Calling the `digest` library directly unfortunately causes issues in FIPS 140-2 mode:
sha512.c(81): OpenSSL internal error, assertion failed: Low level API call to digest SHA512 forbidden in FIPS mode!
Switching to `OpenSSL` as the caller resolve these issues
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
In #1820 we made it so inspec would install the checked out source
version rather than the version from RubyGems.
This actually didn't work (though it wasn't apparent in a development
environment) because it used a relative path to bin/inspec that pointed
at /src/bin/inspec, which only exists if you're in a Habitat studio
started from the InSpec repo.
Revert back to getting the gem from RubyGems to avoid this problem and
have a working package.
Signed-off-by: Nathan L Smith <smith@chef.io>
A change made to how we generate the Gemfile during the Habitat build process
means we cannot have the PLAN_CONTEXT be the "habitat" directory but instead
need it to be the repo root itself.
Also changed to the preferred `hab pkg build` command instead of the original
`hab studio build` command.
Signed-off-by: Adam Leff <adam@leff.co>
When running `inspec exec` without the `target` option but against remote endpoints OR when executing it with the `localhost://` target AND having `--sudo` active it would abort the execution. `--target` is a helper to set the Train parameters for `backend`, `host`, `user`, `port`, and potentially `password`. The detection would fail on providing any of these separately without specifying `--target`. The same holds true for the `localhost` train backend or just `localhost://` target.
This type of detection has since moved to Train. The driving reason was to have this very useful check for localhost vs sudo run for any type of inspec (or for that matter: train) execution.
This PR depends on https://github.com/chef/train/pull/179 and the next release of train.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Unsupported operating systems AND the mockloader when using inspec analysis tools may lead to powershell being called with the command being `nil`, because the resource skips during the initialize phase. Instead, propagate an empty string so that `command` has a valid input and then skip the resource.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Non-url URIs may have lead to broader crashes than initially fixed. Overwrite all URL resolvers in the plugin to work with these non-schema URLs.
Fixes#1473
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
The docs Rake task requires classes defined in the "shared"
Rake tasks file. However, only the www Rakefile includes the
"shared" tasks file.
Since the "docs" Rake task is what needs it, I'm adding a require
there to ensure it works from outside the www directory.
Signed-off-by: Adam Leff <adam@leff.co>
These are kind of all over the place, but should improve things:
* Use the new `pkg_version` mechanism to set the version, and fail if
the VERSION file is not present
* Use inspec.io for the upstream url
* Remove pkg_source and it's associated callbacks; they aren't required
any more
* Alphabetize the deps list
* Remove duplicate coreutils from build deps
* Move environment variable setting to `do_prepare`
* Delete all binstubs in bin that aren't inspec
* Put the generated Gemfile in $CACHE_PATH so it doesn't stomp on the
developer's Gemfile
* Insert the SSL_CERT_FILE env var in the binstub (Fixes#1582)
* Use install instead of cp to drop off Gemfile.lock
* Build using `path: '$SRC_PATH'` instead of `'= $pkg_version'` in the Gemfile
* Disable `do_strip` to decrease build time and because we don't need it
Works for me on Habitat 0.23.
Since all the "building" is done now in `do_install`, it would be
possible to define a `do_check` that runs `inspec exec` on profiles to
verify inspec is working by running inspec.
Signed-off-by: Nathan L Smith <smith@chef.io>
Due to habitat-sh/habitat#2395, we shouldn't try to log stderr output
to a file for now. While this makes for a less-than-awesome UX, it's
better than a process locking up due to a buffer filling up!
This change redirects stderr from InSpec to stdout and adds some
helpful troubleshooting messages. Should InSpec be able to generate
unique exit codes for when controls fail (vs. a Ruby eval failure)
then we can fix this up some more, too.
Signed-off-by: Adam Leff <adam@leff.co>
The `interface` resource currently refers to methods that don't
yet exist. Fixing the docs for now and will add the features
later.
Signed-off-by: Adam Leff <adam@leff.co>
When attempting to parse the profile out of the target URL, we
were not raising an exception if we failed to do so. Such a situation
could arise if a user's inspec config.json is incorrect either due to
manual editing or failure to re-login after an upgrade past Automate
0.8.0.
This change provides a clear exception if this occurs and also adds
tests for the compliance_profile_name method.
Signed-off-by: Adam Leff <adam@leff.co>
Postgres configuration doesnt always include absolute paths. When using relative paths it will fail!
Also: We treat the include as either a string or an array; when the first condition succeeds and you get a string and the second fails you get a array => ruby tries to add a string with an array and fails. This is now fixed as well.
Fixes: https://github.com/chef/inspec/issues/1780
Fixes: https://github.com/chef/inspec/issues/1738
Signed-off-by: Aaron Lippold <lippold@gmail.com>