Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
Signed-off-by: Jared Quick <jquick@chef.io>
* Fix profile vendoring on Windows
This fixes vendoring on Windows by doing the following:
- Expanding relative paths (handles `\\`)
- Ensuring archives after closed after reading (prevents locking)
This also does the following:
- Removes extra file from testing tar archive
- Ensures fetching dirs/archives in the local fetcher behaves the same
* Fix profile vendoring on Windows
This fixes vendoring on Windows by doing the following:
- Expanding relative paths (handles `\\`)
- Ensuring archives after closed after reading (prevents locking)
This also does the following:
- Removes extra file from testing tar archive
- Ensures fetching dirs/archives in the local fetcher behaves the same
* Add vendoring to fuctional testing and fix the tmp path for windows
* Add tests for relative paths and backslashes
* Remove backslashes support in filenames on Linux
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add impact class which contains all cvss scores.
* Add testing for impact changes.
* Change symbols to strings for impact.
* Update error messages to be more clear.
* Fix test with new sha
Signed-off-by: Jared Quick <jquick@chef.io>
* Add windows functional tests.
* Fix tests for 2012 server.
* Fix windows build script
* Add more functional tests for windows.
* Update comment with TODO.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add yml attribute option.
* Add type matching.
* Add testing profile for global attributes testing all types.
* Allow attributes to be called within a control block.
* Fix attribut test issues and allow value to be set at runtime.
* Allow setting attr value after creation.
* Move attributes to global namespace.
* Move attributes to a singleton object.
* Add unit and updated functional testing.
* Rename attributes to attributes_test so the testhelper picks it up.
* Add attribute object tests and error types.
* Update with feedback changes.
* Remove extra line.
* Move attribute registry class file.
* Add documentation for attributes
* Rename rspec_extensions.
* Add some failing functional tests.
* Update docs and fix typos.
Signed-off-by: Jared Quick <jquick@chef.io>
* Allow uuid passthrough
* Update flag to be target-id.
* Updated to use proper formatting for header.
* Fix empty line after cli banner.
Signed-off-by: Jared Quick <jquick@chef.io>
* Leverage existance check in Compliance::Fetcher.resolve to not re-download locally cached profiles
* Move logic from Compliance::API.exist? to Compliance::API.profiles to reuse code in cases where we need to access profiles' metadata directly.
* Declare @upstream_sha256 if target is a string
* Handle other fetchers that don't support upstream_sha256 within Inspec::CachedFetcher.initialize
* Add initialize for Compliance::Fetcher to not pollute Fetchers::Url with its logic
* Add Compliance::Fetcher.sha256 to leverage upstream_sha256 instead of relying on inherited method from Fetchers::Url
* Revert changes to cached fetcher that are unnecessary after refactor
* Pacify the god of ruby syntax
* Move Compliance::API.profiles filtering logic to end of method to leverage normalization of mapped_profiles
* Add and update unit tests to support caching with Compliance::Fetcher.upstream_sha256
Signed-off-by: Josh Hudson <jhudson@chef.io>
This does the following:
- Adds `--sudo` if using `--sudo-password`
- Warns the user if using `--sudo-password` without `--sudo`
- Adds unit tests for `Inspec::BaseCLI#opts`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* adding cloudlinux into the mocker under the redhat family as it is found inside of train, and creating tests for cloudlinux that mirror the centos/redhat tests.
* adding cloudlinux under the select_service_mgmt method so that it can be matched.
Signed-off-by: Vern Burton <me@vernburton.com>
In the `read_file` method we can call `read_file_content` with the second
argument `true` to avoid skipping on an empty file.
We will still skip the control if the main configuration file is empty
as there is still an explicit call to `read_file_content` without this
argument in the `read_content` method.
Signed-off-by: Kris Shannon <k.shannon@amaze.com.au>
* Functional tests for userdir option
* Accepts --config-dir CLI option
* Actually loads a config file from the config dir, more cases to test
* Able to load config and verify contents from config-dir
* Functional tests to ensure precedence for config options
* Enable setting config dir via env var
* .inspec, not .inspec.d
* Begin converting PluginCtl to PluginLoader/Registry
* Able to load and partially validate the plugins.json file
* More work on the plugin loader
* Break the world, move next gen stuff to plugin/
* Be sure to require base cli in bundled plugins
* Move test file
* Revert changes to v1 plugin, so we can have a separate one
* Checkpoint commit
* Move v2 plugin work to v2 area
* Move plugins v1 code into an isolated directory
* rubocop fixes
* Rip out the stuff about a user-dir config file, just use a plugin file
* Two psuedocode test file
* Working base API, moock plugin type, and loader.
* Adjust load path to be more welcoming
* Silence circular depencency warning, which was breaking a unit test
* Linting
* Fix plugin type registry, add tests to cover
* Feedback from Jerry
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Allow the jsonMerged report to be executed from cli.
