* Add AWS hardware MFA matcher
Adding a hardware as well as a virtual MFA matcher for aws_iam_root_user
resource
* Add New AWS Root Matcher Docs
- Add documentation for new root MFA matchers
- Fix logic for checking MFA devices from feedback on PR
* Add Integration tests for MFA matchers
- Add integration tests for virtual and hardware MFA matchers
- Clean up logic for has_virtual_mfa_enabled? method
Signed-off-by: Paul Welch <pwelch@chef.io>
* Add python check for pip resource
When checking pip resources, we should skip resource if python is not
installed or we will fail with an error when trying to parse the path.
* Check pip command on windows
On Windows, if pip has a newer version available, it adds an error
message to stderr. Now checking if both stderr and stdout on windows
have values. If so, assume pip package is installed.
* Clean up powershell query command
- Make it easier to read what the powershell command is doing
- Make it easier to read what the cmd_successful method lokos for
Signed-off-by: Paul Welch <pwelch@chef.io>
Without the terminating character ($), it just accepted any characters
at all after the initial matching set.
Also add some tests to assure we're raising appropriately.
Co-authored-by: Trevor Bramble <tbramble@chef.io>
Co-authored-by: Joshua Padgett <jpadgett@chef.io>
Signed-off-by: Trevor Bramble <tbramble@chef.io>
This adds `powershell` resource support for non-Windows OSs via `pwsh`
and Base64 encoded commands.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Mitigate trivial warning on test by initializing
Also fixes passing a ambiguous argument.
* Mitigate trivial warning by removing redundant method
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Initial commit of skeletal resource aws_kms_key
* * Adds comments to rerun travis
* * Clarifies some parts of the doc.
* Changes matcher have_aws_key_manager to manged_by_aws
* Fixes copypasta
* Adds clarification to property names
* Fixes rescueing exceptions from the api
* raises exceptions in the unit tests
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Clean up test data, correct parse error handling
* Use functional pipeline to avoid need for conditional clauses and clarify the intent of the comment parsing.
* Extract magic strings to constants
* Remove code and tests now covered by FileReader
Co-authored-by: Trevor Bramble <tbramble@chef.io>
Co-authored-by: Paul Welch <pwelch@chef.io>
Signed-off-by: Trevor Bramble <tbramble@chef.io>
* Initial commit of skeletal resource aws_sns_topics
* Adds clarification in documentation
* Adds functionality for calling the next token returned from aws api.
* Wraps api calls in the catch_aws_errs method
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Create file-check functionality into utility file
There are the similar issues as PR #2302. Almost resources return false
positives when a file does not exist or is not read.
* Replace to file-check functionality
* Fix dh_params and x509_certificate resources
If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have
raised an exception and have skipped the inspection. Thus x509_certificate
and dh_params resources are not allowed to read a empty file.
* to_s of shadow expects filters is not nil
* Remove workaround of sshd_config
Removes the workaround of sshd_config since Travis CI fails due to a bug
of dev-sec/ssh-baseline and the PR #100 will fix it.
* Use init block variable in methods
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Initial commit of new resource
* Makes changes to docs to match changes to the resources.
* Adds clarifications in docs and changes it to be an erb file.
* Simplifies some unit tests
* Wraps calls to the api in a aws_catch_errors method
* Removes provisioner terraform code
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
When testing on a filesystem used for a long time or built on a small
sized partition, the actual file order may be different from the
expected file order as below:
1) Failure:
inspec keyword::inspec.profile.files#test_0002_lists all profile files when calling #files [/work/git/inspec/test/unit/dsl/other_keywords_test.rb:50]:
--- expected
+++ actual
@@ -1 +1 @@
-["a_sub_dir/sub_items.conf", "items.conf"]
+["items.conf", "a_sub_dir/sub_items.conf"]
2) Failure:
SourceReaders::InspecReader::with a valid profile#test_0005_retrieves all extra files [/work/git/inspec/test/unit/source_readers/inspec_test.rb:39]:
--- expected
+++ actual
@@ -1 +1 @@
-["files/a_sub_dir/sub_items.conf", "files/items.conf"]
+["files/items.conf", "files/a_sub_dir/sub_items.conf"]
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Modify version constraints to be an Array
This will allow both old and new versions of InSpec to parse the
`inspec.lock` correctly.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* quote password when generating mysql command string
* added a test for mysql_session, added shellwords escaping to mysql_session resource
* changed the name of the escape method
* clarified test conditions
Signed-off-by: Tom Hodder <tom@limepepper.co.uk>
shadow file.
