* Add non-halting exception support to resources
This adds two `Inspec::Exceptions` that can be used within resources to
either skip or fail a test without halting execution.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
`curl` expects a valid header per RFC 2616 when using the
`-H`/`--header` option. RFC 2616 declares header field/values
should be separated using a colon (`:`):
https://tools.ietf.org/html/rfc2616#section-4.2
Signed-off-by: Seth Chisamore <schisamo@chef.io>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Device-/Sharenames and Mountpoints on Linux may include whitespaces (\040), e.g. /etc/fstab entry like:
```//fileserver.corp.internal/Research\040&\040Development /mnt/Research\040&\040Development cifs OTHER_OPTS```
... results in a mount line like:
```//fileserver.corp.internal/Research & Development on /mnt/Research & Development type cifs (OTHER_OPTS)```
The Linux mount command replaces \040 with whitspace automatically, so this should be tributed.
I used a control like this:
```
describe mount('/mnt/Research & Development') do
it { should be_mounted }
its('device') { should eq '//fileserver.corp.internal/Research & Development' }
end
```
Before:
```
× whitespaces-1: Mount with whitespace within sharename and mountpoint. (1 failed)
✔ Mount /mnt/Research & Development should be mounted
× Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
expected: "//fileserver.corp.internal/Research & Development"
got: "//fileserver.corp.internal/Research"
(compared using ==)
```
After:
```
✔ whitespaces-01: Mount with whitespace within sharename and mountpoint.
✔ Mount /mnt/Research & Development should be mounted
✔ Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
```
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mounts_with_whitespaces: make lint happy
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: added parentheses as suggested by https://github.com/chef/inspec/pull/2257/files
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* Merge `login` and `login_automate` commands
This provides a single interface for logging into either Chef Automate
or Chef Compliance servers. Server type is evaluated at run time via
HTTP responses from designated endpoints.
This also moves the login logic from `Compliance::ComplianceCLI` to a
separate set of modules in `Compliance::API`. This removes logic from
Thor and allows for more in depth Unit testing.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove empty line below class definition
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add message to `raise CannotDetermineServerType`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Refactor `token_info` assignment
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove unnecessary rubocop disable
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `Login` module namespacing
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove mentions of login_automate and --usertoken
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `determine_server_type` to return a symbol
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add support for `login_automate` and `--usertoken`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fix encoding typo
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Address PR feedback
This does the following:
- Moves `CannotDetermineServerType` error to `.login`
- Changes methods that store configuration to return the configuration
- Moves user output to one location in `.login`
- Makes other small improvements
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Added CRAN resource to check R modules
control 'cran-1' do
impact 1.0
desc '
Ensure R module DBI is installed.
'
describe cpan('DBI') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cran resource: made lint happy, added negative unit test, removed unused arg perl_lib_path
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* Added CPAN resource to check Perl modules
control 'cpan-1' do
impact 1.0
desc '
Ensure Perl modules DBI and DBD::Pg are installed.
'
describe cpan('DBI') do
it { should be_installed }
end
describe cpan('DBD::Pg') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cpan resource: fixed unit test for non-installed module
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* new resource: elasticsearch resource, test cluster/node state
This is a new resource for testing an Elasticsearch cluster. It operates
by fetching the `_nodes` endpoint from a given Elasticsearch node and
collects data about each node in a cluster, even if there's only a
single node.
This work is based on inspiration from an initial PR #1956 submitted by
@rx294.
Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Adam Leff <adam@leff.co>
* Reduce mock data on non-default tests
Signed-off-by: Adam Leff <adam@leff.co>
* Adds alias for 'ListDirectory' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Works with Ruby array of permissions as long as possible
Converts to PowerShell array just before use.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Abstracts user-provided permissions to router method
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds FullControl as a specifiable permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds specific permission 'modify'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes#1743
Limits Windows' broad "read" permission to if it can read all of the
above, instead of just the first:
- File contents
- File attributes
- File extended attributes
- File permissions
This better aligns with how Windows names the permissions.
'read' -> Read instead of 'read' -> ReadData
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* 'Execute' Windows ACL has alias of 'Traverse'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds 'Delete' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds `should allow('perm').by_user('me')` matcher
Provides hooks for later use with Windows ACL matching
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds remaining Windows ACL hooks
Skips ReadAndExecute on intentionally since it just aliases the combo of
2 permissions into one new one.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* [Rubocop] Reduces ABC / Cyclomatic complexity
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Reduces global scope with `allows()` -> `be_allowed()`
RSpec inferred matchers work nicely here. This changes the `by_user()`
and `by()` chained matchers to just be an options hash on the underlying
`allowed?()` method.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes integration tests with rename `allows()` -> `be_allowed()`
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fix `only_if` behavior when used outside controls
This renames `@skip_profile` to `@skip_file` and modifies the scope of
`only_if` (used outside of a control) to only apply to the control file
that contains it instead of the entire profile.
