From 8527d213cb3914e4421de0ee966e16be0c575f54 Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Fri, 20 May 2022 19:19:33 +0530
Subject: [PATCH 01/11] Fix for dependent profiles with same name but different version to run and display
Signed-off-by: Nikita Mathur
---
 lib/inspec/dependencies/dependency_set.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/inspec/dependencies/dependency_set.rb b/lib/inspec/dependencies/dependency_set.rb
index 85f6ed62a..03978735a 100644
--- a/lib/inspec/dependencies/dependency_set.rb
+++ b/lib/inspec/dependencies/dependency_set.rb
@@ -39,7 +39,8 @@ module Inspec
 def self.flatten_dep_tree(dep_tree)
 dep_list = {}
 dep_tree.each do |d|
- dep_list[d.name] = d
+ key_name = "#{d.name}-#{d.source_version}"
+ dep_list[key_name] = d
 dep_list.merge!(flatten_dep_tree(d.dependencies))
 end
 dep_list
From d43b1c2f436c69021c3764f27f48f649e15be99f Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Wed, 8 Jun 2022 17:53:26 +0530
Subject: [PATCH 02/11] Dsl using dependency with version to fetch dependency
Signed-off-by: Nikita Mathur
---
 lib/inspec/dependencies/dependency_set.rb | 3 ++-
 lib/inspec/dsl.rb | 21 +++++++++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/lib/inspec/dependencies/dependency_set.rb b/lib/inspec/dependencies/dependency_set.rb
index 03978735a..1de5d76a2 100644
--- a/lib/inspec/dependencies/dependency_set.rb
+++ b/lib/inspec/dependencies/dependency_set.rb
@@ -25,7 +25,8 @@ module Inspec
 def self.from_array(dependencies, cwd, cache, backend)
 dep_list = {}
 dependencies.each do |d|
- dep_list[d.name] = d
+ key_name = "#{d.name}-#{d.source_version}"
+ dep_list[key_name] = d
 end
 new(cwd, cache, dep_list, backend)
 end
diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb
index d5af0e59b..be25e4b37 100644
--- a/lib/inspec/dsl.rb
+++ b/lib/inspec/dsl.rb
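Review bot: The string key built on the two added lines of `flatten_dep_tree` is ambiguous, because `-` is legal inside profile names (the fixtures later in this series use `child-profile-1`) and can also occur in a version, so two different name/version pairs can produce the same key (constructed example: name `a-b` at version `c` and name `a` at version `b-c` both give `a-b-c`) and one entry silently replaces the other in `dep_list`. In a tool that decides which controls are evaluated, an overwritten entry means another profile's controls run under the expected name. Keying on the pair itself, `dep_list[[d.name, d.source_version]] = d`, or on a nested name-to-version map removes the need to parse keys later, although code that indexes the list by a plain name would have to follow. The `from_array` hunk of PATCH 02 builds the key the same way.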
@@ -6,13 +6,13 @@ require "inspec/utils/deprecated_cloud_resources_list" module Inspec::DSL attr_accessor :backend - def require_controls(id, &block) - opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies } + def require_controls(id, version = nil, &block) + opts = { profile_id: id, include_all: false, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version } ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block) end - def include_controls(id, &block) - opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies } + def include_controls(id, version = nil, &block) + opts = { profile_id: id, include_all: true, backend: @backend, conf: @conf, dependencies: @dependencies, profile_version: version } ::Inspec::DSL.load_spec_files_for_profile(self, opts, &block) end @@ -85,6 +85,19 @@ module Inspec::DSL def self.load_spec_files_for_profile(bind_context, opts, &block) dependencies = opts[:dependencies] profile_id = opts[:profile_id] + profile_version = opts[:profile_version] + + if profile_version + profile_id = "#{profile_id}-#{profile_version}" + else + profile_id_key = nil + dependencies.list.keys.each do |key| + profile_id_key = key.split("-") + profile_id_key.pop + profile_id_key = key if profile_id_key.join("-") == profile_id + end + profile_id = profile_id_key + end dep_entry = dependencies.list[profile_id] if dep_entry.nil? From 58d4a816f32dc3577000f0666390cedd4e0bc8e9 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Wed, 8 Jun 2022 19:47:20 +0530 Subject: [PATCH 03/11] Fix related to new profile id generation for fetching dependencies in dsl logic Signed-off-by: Nikita Mathur --- lib/inspec/dsl.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index be25e4b37..fc3d00f03 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb 
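Review bot: The new optional `version` argument of `require_controls` and `include_controls` is undocumented, and nothing in this hunk says what it is compared against. Judging by the next hunk it is interpolated into the lookup key and therefore has to equal the dependency's source version string exactly, so a comment above both methods such as `# version: exact source version of the dependency; when nil the dependency is resolved by name only` would save callers from guessing. A keyword argument (`version: nil`) would read more clearly at call sites than a second positional string, but that is a matter of style.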
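Review bot: The unversioned branch of `load_spec_files_for_profile` recovers the profile name by splitting each key on `-` and dropping the last segment, which only works when the version contains no hyphen (constructed example: for a version `1.0.0-rc1` only `rc1` is popped) and which lets the last matching key win silently when two versions of one profile are in the list. For a compliance run that makes the evaluated controls depend on hash order rather than on what the profile author asked for. Assuming `list` returns the hash filled in dependency_set.rb, the stored objects already carry the name, so `dependencies.list.each { |key, dep| match = key if dep.name == profile_id }` avoids the parsing, and raising or warning when more than one key matches would make the ambiguity visible. The method body continues outside the hunk, and PATCH 03, 04, 05 and 08 keep this loop.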
@@ -90,13 +90,13 @@ module Inspec::DSL if profile_version profile_id = "#{profile_id}-#{profile_version}" else - profile_id_key = nil + new_profile_id = nil dependencies.list.keys.each do |key| profile_id_key = key.split("-") profile_id_key.pop - profile_id_key = key if profile_id_key.join("-") == profile_id + new_profile_id = key if profile_id_key.join("-") == profile_id end - profile_id = profile_id_key + profile_id = new_profile_id end dep_entry = dependencies.list[profile_id] From 8e32d90349fd6dc1aefaeffb7afb12abc8f976c4 Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 9 Jun 2022 11:54:52 +0530 Subject: [PATCH 04/11] Fix build issue Signed-off-by: Nikita Mathur --- lib/inspec/dependencies/dependency_set.rb | 4 ++-- lib/inspec/dsl.rb | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/inspec/dependencies/dependency_set.rb b/lib/inspec/dependencies/dependency_set.rb index 1de5d76a2..75d6d0ca3 100644 --- a/lib/inspec/dependencies/dependency_set.rb +++ b/lib/inspec/dependencies/dependency_set.rb @@ -25,7 +25,7 @@ module Inspec def self.from_array(dependencies, cwd, cache, backend) dep_list = {} dependencies.each do |d| - key_name = "#{d.name}-#{d.source_version}" + key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : d.name) rescue d.name dep_list[key_name] = d end new(cwd, cache, dep_list, backend) @@ -40,7 +40,7 @@ module Inspec def self.flatten_dep_tree(dep_tree) dep_list = {} dep_tree.each do |d| - key_name = "#{d.name}-#{d.source_version}" + key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : d.name) rescue d.name dep_list[key_name] = d dep_list.merge!(flatten_dep_tree(d.dependencies)) end diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index fc3d00f03..c42ffe6f4 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb 
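Review bot: The modifier `rescue d.name` on the new `key_name` line in `from_array` swallows every StandardError raised while evaluating `d.source_version`, so a dependency whose version lookup fails is silently stored under its bare name, where it can shadow or be shadowed by another entry with that name. Which error the rescue is meant to absorb is not visible in this hunk; if it is only objects that lack the method (presumably test doubles), check for that explicitly and let real failures surface. The same line is repeated in the `flatten_dep_tree` hunk of this patch and again in PATCH 07 and PATCH 08, so one shared helper would keep the copies from drifting. A possible shape, with a helper name of my own choosing, is below; `from_array` ends outside the hunk.

```ruby
# … unchanged: from_array signature and dep_list = {} …
dependencies.each do |d|
  dep_list[dep_key(d)] = d
end
# … unchanged: new(cwd, cache, dep_list, backend) …

# New helper beside from_array and flatten_dep_tree.
# Key under which a requirement is stored: "name-version" when a source
# version is known, the bare name otherwise.
def self.dep_key(dep)
  version = dep.source_version if dep.respond_to?(:source_version)
  version ? "#{dep.name}-#{version}" : dep.name
end
```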
@@ -96,9 +96,8 @@ module Inspec::DSL profile_id_key.pop new_profile_id = key if profile_id_key.join("-") == profile_id end - profile_id = new_profile_id end - dep_entry = dependencies.list[profile_id] + dep_entry = new_profile_id ? dependencies.list[new_profile_id] : dependencies.list[profile_id] if dep_entry.nil? raise <<~EOF From 70a48576114d5d43f300a97dc6eab9e01703ccee Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Thu, 9 Jun 2022 15:31:28 +0530 Subject: [PATCH 05/11] New profile id usage instead of profile_id in dsl Signed-off-by: Nikita Mathur --- lib/inspec/dsl.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb index c42ffe6f4..536d69954 100644 --- a/lib/inspec/dsl.rb +++ b/lib/inspec/dsl.rb @@ -87,10 +87,10 @@ module Inspec::DSL profile_id = opts[:profile_id] profile_version = opts[:profile_version] + new_profile_id = nil if profile_version - profile_id = "#{profile_id}-#{profile_version}" + new_profile_id = "#{profile_id}-#{profile_version}" else - new_profile_id = nil dependencies.list.keys.each do |key| profile_id_key = key.split("-") profile_id_key.pop From 1166489a93a3a55782c0fd586d2b0d43be4ddc6c Mon Sep 17 00:00:00 2001 From: Nikita Mathur Date: Mon, 13 Jun 2022 20:26:14 +0530 Subject: [PATCH 06/11] Test case added for verifying running of same profile with different versions 
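Review bot: In the `@@ -87,10 +87,10 @@` hunk of PATCH 05, `profile_id` is no longer rewritten to `"#{profile_id}-#{profile_version}"`, so every later use of `profile_id` in this method sees the bare id. The `raise` that follows `dep_entry.nil?` lies outside the hunk, so I cannot tell whether its message still names the version that was requested. If it interpolates only `profile_id`, a versioned request that fails would report the profile as missing although it may be present at another version; building the message from `new_profile_id || profile_id` keeps the report accurate.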
Signed-off-by: Nikita Mathur
---
 .../child-profile-1/controls/example.rb | 3 +++
 .../inheritance/child-profile-1/inspec.yml | 15 +++++++++++++++
 .../child-profile-2/controls/example.rb | 3 +++
 .../inheritance/child-profile-2/inspec.yml | 14 ++++++++++++++
 .../parent-profile/controls/example.rb | 2 ++
 .../inheritance/parent-profile/inspec.yml | 15 +++++++++++++++
 test/functional/inspec_exec_test.rb | 12 ++++++++++++
 7 files changed, 64 insertions(+)
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/controls/example.rb
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/inspec.yml
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/controls/example.rb
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/inspec.yml
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/parent-profile/controls/example.rb
 create mode 100644 test/fixtures/profiles/git-fetcher/inheritance/parent-profile/inspec.yml
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/controls/example.rb b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/controls/example.rb
new file mode 100644
index 000000000..58b8f3d12
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/controls/example.rb
@@ -0,0 +1,3 @@
+require_controls "ssh" do
+ control "sshd-50"
+end
\ No newline at end of file
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/inspec.yml b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/inspec.yml
new file mode 100644
index 000000000..a9decfbd9
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-1/inspec.yml
@@ -0,0 +1,15 @@
+name: child-profile-1
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+ platform: os
+depends:
+ - name: ssh
+ git: https://github.com/dev-sec/ssh-baseline.git
+ tag: 2.7.0
+
\ No newline at end of file
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/controls/example.rb b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/controls/example.rb
new file mode 100644
index 000000000..8698d0387
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/controls/example.rb
@@ -0,0 +1,3 @@
+require_controls "ssh" do
+ control "sshd-01"
+end
\ No newline at end of file
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/inspec.yml b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/inspec.yml
new file mode 100644
index 000000000..230c76532
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/child-profile-2/inspec.yml
@@ -0,0 +1,14 @@
+name: child-profile-2
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+ platform: os
+depends:
+ - name: ssh
+ git: https://github.com/dev-sec/ssh-baseline.git
+ tag: 2.6.0
\ No newline at end of file
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/controls/example.rb b/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/controls/example.rb
new file mode 100644
index 000000000..71ed7c9b3
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/controls/example.rb
@@ -0,0 +1,2 @@
+include_controls "child-profile-1"
+include_controls "child-profile-2"
\ No newline at end of file
diff --git a/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/inspec.yml b/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/inspec.yml
new file mode 100644
index 000000000..da868a46f
--- /dev/null
+++ b/test/fixtures/profiles/git-fetcher/inheritance/parent-profile/inspec.yml
@@ -0,0 +1,15 @@
+name: parent-profile
+title: InSpec Profile
+maintainer: The Authors
+copyright: The Authors
+copyright_email: you@example.com
+license: Apache-2.0
+summary: An InSpec Compliance Profile
+version: 0.1.0
+supports:
+ platform: os
+depends:
+ - name: child-profile-2
+ path: ../child-profile-2
+ - name: child-profile-1
+ path: ../child-profile-1
\ No newline at end of file
diff --git a/test/functional/inspec_exec_test.rb b/test/functional/inspec_exec_test.rb
index d9b9e4fec..b8779edc5 100644
--- a/test/functional/inspec_exec_test.rb
+++ b/test/functional/inspec_exec_test.rb
@@ -1305,4 +1305,16 @@ EOT
 assert_json_controls_passing
 end
 end
+
+ describe "when profiles are dependent on different versions of same profile" do
+ let(:profile) { "#{profile_path}/git-fetcher/inheritance/parent-profile" }
+ let(:run_result) { run_inspec_process("exec #{profile}") }
+ it "should evaluate all test controls of all versions correctly" do
+ _(run_result.stderr).must_be_empty
+ _(run_result.stdout).must_include "2.7.0"
+ _(run_result.stdout).must_include "2.6.0"
+ _(run_result.stdout).must_include "sshd-01"
+ _(run_result.stdout).must_include "sshd-50"
+ end
+ end
 end
From b2e3bb342b12c559a8b64f7fa7a47dbd23de33e5 Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Thu, 23 Jun 2022 19:57:36 +0530
Subject: [PATCH 07/11] using fake version 0.0.0 in case no source version available from a dep profile
Signed-off-by: Nikita Mathur
---
 lib/inspec/dependencies/dependency_set.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/inspec/dependencies/dependency_set.rb b/lib/inspec/dependencies/dependency_set.rb
index 75d6d0ca3..e82f884b3 100644
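Review bot: The four `must_include` assertions in the new `describe` block of inspec_exec_test.rb are substring checks over the whole of stdout, so they pass whenever `2.7.0`, `2.6.0`, `sshd-01` and `sshd-50` appear anywhere in the output. They do not show that `sshd-50` was taken from the 2.7.0 checkout and `sshd-01` from 2.6.0, which is the behaviour this series adds. Asserting on structured output per child profile, as the neighbouring `assert_json_controls_passing` tests appear to do, would pin that. The fixtures also fetch `https://github.com/dev-sec/ssh-baseline.git` by tag at test time, so the test needs network access and relies on the upstream tags not moving; a comment above the `describe` saying so would help whoever sees it fail offline.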
--- a/lib/inspec/dependencies/dependency_set.rb
+++ b/lib/inspec/dependencies/dependency_set.rb
@@ -25,7 +25,7 @@ module Inspec
 def self.from_array(dependencies, cwd, cache, backend)
 dep_list = {}
 dependencies.each do |d|
- key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : d.name) rescue d.name
+ key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}-0.0.0") rescue "#{d.name}-0.0.0"
 dep_list[key_name] = d
 end
 new(cwd, cache, dep_list, backend)
@@ -40,7 +40,7 @@ module Inspec
 def self.flatten_dep_tree(dep_tree)
 dep_list = {}
 dep_tree.each do |d|
- key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : d.name) rescue d.name
+ key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}-0.0.0") rescue "#{d.name}-0.0.0"
 dep_list[key_name] = d
 dep_list.merge!(flatten_dep_tree(d.dependencies))
 end
From e7ee813ec7d91f4a9189e14ecf915b6ab012413c Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Fri, 24 Jun 2022 14:20:47 +0530
Subject: [PATCH 08/11] Reverted fake version change and added comments for more clarity
Signed-off-by: Nikita Mathur
---
 lib/inspec/dependencies/dependency_set.rb | 6 ++++--
 lib/inspec/dsl.rb | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/inspec/dependencies/dependency_set.rb b/lib/inspec/dependencies/dependency_set.rb
index e82f884b3..9c63b4e88 100644
--- a/lib/inspec/dependencies/dependency_set.rb
+++ b/lib/inspec/dependencies/dependency_set.rb
@@ -25,7 +25,8 @@ module Inspec
 def self.from_array(dependencies, cwd, cache, backend)
 dep_list = {}
 dependencies.each do |d|
- key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}-0.0.0") rescue "#{d.name}-0.0.0"
+ # if depedent profile does not have a source version then only name is used in dependency hash
+ key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue "#{d.name}"
 dep_list[key_name] = d
 end
 new(cwd, cache, dep_list, backend)
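Review bot: The comment added to `from_array` in PATCH 08 misspells "dependent" as "depedent", and the line below it writes the fallback as `"#{d.name}"` twice where plain `d.name` would say the same thing, assuming `name` is already a String. The matching `flatten_dep_tree` hunk of this patch carries the same typo but rescues to `d.name`, so the two copies already differ in form. Suggested wording for both: `# If the dependent profile has no source version, only its name is used as the key in the dependency hash.`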
@@ -40,7 +41,8 @@ module Inspec
 def self.flatten_dep_tree(dep_tree)
 dep_list = {}
 dep_tree.each do |d|
- key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}-0.0.0") rescue "#{d.name}-0.0.0"
+ # if depedent profile does not have a source version then only name is used in dependency hash
+ key_name = (d.source_version ? "#{d.name}-#{d.source_version}" : "#{d.name}") rescue d.name
 dep_list[key_name] = d
 dep_list.merge!(flatten_dep_tree(d.dependencies))
 end
diff --git a/lib/inspec/dsl.rb b/lib/inspec/dsl.rb
index 536d69954..da22c4dfd 100644
--- a/lib/inspec/dsl.rb
+++ b/lib/inspec/dsl.rb
@@ -92,6 +92,7 @@ module Inspec::DSL
 new_profile_id = "#{profile_id}-#{profile_version}"
 else
 dependencies.list.keys.each do |key|
+ # If dep profile does not contain a source version, key does not contain a version as well. In that case new_profile_id will be always nil and instead profile_id would be used to fetch profile from dependency list.
 profile_id_key = key.split("-")
 profile_id_key.pop
 new_profile_id = key if profile_id_key.join("-") == profile_id
From f3aa18b4f902ed872fa3ed4d0e0457a4a573175a Mon Sep 17 00:00:00 2001
From: Nikita Mathur
Date: Mon, 27 Jun 2022 21:07:30 +0530
Subject: [PATCH 09/11] Pinning minitest to 5.15.0 to fix build issue
Signed-off-by: Nikita Mathur
---
 Gemfile | 2 +-
 test/helpers/mock_loader.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile b/Gemfile
index 58a2e8008..a1bb0b915 100644
--- a/Gemfile
+++ b/Gemfile
@@ -29,7 +29,7 @@ group :test do
 gem "json_schemer", ">= 0.2.1", "< 0.2.19"
 gem "m"
 gem "minitest-sprint", "~> 1.0"
- gem "minitest", "~> 5.5"
+ gem "minitest", "5.15.0"
 gem "mocha", "~> 1.1"
 gem "nokogiri", "~> 1.9"
 gem "pry-byebug"
diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb
index f4ae53631..2a8ae0dc6 100644
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
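Review bot: The comment added in the dsl.rb hunk says `new_profile_id` will always be nil when a key carries no version, but that only holds for names without a hyphen. An unversioned key such as `child-profile-1` (the name used by the fixtures in this series) is split and popped to `child-profile`, so a request for a profile called `child-profile` would set `new_profile_id` to `child-profile-1`. Because the lookup after the loop prefers `new_profile_id`, this would win even when an exact `child-profile` key exists, and a different profile's controls would be loaded than the one named. Skipping the scan when `dependencies.list.key?(profile_id)` is true, and rewording the comment to describe that, closes the gap; the loop and the method both continue outside the hunk.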
@@ -227,7 +227,7 @@ class MockLoader
 'sh -c \'type "/sbin/auditctl"\'' => empty.call,
 'sh -c \'type "sql"\'' => cmd_exit_1.call,
 'type "pwsh"' => empty.call,
- 'type "netstat"' => empty.call,
+ 'type "/usr/sbin/netstat"' => empty.call,
 "sh -c 'find /etc/apache2/ports.conf -type l -maxdepth 1'" => empty.call,
 "sh -c 'find /etc/httpd/conf.d/*.conf -type l -maxdepth 1'" => empty.call,
 "sh -c 'find /etc/httpd/mods-enabled/*.conf -type l -maxdepth 1'" => empty.call,
From 34cdb8780d1bf6e0aa9d068c2c3af75e85e501d9 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Mon, 27 Jun 2022 15:30:17 -0400
Subject: [PATCH 10/11] Add explict /usr/sbin/netstat to mockloader, fixes routingtable tests
Signed-off-by: Clinton Wolfe
---
 test/helpers/mock_loader.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/helpers/mock_loader.rb b/test/helpers/mock_loader.rb
index 2a8ae0dc6..c1c7c0386 100644
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
@@ -409,6 +409,7 @@ class MockLoader
 "php -c /etc/php/7.4/cli/php.ini -r 'echo get_cfg_var(\"default_mimetype\");'" => cmd.call("get-cfg-var"),
 # routing_table
 "netstat -rn" => cmd.call("netstat-rn-linux"),
+ "/usr/sbin/netstat -rn" => cmd.call("netstat-rn-linux"),
 %{sh -c 'type "netstat"'} => empty.call,
 # mocks for be_immutable matcher for file resource
 "lsattr constantfile.txt" => cmd.call("lsattr-output"),
From 17d7822365e24fdd8d3f1b58c78446d7dff67935 Mon Sep 17 00:00:00 2001
From: Clinton Wolfe
Date: Mon, 27 Jun 2022 15:35:46 -0400
Subject: [PATCH 11/11] Use esxi instead of undefined as an unsupported OS to silence 'unknown OS' warnings
Signed-off-by: Clinton Wolfe
---
 test/unit/resources/cgroup_test.rb | 2 +-
 test/unit/resources/default_gateway_test.rb | 2 +-
 test/unit/resources/routing_table_test.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/unit/resources/cgroup_test.rb b/test/unit/resources/cgroup_test.rb
index e176c2669..18284b720 100644
--- a/test/unit/resources/cgroup_test.rb
+++ b/test/unit/resources/cgroup_test.rb @@ -26,7 +26,7 @@ describe Inspec::Resources::Cgroup do # undefined it "check carrotking cgroup information on unsupported os" do - resource = MockLoader.new("undefined".to_sym).load_resource("cgroup", "carrotking") + resource = MockLoader.new("exsi".to_sym).load_resource("cgroup", "carrotking") _(resource.resource_skipped?).must_equal true _(resource.resource_exception_message).must_equal "The `cgroup` resource is not supported on your OS yet." end diff --git a/test/unit/resources/default_gateway_test.rb b/test/unit/resources/default_gateway_test.rb index cf580a095..8aa57d958 100644 --- a/test/unit/resources/default_gateway_test.rb +++ b/test/unit/resources/default_gateway_test.rb @@ -19,7 +19,7 @@ describe Inspec::Resources::Defaultgateway do # unsupported os it "check ipaddress and interface of default gateway on unsupported os" do - resource = MockLoader.new("undefined".to_sym).load_resource("default_gateway") + resource = MockLoader.new("esxi".to_sym).load_resource("default_gateway") _(resource.resource_skipped?).must_equal true _(resource.resource_failed?).must_equal true end diff --git a/test/unit/resources/routing_table_test.rb b/test/unit/resources/routing_table_test.rb index fab6fcc3c..b7b35a230 100644 --- a/test/unit/resources/routing_table_test.rb +++ b/test/unit/resources/routing_table_test.rb @@ -26,7 +26,7 @@ describe Inspec::Resources::Routingtable do # unsupported os it "check routing table information on unsupported os" do - resource = MockLoader.new("undefined".to_sym).load_resource("routing_table") + resource = MockLoader.new("esxi".to_sym).load_resource("routing_table") _(resource.resource_skipped?).must_equal true _(resource.resource_failed?).must_equal true end
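Review bot: `"exsi".to_sym` on the new line of cgroup_test.rb looks like a typo for `esxi`, the value the commit subject names and the one the default_gateway and routing_table hunks of this patch use. As written, the cgroup test presumably still runs against an OS name the mock loader does not know, so the 'unknown OS' warning this commit is meant to silence would remain for that file. Change it to `MockLoader.new("esxi".to_sym)`, and update the `# undefined` comment above the test, which no longer describes what is mocked.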