After much thought the deprecations from #2642 were for the wrong methods.
Plural method names feel much more natural when working with this
resource because you can have more than a single result.
Consider a match like `shadow.user(/^www/)`, this could return multiple
users, so `shadow.users` feels more natural here.
The problem is that the fields we're matching in the shadow file itself
are singular. Each entry is for a user, which has a password, and some
other fields. A user never has `passwords` in the shadow file, only a
`password`.
This is made more obvious when you use the `filter` method.
When we use this filter: `shadow.filter(min_days: 20, max_days: 30)` we
are matching fields in the shadow file and not using our matcher
methods. This means that if there is a discrepancy between our matcher
methods, and the shadow fields the user could end up confused. Like I did =)
This PR changes:
Changed matchers to match shadow fields.
Updated documentation to reflect changes.
Updated tests to reflect changes.
Re-add `filter` method, and add a test for it.
Renamed variable for FilterTable to be less confusing.
Renamed query argument for methods to be consistent.
Cleanup docs based on comments from @jerryaldrichiii
Make Rubocop happy <3
Signed-off-by: Miah Johnson <miah@chia-pet.org>
Removes skip_resource and raise .. if InSpec.os stuff from initialize as this is covered by platform support.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Change shadow resource to use FilterTable rather than custom filter
implementation.
Add tests for singluar aliased methods and other minor changes to work
with FilterTable output.
Coverage is at 100%
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* merge master
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add support to use bash in host resource
Netcat's presence is widely regarded as a security issue, and thus not
always available. This solution first tries to use bash builtins and
timeout (from coreutils), so is less likely to require installing
additional packages.
* Darwin UDP support in host resource
* Host: use netcat first if available
Signed-off-by: João Vale <jpvale@gmail.com>
* Fix aws-iam-users pagination
PROBLEM: aws-iam-users resource only retrieves 100 records due to pagination
in the AWS IAM list_users function.
FIX: Iterate over all the pages using the AWS pagination variables `marker`
and `is_truncated`
Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
* Move instance variable to avoid `NoMethodError`
Methods for `role` and `system` properties are dynamically generated and
return values from the `@virtualization_data` Mash. Therefor, we must
ensure `@virtualization_data` exists before calling these methods.
* Move supports logic to `supports platform: linux`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Initial commit of new resource
* Removes deprecated matcher in example
* Adds a new terraform file for config resources
* Fixes and clarifies documentation
* Wraps calls to api in catch_aws_errors method
* Changes the names of two matchers
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* package resource: Fix `brew` package detection
This allows for package detection via `brew` to handle cases where a
particular package formula exists but is not installed.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fixes the deprecation warning text for report and output.
Remove an extra 'is being' from the 'is being is being'
Signed-off-by: Franklin Webber <franklin@chef.io>
* Fix legacy reporter output.
Signed-off-by: Jared Quick <jquick@chef.io>
* Wrap test in a proc to catch warnings.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add output deprecation.
Signed-off-by: Jared Quick <jquick@chef.io>
* Formatter and reporter refactor.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add exception and backtrace to json-min report.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add sha to json-min and include generator version for json profile.
Signed-off-by: Jared Quick <jquick@chef.io>
* Fix deprecated typo and add fallback for cli resource title.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update to build json report and clean up cli logic.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add tests for json reporter.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add cli suppress_log_output? and a fallback for invalid reporter type.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update suppress_log_output? to check if we are outputting to stdout.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update reporter cli optoins to work with json_config.
Signed-off-by: Jared Quick <jquick@chef.io>
* Refactor some safe-navigation and variable names.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add thor banner to show reporter file output syntax.
Signed-off-by: Jared Quick <jquick@chef.io>