* Renamed reporter to json-automate and added in comments.
Signed-off-by: Jared Quick <jquick@chef.io>
* Error cleanly if a reporter error while rendering.
* Add functional test for automate reporter.
* Remove authors.
Signed-off-by: Jared Quick <jquick@chef.io>
to set_skip_rule could be a boolean, or a message. Now value should
always be a boolean, and if a message is needed one can be passed and
will be set.
Allow only_if to take a message during control_eval DSL.
Add test for only_if(message).
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add --vendor-cache flag for archive, check, and json commands.
* Remove unused ignore_supports flag for Inspec::Runner.
This flag was only set in two code paths that did not call
Inspec::Runner so setting it did not have any effect.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
* Provide a json_merge report used by A2 that merges all child profiles.
Signed-off-by: Jared Quick <jquick@chef.io>
* Merge profile controls from child up until we find something usable.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add testng for json_merged report.
Signed-off-by: Jared Quick <jquick@chef.io>
* Push the profile population to be later in the report.
Signed-off-by: Jared Quick <jquick@chef.io>
* Since /proc/xen is an empty dir in Amazon Linux, inspec falsely detects docker instances as platform='xen'
* Remove unnecessary rubocop comment
Signed-off-by: Bill ONeill <woneill@pobox.com>
* windows_feature resource: Add DISM support
This modifies the `windows_feature` resource to fallback to DISM when
the `Get-WindowsFeature` command is not available.
* Allow specifying `:dism` or `:powershell`
* Replace stacktrace with smaller error message
* Add notes/todo about raise behavior
* Remove duplicated platform check
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* cli: Downcase supermarket tool name to match URL
This downcases the user provided tool name. Without this fetching the
profile will fail because the Supermarket API downcases in the URL.
* Add another downcase
* Add handling for `supermarket://owner_but_no_name`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Constrain RuboCop disables to single method
* Add comment to Alpine package command
* Use single quotes for Alpine package command
* Change `it` statement to be readable
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Raise with the stderr from `git ls-remote` if stderr is not empty.
This is useful when inspec runs in CI and you do not have direct control/troublshooting options.
Signed-off-by: James Stocks <jstocks@chef.io>
Context:
When testing a Windows registry key with a period character in it e.g. `explorer.exe` it is not possible to use `its("explorer.exe")` because the period would be interpreted as method chaining.
In this case, you must instead use `its(["explorer", "exe"])`
See https://github.com/inspec/inspec/issues/1281
This commit fixes `to_ruby`in `Inspec::Describe` so that it produces an array in the generated Inspec code instead of a string.
Signed-off-by: James Stocks <jstocks@chef.io>
* Use fail_resource rather than skip_resource when the platform is not
supported by the resource.
* Update tests to handle failing on unsupported platforms.
Update functional tests.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Refactor 'inspec init profile' into a reusable component.
base_cli.rb had several methods used internally, these are exposed so
lib/bundles/inspec-init/profile.rb can act as a library for anything
that needs to create new Inspec profiles programatically
* Move output methods to be public instance methods; and make Init::Profile into a working renderer. Functional tests pass but could use some refactoring to be easier to use.
* Refactor, renaming vars to be clearer
* Move puts and exit calls into basecli
* Add comment about simplified ERB rendering in ruby 2.5.0+
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Functional tests for regex control selection
* Implementation for regex-based control filtering
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
profile name. eg "with/slash" would result in a profile created in the
"with" directory named "slash"
Add test for inspec init, and updated other for new output.
Clean up profiles created during testing and place them in temporary
directories.
Describe our test a bit better.
Check that the profile was created in the right location.
Check that the profile is named correctly.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Updating inspec with bastion options as per https://github.com/inspec/train/pull/310
* Updating train pin
* Adding --password to pass the test
* Revert "Updating train pin"
* PR changes
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
* Add long description to inspec exec command, mentioning exit codes
* Modify website doc builder code to use long description if available
* Functional test for --distinct-exit flag
* Implement --distinct-exit option
* Inspec shell also needs the option
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Search and replace filtertable methods to use new names, and rely on automatic methods
* Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher
* Revert removing exists? - we'll do it on a separate PR
* Gah, didn't save before resolving conflict
* Add back name column on aws cloudtrail trails
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* apache_conf resource: Strip quotes from values
* Update regex to capture all vars between quotes
* Change `x` and `y` to proper variable names
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Do not load AWS resources if SDK version mismatches
* Detect if we are running ins inspec-core mode, and do not attempt loading AWS or Azure if so.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Fix the control merging issues when overriding child controls.
* Fix rubocop issue and vendor compression.
* Add in lock file for vendor profile
Signed-off-by: Jared Quick <jquick@chef.io>
* Add insecure option to the automate report json.
* Add in automate and compliance json documentation.
* Fix typo.