This does this by exposing `@skip_file` from the control context so that
it can be set back to `false` between loading control files in the
profile context.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `get_checks` to accept a rule index
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `only_if` to work regardless of location
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Disable Cyclomatic/Perceived Complexity in Rubocop
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add comment for `skip_file` in `load_control_file`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Support PAX-formatted tar files, standardize file lists
When a tar file is generated in PAX format, the files have an additional
relative path prefix added to them. For example, instead of:
inspec.yml
... the file is listed as:
./inspec.yml
And the source reader plugin looks only for a "inspec.yml" file to
determine the profile format.
This change addresses this issue by normalizing the file paths in the
TarReader and accounting for the additional "./" prefix that may exist
whenever the tar file is walked looking for a file to read its content.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove pax from unit test, will move to functional
Signed-off-by: Adam Leff <adam@leff.co>
* Add function test for the pax header tar file
Signed-off-by: Adam Leff <adam@leff.co>
* Uses netstat to detect open ports on AIX
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Adds unit tests for AIX port resource
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Move raise condition for host into enabled method
This is related to #1205. This will fix the ssl resource for now until
we redo the exceptions. Still looking around the code and need to build
some unit tests for the ssl resource.
My fix here is to move the raise condition till later in the flow,
specifically the enabled? method. This lets the raise get caught
accordingly without killing the other tests.
Signed-off-by: Jared Quick <jquick@chef.io>
* Remove authors from ssl resource test
Signed-off-by: Jared Quick <jquick@chef.io>
This change enhances the processes resource to support the busybox
ps command which is common on Alpine, for example. The way we
map ps fields to the structs needed by FilterTable have also been
refactored to be more flexible so we can support multiple formats
in the future.
Also, the processes resource now allows the grep argument to be optional
thus allowing a user to query all resources without passing in a
match-all regex.
Signed-off-by: Adam Leff <adam@leff.co>
As detected in #2036, it is not possible to extract values from
a YAML file if the key is a symbol. This change refactors ObjectTraverser
to support symbol keys before attempting to stringify them.
Signed-off-by: Adam Leff <adam@leff.co>
* Add nil check for sshd config file
This fixes#1778. There was a issue where if the user did not have read
permissions on /etc/ssh/sshd_config it would error out on the empty?
check. The fix here is to also look for nil on the file content. Along
with this I refactored the inspec file empty? check as it does not exist
and was also erroring during my testing.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add emptyfile test object and refactor tests
Signed-off-by: Jared Quick <jquick@chef.io>
Currently, the http resource always executes locally, even when scanning
a remote machine with `--target` which leads to undesireable behavior.
This change adds the ability to remotely execute tests with curl. This
behavior is currently opt-in with the `enable_remote_worker` flag, but
will become the default behavior in InSpec 2.0. Deprecation warnings
are emitted if the user is scanning a remote target but has not opted
in to the new behavior.
Signed-off-by: Adam Leff <adam@leff.co>
* Added output for port/protocol for host resource.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with explicit return
This fixes#2085. Port and protocol are now shown in output of the host
resource if defined.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with string building return
Signed-off-by: Jared Quick <jquick@chef.io>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resourec - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications made
* installed? method now tells by checking if firewall-cmd is a command on the system
* The firewalld_command method now strips the stdout of the return
* added another test for testing multiple active zones
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing rake lint issue
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing match and returning boolean for seeing if firewalld is running
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing lint issues
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Empty commit to rerun. Accidentally updated branch.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Rerunning test, accidentally updated branch. needs sign off commit
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Add hotfix resource for Windows
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Renamed hotfix to windows_hotfix
Added additional unit test checking for KB that is not present on a box
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Integration test to spot-check for hotfixes
Queries the Windows operating system via Powershell for a list of all
installed hotfixes and spot-checks every 10th one with the
windows_hotfix resource. Checking hundreds is time-consuming. Also
checks to ensure a non-installed hotfix is not present.
Signed-off-by: Matt Ray <matthewhray@gmail.com>
Wildcards are evaluated prior to applying `sudo` permissions. This
means that running `sudo find /some/path/*.conf` will fail if the user
does not have read permissions on `/some/path/` because the wildcard
cannot expand before `sudo` is applied and `*.conf` isn't a file.
The solution for this is to run the command in a subshell that has the
proper permissions (e.g. `sudo sh -c 'find /some/path/*.conf'`).
This modifies `Utils::FindFiles` to use a subshell thus allowing
wildcard support.
This fixes#2157
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This modifies `Inspec::DirProvider` to allow special characters in the
file glob by escaping those characters via `Shellwords.shellescape`.
This fixes#2111 (`inspec check` on path with special characters)
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* forgiving default attributes
When default attributes arent specified provide one that is much more forgiving.
