(identity[:groups]) : identity[:groups] + end end def home @@ -314,6 +316,18 @@ module Inspec::Resources end end + # Class defined to compare for groups without case-sensitivity + class UserGroups < Array + def initialize(user_groups) + @user_groups = user_groups + super + end + + def include?(group) + !(@user_groups.select { |user_group| user_group.casecmp?(group) }.empty?) + end + end + # This is an abstract class that every user provoider has to implement. # A user provider implements a system abstracts and helps the InSpec resource # hand-over system specific behavior to those providers diff --git a/test/unit/resources/group_test.rb b/test/unit/resources/group_test.rb index ba17d2d71..11ef14d00 100644 --- a/test/unit/resources/group_test.rb +++ b/test/unit/resources/group_test.rb 
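Review bot: `UserGroups` (second users.rb hunk) overrides only `include?`, so every other membership test a control can run on the value returned by `groups` (`==`, `&`, `-`, `index`, and presumably `member?`) stays case-sensitive. The same Windows group check can therefore pass or fail depending on which matcher the profile author picked. The class also keeps a second copy of the list in `@user_groups` alongside the elements `super` stores, so the two can drift if the array is mutated later. Iterating the array itself removes that copy: `def include?(group)` / `any? { |user_group| user_group.casecmp?(group) }`. Add a comment on the class saying that `include?` is the only case-insensitive operation, and confirm what `groups` should return on Windows when `identity[:groups]` is nil, because the first hunk now passes that value straight to `UserGroups.new`.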
@@ -66,20 +66,20 @@ describe "Inspec::Resources::Group" do _(resource.members).must_equal ["Administrators", "Domain Admins"] end - it "verify administrator group with case insensitivity handling on windows" do + it "verify administrator group name case insensitivity handling on windows" do resource = MockLoader.new(:windows).load_resource("group", "administrators") _(resource.exists?).must_equal true _(resource.members).must_equal ["Administrators", "Domain Admins"] end - it "verify members insensitivity on windows" do + it "verify members insensitivity on windows using include matcher" do resource = MockLoader.new(:windows).load_resource("group", "administrators") _(resource.exists?).must_equal true _(resource.members).must_include "administrators" _(resource.members).must_include "domain admins" end - it "verify members_array insensitivity on windows" do + it "verify members_array insensitivity on windows using include matcher" do resource = MockLoader.new(:windows).load_resource("group", "administrators") _(resource.exists?).must_equal true _(resource.members_array).must_include "administrators" diff --git a/test/unit/resources/user_test.rb b/test/unit/resources/user_test.rb index ee3ea5c16..11960436a 100644 --- a/test/unit/resources/user_test.rb +++ b/test/unit/resources/user_test.rb @@ -194,4 +194,13 @@ describe "Inspec::Resources::User" do _(resource.group).must_be_nil _(resource.groups).must_equal %w{Administrators Users} end + + it "read user groups on Windows without case-sensitivity using include matcher" do + resource = MockLoader.new(:windows).load_resource("user", "administrator") + _(resource.exists?).must_equal true + _(resource.uid).wont_be_nil + _(resource.group).must_be_nil + _(resource.groups).must_include "Administrators" + _(resource.groups).must_include "administrators" + end end From 85a42f1ee455eef70718cfb19a916899bf2012ed Mon Sep 17 00:00:00 2001 
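Review bot: The test added to user_test.rb asserts only positive matches (`must_include "Administrators"` and `must_include "administrators"`), so an `include?` override that returned true for every argument would still pass. A negative assertion pins the behaviour a compliance control depends on, for example `_(resource.groups).wont_include "no-such-group"` (constructed sample name). The enclosing `describe` block starts outside this hunk.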
From: Dishank Tiwari Date: Fri, 8 Oct 2021 13:20:32 +0530 Subject: [PATCH 476/483] renamed Inspec DSL to Inspec Language Signed-off-by: Dishank Tiwari --- docs-chef-io/content/inspec/dsl_inspec.md | 10 +++++----- docs-chef-io/content/inspec/glossary.md | 4 ++-- docs-chef-io/content/inspec/shell.md | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/docs-chef-io/content/inspec/dsl_inspec.md b/docs-chef-io/content/inspec/dsl_inspec.md index c16705ec4..dcc4c7466 100644 --- a/docs-chef-io/content/inspec/dsl_inspec.md +++ b/docs-chef-io/content/inspec/dsl_inspec.md @@ -1,12 +1,12 @@ +++ -title = "Chef InSpec DSL" +title = "Chef InSpec Language" draft = false gh_repo = "inspec" [menu] [menu.inspec] - title = "Chef InSpec DSL" - identifier = "inspec/reference/dsl_inspec.md Chef InSpec DSL" + title = "Chef InSpec Language" + identifier = "inspec/reference/dsl_inspec.md Chef InSpec Language" parent = "inspec/reference" weight = 70 +++ @@ -17,7 +17,7 @@ you write auditing controls quickly and easily. The syntax used by both open sou and [Chef compliance](/compliance/) auditing is the same. The open source [Chef InSpec resource](/inspec/resources/) framework is compatible with [Chef compliance](/compliance/). -The Chef InSpec DSL is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke. +The Chef InSpec Language is a Ruby DSL for writing audit controls, which includes audit resources that you can invoke. The following sections describe the syntax and show some simple examples of using the Chef InSpec resources. @@ -336,7 +336,7 @@ end ## Using Ruby in InSpec -The Chef InSpec DSL is a Ruby based language. This allows you to be flexible with +The Chef InSpec Language is a Ruby based language. This allows you to be flexible with Ruby code in controls: ```ruby diff --git a/docs-chef-io/content/inspec/glossary.md b/docs-chef-io/content/inspec/glossary.md index 46da628ef..796d374bd 100644 
--- a/docs-chef-io/content/inspec/glossary.md +++ b/docs-chef-io/content/inspec/glossary.md @@ -152,9 +152,9 @@ end ### DSL -_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec DSL page](/inspec/dsl_inspec/) for details about keywords available to control authors. +_DSL_ is an acronym for _Domain Specific Language_. It refers to the language extensions Chef InSpec provides to make authoring resources and controls easier. While Chef InSpec control files are use Ruby, the _Control DSL_ makes it easy to write controls without knowledge of Ruby by providing DSL keywords such as [describe](#describe), [control](#control), [it](#it) and [its](#its). See the [Chef InSpec Language page](/inspec/dsl_inspec/) for details about keywords available to control authors. -For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource DSL page](/inspec/dsl_resource/). +For [custom resource](#custom-resource) authors, an additional DSL is available - see the [Resource Language page](/inspec/dsl_resource/). ### Expected Result diff --git a/docs-chef-io/content/inspec/shell.md b/docs-chef-io/content/inspec/shell.md index 95e506df4..f14449b4c 100644 --- a/docs-chef-io/content/inspec/shell.md +++ b/docs-chef-io/content/inspec/shell.md 
@@ -14,7 +14,7 @@ gh_repo = "inspec" The Chef InSpec interactive shell is a pry based REPL that can be used to quickly run Chef InSpec controls and tests without having to write it to a file. Its functionality is similar to [chef-shell](/chef_shell/) as it provides a way -to exercise the Chef InSpec DSL, its resources, tests, and plugins without +to exercise the Chef InSpec Language, its resources, tests, and plugins without having to create a profile or write a test file. See [http://pryrepl.org/](http://pryrepl.org/) for an introduction to what pry is and what it can do. @@ -94,7 +94,7 @@ inspec> 1 + 2 inspec> exit ``` -## Using Chef InSpec DSL in Chef InSpec shell +## Using Chef InSpec Language in Chef InSpec shell Chef InSpec shell will automatically evaluate the result of every command as if it were a test file. If you type in a Ruby command that is not an From ad3f128486293737d7a934001b878235fcdffee3 Mon Sep 17 00:00:00 2001 From: Pradeep Bhadani Date: Tue, 12 Oct 2021 22:50:09 +0100 Subject: [PATCH 477/483] Fix examples and doc formatting. --- .../resources/google_container_node_pool.md | 64 +++++++++---------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/docs-chef-io/content/inspec/resources/google_container_node_pool.md b/docs-chef-io/content/inspec/resources/google_container_node_pool.md index c7d2bccfe..ff71e90af 100644 --- a/docs-chef-io/content/inspec/resources/google_container_node_pool.md +++ b/docs-chef-io/content/inspec/resources/google_container_node_pool.md 
@@ -41,19 +41,19 @@ end ### Test GCP container node pool disk size in GB is as expected describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do - its('node_config.disk_size_gb'){should eq 100} + its('config.disk_size_gb'){should eq 100} end ### Test GCP container node pool machine type is as expected describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do - its('node_config.machine_type'){should eq "n1-standard-1"} + its('config.machine_type'){should eq "n1-standard-1"} end ### Test GCP container node pool node image type is as expected describe google_container_node_pool(project: 'chef-inspec-gcp', locations: 'europe-west2-a', cluster_name: 'inspec-gcp-kube-cluster', nodepool_name: 'inspec-gcp-kube-node-pool') do - its('node_config.image_type'){should eq "COS"} + its('config.image_type'){should eq "COS"} end ### Test GCP container node pool initial node count is as expected 
@@ -72,61 +72,61 @@ Properties that can be accessed from the `google_container_node_pool` resource: `config` : The node configuration of the pool. -`machine_type` +* `machine_type` : The name of a Google Compute Engine machine type (e.g. n1-standard-1). If unspecified, the default machine type is n1-standard-1. -`disk_size_gb` +* `disk_size_gb` : Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB. If unspecified, the default disk size is 100GB. -`oauth_scopes` +* `oauth_scopes` : The set of Google API scopes to be made available on all of the node VMs under the "default" service account. The following scopes are recommended, but not required, and by default are not included: https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes. https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry). If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added. -`service_account` +* `service_account` : The Google Cloud Platform Service Account to be used by the node VMs. If no Service Account is specified, the "default" service account is used. -`metadata` +* `metadata` : The metadata key/value pairs assigned to instances in the cluster. Keys must conform to the regexp [a-zA-Z0-9-_]+ and be less than 128 bytes in length. These are reflected as part of a URL in the metadata server. Additionally, to avoid ambiguity, keys must not conflict with any other metadata keys for the project or be one of the four reserved keys: "instance-template", "kube-env", "startup-script", and "user-data" Values are free-form strings, and only have meaning as interpreted by the image running in the instance. The only restriction placed on them is that each value's size must be less than or equal to 32 KB. The total size of all keys and values must be less than 512 KB. 
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. -`image_type` +* `image_type` : The image type to use for this node. Note that for a given image type, the latest version of it will be used. -`labels` +* `labels` : The map of Kubernetes labels (key/value pairs) to be applied to each node. These will added in addition to any default label(s) that Kubernetes may apply to the node. In case of conflict in label keys, the applied set may differ depending on the Kubernetes version -- it's best to assume the behavior is undefined and conflicts should be avoided. For more information, including usage and the valid values, see: http://kubernetes.io/v1.1/docs/user-guide/labels.html An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }. -`local_ssd_count` +* `local_ssd_count` : The number of local SSD disks to be attached to the node. The limit for this value is dependant upon the maximum number of disks available on a machine per zone. See: https://cloud.google.com/compute/docs/disks/local-ssd#local_ssd_limits for more information. -`tags` +* `tags` : The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster or node pool creation. Each tag within the list must comply with RFC1035. -`preemptible` +* `preemptible` : Whether the nodes are created as preemptible VM instances. See: https://cloud.google.com/compute/docs/instances/preemptible for more information about preemptible VM instances. -`accelerators` +* `accelerators` : A list of hardware accelerators to be attached to each node - `accelerator_count` + * `accelerator_count` : The number of the accelerator cards exposed to an instance. - `accelerator_type` + * `accelerator_type` : The accelerator type resource name -`disk_type` +* `disk_type` : Type of the disk attached to each node (e.g. 
'pd-standard' or 'pd-ssd') If unspecified, the default disk type is 'pd-standard' -`min_cpu_platform` +* `min_cpu_platform` : Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform -`taints` +* `taints` : List of kubernetes taints to be applied to each node. - `key` + * `key` : Key for taint - `value` + * `value` : Value for taint - `effect` + * `effect` : Effect for taint `initial_node_count` 
@@ -144,43 +144,43 @@ Properties that can be accessed from the `google_container_node_pool` resource: `autoscaling` : Autoscaler configuration for this NodePool. Autoscaler is enabled only if a valid configuration is present. -`enabled` +* `enabled` : Is autoscaling enabled for this node pool. -`min_node_count` +* `min_node_count` : Minimum number of nodes in the NodePool. Must be >= 1 and <= maxNodeCount. -`max_node_count` +* `max_node_count` : Maximum number of nodes in the NodePool. Must be >= minNodeCount. There has to enough quota to scale up the cluster. `management` : Management configuration for this NodePool. -`auto_upgrade` +* `auto_upgrade` : A flag that specifies whether node auto-upgrade is enabled for the node pool. If enabled, node auto-upgrade helps keep the nodes in your node pool up to date with the latest release version of Kubernetes. -`auto_repair` +* `auto_repair` : A flag that specifies whether the node auto-repair is enabled for the node pool. If enabled, the nodes in this node pool will be monitored and, if they fail health checks too many times, an automatic repair action will be triggered. -`upgrade_options` +* `upgrade_options` : Specifies the Auto Upgrade knobs for the node pool. - `auto_upgrade_start_time` + * `auto_upgrade_start_time` : This field is set when upgrades are about to commence with the approximate start time for the upgrades, in RFC3339 text format. - `description` + * `description` : This field is set when upgrades are about to commence with the description of the upgrade. `max_pods_constraint` : The constraint on the maximum number of pods that can be run simultaneously on a node in the node pool. -`max_pods_per_node` +* `max_pods_per_node` : Constraint enforced on the max num of pods per node. `conditions` : Which conditions caused the current node pool state. -`code` +* `code` : Machine-friendly representation of the condition. Possible values: From d37b123bf6b6ed172be5244ac56e137ea0d09afe Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 13 Oct 2021 01:07:19 +0000 Subject: [PATCH 478/483] Bump version to 4.47.4 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c37ad5b37..566f0a1cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.3](https://github.com/inspec/inspec/tree/v4.47.3) (2021-10-06) + +## [v4.47.4](https://github.com/inspec/inspec/tree/v4.47.4) (2021-10-13) #### Merged Pull Requests -- Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) +- Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) @@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) - Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) - Update the unit test files to use latest versions of OS rather than the older. [#5681](https://github.com/inspec/inspec/pull/5681) ([Vasu1105](https://github.com/Vasu1105)) diff --git a/VERSION b/VERSION index d84d43492..316f458fa 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.3 \ No newline at end of file +4.47.4 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 2b9e5c7b3..04cab8954 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.3".freeze + VERSION = "4.47.4".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index ce41f7222..e5617953d 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.3".freeze + VERSION = "4.47.4".freeze end From 8dc23ce7e15b056ff8122e02a29affddc3621b79 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 13 Oct 2021 01:11:03 +0000 Subject: [PATCH 479/483] Bump version to 4.47.5 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 566f0a1cc..3095ffa4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.4](https://github.com/inspec/inspec/tree/v4.47.4) (2021-10-13) + +## [v4.47.5](https://github.com/inspec/inspec/tree/v4.47.5) (2021-10-13) #### Merged Pull Requests -- Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) +- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) 
@@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) - Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) - Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Improvements to the inspec.yml docs [#5679](https://github.com/inspec/inspec/pull/5679) ([tas50](https://github.com/tas50)) diff --git a/VERSION b/VERSION index 316f458fa..9c63b8e5b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.4 \ No newline at end of file +4.47.5 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 04cab8954..b716d1aab 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.4".freeze + VERSION = "4.47.5".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index e5617953d..d63def3c4 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.4".freeze + VERSION = "4.47.5".freeze end From 134ddfcbb574f035baf0fc853828603168b89c17 Mon Sep 17 00:00:00 2001 
From: Chef Expeditor Date: Wed, 13 Oct 2021 01:13:30 +0000 Subject: [PATCH 480/483] Bump version to 4.47.6 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3095ffa4e..aed4f8d6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.5](https://github.com/inspec/inspec/tree/v4.47.5) (2021-10-13) + +## [v4.47.6](https://github.com/inspec/inspec/tree/v4.47.6) (2021-10-13) #### Merged Pull Requests -- Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) +- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) @@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) - Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) - Update GCS Storage class list [#5676](https://github.com/inspec/inspec/pull/5676) ([pradeepbhadani](https://github.com/pradeepbhadani)) diff --git a/VERSION b/VERSION index 9c63b8e5b..5387cb3f3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.5 \ No newline at end of file +4.47.6 \ No newline at end of file 
diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index b716d1aab..0c2159011 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.5".freeze + VERSION = "4.47.6".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index d63def3c4..3c4540ac7 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.5".freeze + VERSION = "4.47.6".freeze end From 648afbb6fa3cc49132b3ed61aa6591a898b1150b Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Wed, 13 Oct 2021 01:15:56 +0000 Subject: [PATCH 481/483] Bump version to 4.47.7 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index aed4f8d6f..a5f98b636 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,10 @@ # Change Log - -## [v4.47.6](https://github.com/inspec/inspec/tree/v4.47.6) (2021-10-13) + +## [v4.47.7](https://github.com/inspec/inspec/tree/v4.47.7) (2021-10-13) #### Merged Pull Requests -- Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) +- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) 
@@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) - Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) - Group & User Resources - Resolve name case-sensitivity issue for windows [#5667](https://github.com/inspec/inspec/pull/5667) ([Nik08](https://github.com/Nik08)) diff --git a/VERSION b/VERSION index 5387cb3f3..bce7e32fd 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.6 \ No newline at end of file +4.47.7 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 0c2159011..453b97472 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.6".freeze + VERSION = "4.47.7".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 3c4540ac7..8c5b2f675 100644 --- a/lib/inspec/version.rb +++ b/lib/inspec/version.rb @@ -1,3 +1,3 @@ module Inspec - VERSION = "4.47.6".freeze + VERSION = "4.47.7".freeze end From e5f2ede38981b8a10129b3039c703ba2f0f71d2b Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Tue, 19 Oct 2021 14:43:49 +0530 Subject: [PATCH 482/483] Oracle fix when invoking query using os user and db role 
Signed-off-by: Nikita Mathur --- lib/inspec/resources/oracledb_session.rb | 16 ++++++++++++---- test/unit/resources/oracledb_session_test.rb | 17 +++++++++++++++++ 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/lib/inspec/resources/oracledb_session.rb b/lib/inspec/resources/oracledb_session.rb index 4da2de5e4..cb6f7d5c8 100644 --- a/lib/inspec/resources/oracledb_session.rb +++ b/lib/inspec/resources/oracledb_session.rb @@ -42,6 +42,7 @@ module Inspec::Resources end def query(sql) + raise Inspec::Exceptions::ResourceSkipped, "#{resource_exception_message}" if resource_skipped? raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? if @sqlcl_bin && inspec.command(@sqlcl_bin).exist? @@ -78,7 +79,14 @@ module Inspec::Resources # using a db_role # su, using a db_role def command_builder(format_options, query) - verified_query = verify_query(query) + if @db_role.nil? || @su_user.nil? + verified_query = verify_query(query) + else + escaped_query = query.gsub(/\\/, "\\\\").gsub(/"/, '\\"') + escaped_query = escaped_query.gsub("$", '\\$') + verified_query = verify_query(escaped_query) + end + sql_prefix, sql_postfix = "", "" if inspec.os.windows? sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | } @@ -87,11 +95,11 @@ module Inspec::Resources end if @db_role.nil? - "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}" + %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}} elsif @su_user.nil? - "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}" + %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}} else - "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}" + %{su - #{@su_user} -c "env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"} end end 
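Review bot: In the `command_builder` hunk the first substitution, `query.gsub(/\\/, "\\\\")`, does not double backslashes: inside a `gsub` replacement string `\\` means one literal backslash, so the query comes back unchanged. Backticks are not escaped either, yet the query ends up inside the double-quoted `su - ... -c "..."` argument, where the invoking shell presumably still performs command substitution. SQL in controls is often assembled from profile inputs, so the payload should be quoted as a whole rather than patched character by character. The block form avoids the replacement-string parsing, `escaped_query = query.gsub("\\") { "\\\\" }`, and passing the complete `-c` payload through `Shellwords.escape` (the file would need `require "shellwords"`) covers quotes, `$`, backslashes and backticks in one step. `command_builder` starts and ends outside this hunk.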
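Review bot: The rewritten `su` line in the last oracledb_session.rb hunk puts the payload in double quotes but interpolates `@su_user`, `@service`, `@bin` and `@db_role` unescaped, so a quote, space or `$` in any of those resource options changes how the shell parses the command. Only the query text receives escaping in the hunk above. Each option should be escaped where it is interpolated, e.g. `su - #{Shellwords.escape(@su_user)} -c ...`, or the values should be validated against an expected pattern when the resource is constructed. The two branches without `su` still place `#{user}/#{password}` on the command line, where it is presumably readable from the target's process list while the client runs; a comment stating that limitation would help profile authors choose the OS-user path for sensitive accounts.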
diff --git a/test/unit/resources/oracledb_session_test.rb b/test/unit/resources/oracledb_session_test.rb index eeca847ec..74d5ff820 100644 --- a/test/unit/resources/oracledb_session_test.rb +++ b/test/unit/resources/oracledb_session_test.rb @@ -20,6 +20,23 @@ describe "Inspec::Resources::OracledbSession" do _(query.row(0).column("value").value).must_equal "ORCL" end + it "sqlplus Linux with os user and db role" do + resource = quick_resource(:oracledb_session, :linux, as_os_user: "OSUSER", as_db_role: "DBA", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "/bin/sqlplus") do |cmd| + cmd.strip! + case cmd + when "su - OSUSER -c \"env ORACLE_SID=ORCL /bin/sqlplus -S / as DBA <<'EOC'\nSET PAGESIZE 32000\nSET FEEDBACK OFF\nSET UNDERLINE OFF\nSELECT NAME AS VALUE FROM v\\$database;\nEXIT\nEOC\"" then + stdout_file "test/fixtures/cmd/oracle-result" + else + raise cmd.inspect + end + end + + _(resource.resource_skipped?).must_equal false + query = resource.query("SELECT NAME AS VALUE FROM v$database;") + _(query.size).must_equal 1 + _(query.row(0).column("value").value).must_equal "ORCL" + end + it "sqlplus Windows" do resource = quick_resource(:oracledb_session, :windows, user: "USER", password: "password", host: "localhost", service: "ORCL", port: 1527, sqlplus_bin: "C:/sqlplus.exe") do |cmd| cmd.strip! From c391ca349b593311dbf9e1b111fb9c735abbed17 Mon Sep 17 00:00:00 2001 From: Chef Expeditor Date: Tue, 19 Oct 2021 13:14:38 +0000 Subject: [PATCH 483/483] Bump version to 4.47.8 by Chef Expeditor Obvious fix; these changes are the result of automation not creative thinking. --- CHANGELOG.md | 7 ++++--- VERSION | 2 +- inspec-bin/lib/inspec-bin/version.rb | 2 +- lib/inspec/version.rb | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a5f98b636..9fac85e9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
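Review bot: The new "sqlplus Linux with os user and db role" case pins only the `$` escaping (`v\\$database` in the expected command). No query in the test contains a double quote, backslash or backtick, so the other substitutions this commit adds to `command_builder` are not exercised. Add a second `resource.query(...)` call whose SQL contains a double quote and a backslash, with a matching `when` branch for the exact command string expected, so that a regression in the escaping fails the test instead of silently changing the command that is executed. The enclosing `describe` block starts outside this hunk.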
@@ -1,10 +1,10 @@ # Change Log - -## [v4.47.7](https://github.com/inspec/inspec/tree/v4.47.7) (2021-10-13) + +## [v4.47.8](https://github.com/inspec/inspec/tree/v4.47.8) (2021-10-19) #### Merged Pull Requests -- Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) +- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08)) @@ -14,6 +14,7 @@ - Add support for Cassandra DB [#5683](https://github.com/inspec/inspec/pull/5683) ([Nik08](https://github.com/Nik08)) #### Merged Pull Requests +- Oracle db session resource fix - when invoking query using os user and db role [#5702](https://github.com/inspec/inspec/pull/5702) ([Nik08](https://github.com/Nik08)) - Enable repeatable builds by bundling Gemfile.lock [#5688](https://github.com/inspec/inspec/pull/5688) ([tas50](https://github.com/tas50)) - Fix google_container_node_pool.md [#5696](https://github.com/inspec/inspec/pull/5696) ([pradeepbhadani](https://github.com/pradeepbhadani)) - Renamed Inspec DSL to Inspec Language [#5694](https://github.com/inspec/inspec/pull/5694) ([dishanktiwari2501](https://github.com/dishanktiwari2501)) diff --git a/VERSION b/VERSION index bce7e32fd..0b517bf1d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.47.7 \ No newline at end of file +4.47.8 \ No newline at end of file diff --git a/inspec-bin/lib/inspec-bin/version.rb b/inspec-bin/lib/inspec-bin/version.rb index 453b97472..bbde640d3 100644 --- a/inspec-bin/lib/inspec-bin/version.rb +++ b/inspec-bin/lib/inspec-bin/version.rb @@ -1,5 +1,5 @@ # This file managed by automation - do not edit manually module InspecBin INSPECBIN_ROOT = File.expand_path("..", __dir__) - VERSION = "4.47.7".freeze + VERSION = "4.47.8".freeze end diff --git a/lib/inspec/version.rb b/lib/inspec/version.rb index 8c5b2f675..fbfb64dcc 100644 --- a/lib/inspec/version.rb 
+++ b/lib/inspec/version.rb
@@ -1,3 +1,3 @@
 module Inspec
- VERSION = "4.47.7".freeze
+ VERSION = "4.47.8".freeze
 end