Signed-off-by: Jared Quick <jquick@chef.io>
* Un-deprecate plural properties on shadow; deprecate the singular versions
* Update filtertable interface to current
* A weak attempt at making the docs coherent
* Doc feedback per Jerry
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
This translates the output of `auditctl -s` on RHEL to match CentOS.
This is based on the details from issue #3113. I could not find a test
box that would give me the output to match what was reported.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* set port default to nil, introduce local_mode
* raise instead of warning
* restore default port, allow explicit nil
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
* Adding YAML reporter
* Updating yaml o/p
* Removing comment
* Adding UT for YAML reporter, adding missing reporters
* This PR takes care of the following:
- Fixes the YAML reporter UT
- Adds the report method to YAML reporter to support code example as in #3085
- Disables the cyclomatic complexity Metric for reporter
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
* implement members property
* flatten groups entry, extract flatten helper
* lints
* more idiomatic spec, add example of members testing
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
* Add integration and unit tests for aws_ec2_instances
* Basic docs for aws_ec2_instances
* Add basic aws_ec2_instances resource
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Split inspec into a core gem.
* Include inspec-core.gemspec, not inspec.gemspec.
* Only load aws and azure when the gems are installed.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add check if aws s3 bucket is encrypted.
Required terraform aws provider >= 1.6
Fix indentation issue in aws_s3_bucket.rb
* Implement most changes recommended by @TrevorBramble, and refactored other methods to align with recommendations (except Terraform nitpick; preference is to keep coding style consistent until full refactor).
Signed-off-by: Jeremy Phillips <github@uranusbytes.com>
* nginx_conf resource: Fix include paths with quotes
* Move quote removal to `NginxParser`
* Add parsers/tests for quotes in quotes
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Update tests and docs to assume one recorder per region
* Config recorder supports singleton fetch
* Docs and tests for singleton mode delivery_channel
* Implementation for singleton delivery channel, and some other code cleanup
* Implement some feedback, and fix a bug in traversing the struct in looking for empty results
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Bug replication tests, unit and integration
* Fixes statement_count
* Fixes statement_count and have_statement
* rubocop trim whitespace
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add IOS transport and `enable_password` support
* Remove Cisco IOS connection swap (moving to Train)
* Pin to Train 1.4.0
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Bug Fix#2865
* Defining an attribute without a default value generates a stacktrace
* Fix string quotes
* Moved logic out of the initilize method.
* Refactoring for better clarity.
* Fixing trailing white spaces
Signed-off-by: Omar J Irizarry <irizarry_omar_j@network.lilly.com>
* Update singular implementation to avoid use of inner object
* Update docs and tests for 3 new filters and properties on aws_vpcs
* Implement new filters and properties; one failing test due to odd FilterTable behavior
* changes to avoid bug 2929
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add tests for method chained shadow resource with readable and
unreadable shadow files.
Ensure @params always has a safe value, otherwise we may stacktrace when
unable to read /etc/shadow and invoked with method chaining.
* Wrap deprecation notices with a proc/must_output to clean up test
output.
Added some missing newlines.
Catch deprecation notice on `lines`.
* Resolve the majority of the issues pointed out by @tbramble.
Deprecate `lines`; its really only used internally but it was 'exposed'
through tests and who knows if there is external use. `lines` is not
documented as a property at least..
`#set_params` is much better now =)
Signed-off-by: Miah Johnson <miah@chia-pet.org>
When the anonymous DEFAULT_ATTRIBUTE class is used, log a warning.
We now pass in the attribute name to that class so it can be used in the
log message.
Signed-off-by: Trevor Bramble <tbramble@chef.io>
Provides low-, and mid-level properties and matchers for examining rules on aws_security_group.
* Second draft of docs for SG rules interface; need to clarify semantics of reject
* First cut at unit tests
* Cleanup test fixtures
* Implementation for allow, with plausible unit tests
* Doc updates based on reality
* Add integration tests; move allow to allow_ / out; several docs updates
* Add be_open_to_the_world and be_open_to_the_world_on_port
* Update docs to reflect adding allow_only
* Update docs to reflect use of position to allow multiple rules with 'only'
* Implement allow_only with unit tests; still need integration tests
* Add integration tests for allow_only
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* * Adds new property to test how many days ago the CloudTrail delivered logs to the CloudWatch Logs.
* * Changes query for selected cloud trail in unit test
* Changes uses Time.now explicitly instead of making a variable in the unit test
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Adds new property to test the users in an aws_iam_group
* Adds terraform code to add the recall_hit user to the administrator group
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Initial commit of skeletal resource aws_route_tables
* Fixes issues with documentation
* Renames route table terraform resources to be more conventional
* Removes tags terraform resources
* Changes aws_route_table and aws_route_tables integration tests to use new terraform names
* Removes unneeded data given in unit tests
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>