See this https://github.com/chef/inspec/issues/2176
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This modifies the enabled check for the `service` resource to use the
service's config file instead of `initctl show-config`.
`initctl show-config` does not accurately show the state of a service if
that service's config file is modified while the service is running.
This fixes#1834.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
The logic in `Inspec::Attribute` prohibited the use of `false` (FalseClass) as
a valid attribute. If the attribute value supplied was `false`, then it would fall
back to the default value.
This change properly allows the use of `false` as a value, adds the initial tests
for Inspec::Attribute, and also uses better attr_writer semantics for writing/storing
the value.
Signed-off-by: Adam Leff <adam@leff.co>
Users cannot query for registry keys that have periods in them because of
how rspec-its works. This change enables Array-style syntax for the
registry_key resource so users can use that as a workaround.
Signed-off-by: Adam Leff <adam@leff.co>
* Added auditd resource and documentation.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Removed all legacy code for audit < 2.3. Removed parens to create consistency.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated method names and removed unnecessary content based on review
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Add wildcard/multiple server support to nginx_conf
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* separate the merge function for maps in nginx_conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Support profile versions for automate profiles storage
Signed-off-by: Alex Pop <apop@chef.io>
* Add unit tests for inspec-compliance bundle
Signed-off-by: Alex Pop <apop@chef.io>
* Refactor target_url method, fix tests, fix rubocop errors
Signed-off-by: Adam Leff <adam@leff.co>
* package resource: assume a default Homebrew path
Homebrew's `brew` script is installed to /usr/local/bin by default which
is usually not in a non-interactive PATH. We will now first check to see
if `brew` is in PATH, and if not, assume a default of `/usr/local/bin/brew`
Signed-off-by: Adam Leff <adam@leff.co>
* Ignore linked container names when parsing docker containers
If a container is linked to another container, the normal `docker ps` output
does not include this information. However, when pulling the `.Names` field
with `docker ps --format`, the linked container is listed in the name. This
is confusing for users trying to use InSpec to audit a container.
This change strips any linked container names from the actual container name.
Signed-off-by: Adam Leff <adam@leff.co>
* Linked container names aren't guaranteed to be last depending on how they were linked
Signed-off-by: Adam Leff <adam@leff.co>
* Adding support for fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to docs of new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* wip: extend nginx_conf for http+servers+locations
... well `http` entries really, but we couldnt just call it `https`.
the goal is to `nginx_conf.http` / `nginx_conf.servers` / `nginx_conf.locations` and then also have these calls cascaded down to simplify the access to these fields. the current pattern is rather tedious since we need to check for nil everywhere.
* add test for new nginx accessors
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add docs for nginx-conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* fix all incorrect NGINX spellings in docs
* prevent edge-cases where nginx params are nil
for location, http, and servers
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* more descriptive to_s for nginx servers
as suggested by @adamleff, thank you!
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add more descriptive to_s for nginx location
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Remove test/resources directory, update README
The test/resources directory is stale and no longer used. Rather, we
favor Test Kitchen-backed integration tests in test/integration.
This change removes the stale tests and updates the README accordingly.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove resources tests from travis
Signed-off-by: Adam Leff <adam@leff.co>
* Modify linux regular expression to handle process names with spaces
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Add mocks, tests, etc.
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* TDD Red for setgid/setuid/sticky File matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add documentation for file resource sgid, sticky, and suid matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add matchers to File for setgid, setuid, and sticky by aliasing existing predicates; TDD green
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop prefers alias to alias_method.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Lint before pushing, of course
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Correct spelling of setgid and setuid matchers in docs
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add be_setgid, be_setuid, be_sticky matcher integration tests for File.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here."
This reverts commit 42e672f3b1.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "TDD Red for setgid/setuid/sticky File matchers"
This reverts commit a4f891fc7e.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add support for XML files
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* Use REXML instead of nokogiri
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* port resource: support ss instead of netstat
`netstat` is officially deprecated and is replaced with `ss`. This PR
changes the port resource to use `ss` if it's available on the target
system.
Signed-off-by: Adam Leff <adam@leff.co>
* Disable Metrics/ClassLength cop on the LinuxPorts class
Signed-off-by: Adam Leff <adam@leff.co>
* Update pip resource for #516 allow user to set path to pip executable
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* support virtualenv path, pip file exec and better logic
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* add tests for the change to the pip path and resource
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* tests are case sensitive, although command line is not
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use a path verification method instead of a class method
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use guard clauses instead of conditionals
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* change the control flow to return nil when commands are not available
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* fix the return values when custom pip path is not valid
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* Refactor pip path detection to fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>
* Support mixed-case group entries
The `group` resource downcased the input parameter unless the target
was a Windows node. However, it's completely legitimate for a Unix-y
node to have mixed case group and passwd entries.
This change does have the potential to break people that did not carefully
match their case when searching for a group, but we're currently blocking
people from using the group resource properly if they have mixed-case
entries.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>