Commit graph

759 commits

Author SHA1 Message Date
Adam Leff
a21bdc4a04 Handle parse errors for attrs/secrets
Inspired by #1640, this change cleans up the logic used when
reading in secrets files, provides clearer warnings when the
secrets files can't be parsed, and adds tests for those methods.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-09 13:44:33 +02:00
Dominik Richter
00682eb2d2 Merge pull request #1751 from nsdavidson/add-oracle-session
Add an oracle_session resource
2017-05-09 13:21:53 +02:00
Dominik Richter
bac360475f bugfix: dev-sec/ssl-benchmark -> ssl-baseline
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-09 10:58:07 +02:00
Nolan Davidson
ba6745444e Renaming oracle_session to oracledb_session
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
2017-05-05 13:11:07 -04:00
Nolan Davidson
fbe7b8ddf8 Refactor to options hash and add unit tests
Switched the oracle_session resource to take an option hash and allow
for configuring hostname, DB_SID, and sqlplus binary path.

Added unit tests.

Signed-off-by: Nolan Davidson <ndavidson@chef.io>
2017-05-05 09:29:38 -04:00
Dominik Richter
5d1765c9bb add inspec.profile.file(...) for profile files
Fixes https://github.com/chef/inspec/issues/1396

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-05-03 20:39:27 +02:00
Adam Leff
04c43c6834
Make the --no-color flag work for inspec exec
The CLI formatter is not currently honoring the --no-color flag
when outputting CLI output. This change cleans up how we format
with color and properly support the flag for use cases where
color-encoding characters make the output difficult to use
(i.e. when someone redirects CLI output to a text file for
sharing with others).

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-02 09:52:01 -05:00
Adam Leff
6ed5379134 Error and exit when using --sudo locally
Running `inspec exec` with --sudo locally produces unintended results
given that we cannot escalate local Ruby methods after we're already
running. --sudo is meant to only be used with remote targets. We do
not currently enforce that.

This change will print an error for the user if they attempt to use
--sudo with a local exec and exit non-zero.

Signed-off-by: Adam Leff <adam@leff.co>
2017-05-02 12:41:02 +02:00
Adam Leff
a1769cc01b
Update inspec.io references in docs/code
The website is now at https://www.inspec.io - updating all inspec.io
references accordingly. :)

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-27 18:05:51 -04:00
Adam Leff
42797b4231 Add matchers help to shell, clean up help output
A new `help matchers` command will provide helpful examples on a few
of the standard matchers: be, cmp, include, etc.

I also cleaned up the formatting of the resources list and provided
better feedback if a user requests help for an unknown resource.

Resolves #1684

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-27 01:16:39 +02:00
Dominik Richter
1dafe50bd9 rename SimpleConfig / parse_config / parse_config_file options
See https://github.com/chef/inspec/issues/1709
Fixes https://github.com/chef/inspec/issues/1709

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-26 23:18:40 +02:00
Dominik Richter
8e5fbb9e02 provide inspec.version information
as a friendly shortcut and a native call within profiles

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-26 13:07:32 +02:00
Dominik Richter
8b7ef09f85 provide the inspec keyword
Instead of my favorite shortcut of `os.inspec` just finally add it as a global keyword.

Preparation for https://github.com/chef/inspec/issues/1396

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-26 12:30:31 +02:00
Dominik Richter
50e1c76fce print and prettyprint the inspec backend class
This is always bothersome when debugging code and drilling down objects, since it will just a return a two-layer anonymous class with no help at all.
Instead print a nice name and even give a bit of information on pretty-printing (which pry does naturally)

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-26 12:04:01 +02:00
Dominik Richter
c5101e5ef0 pretty-print multiline control descriptions
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-25 17:12:30 +02:00
Dominik Richter
37a2e45cd1 bugfix: unindent description misbehaviors
Unindent has been misbehaving for control `desc`riptions by completely removing newlines. This is now fixed and the unindentation mechanism improved to behave as expected.

Removing empty lines at the beginning and end of string remains unchanged.
Tabs are not treated as multi-space indentations; supporting them as 8-space chars would require additional effort (please comment if this is important to you)

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-25 13:21:38 +02:00
Dominik Richter
37a778173d inspec control.to_ruby to respect newlines
I.e. instead of printing them as:

```
desc "hello\nworld"
```

it would instead do:

```
desc "hello
world"
```

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-25 10:34:45 +02:00
Christoph Hartmann
218bda9c34 Docker resource (#1566)
* add docker, docker_container, and docker_image resources

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-24 10:47:03 -04:00
Tor Magnus Rakvåg
8ad02f4d04 added test for guest user
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
2017-04-21 09:45:58 +02:00
Tor Magnus Rakvåg
740b84a387 use userinfo hash instead of hard coding
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
2017-04-21 09:44:14 +02:00
Tor Magnus Rakvåg
96bb596bc4 fetch user groups while building user object
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
2017-04-20 16:02:21 +02:00
Ryan Gerstenkorn
5e0cab08a0 Add OSX support for host resource (#1608)
* Add OSX support for host resource

Signed-off-by: Ryan Gerstenkorn <ryan_gerstenkorn@fastmail.fm>
2017-04-13 11:32:04 -04:00
Christoph Hartmann
effd0dd9f8 harmonize compliance profiles view with supermarket views (#1654)
* harmonize profiles view with supermarket plugin

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-13 11:24:17 -04:00
Christoph Hartmann
29e286fee6 Merge pull request #1639 from chef/dr/rabbitmq_config
add `rabbitmq_config` resource
2017-04-12 21:19:15 +02:00
Dominik Richter
02e435b6d0 add rabbitmq config resource
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-04-12 20:51:12 +02:00
Adam Leff
da56a08f74 Fix gem resource on Windows
RubyGems on windows comes with a batch file that wraps the `gem` command
so it executes correctly. This change uses that batch file for windows
for our `gem` resource, and also properly handles when we receive no output
from the command.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-12 17:34:16 +02:00
Adam Leff
a8ffe449ff
Add helper methods, tests for registry key path building
Broke out some of the conditional logic in the `#initialize`
method into helper methods and added tests.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-07 10:09:51 -04:00
Christoph Hartmann
266241f173 do not install apache and postgres on windows
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-07 10:57:03 +02:00
Christoph Hartmann
6f6f3985a6 fix #1131 circumvent bug in powershell where string are not properly handled
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-07 10:57:02 +02:00
Christoph Hartmann
90b985a7c1 fix #1268 and allows registry key resource with leading backslash
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-04-06 23:30:10 +02:00
Doc Walker
692e660140 Fix #1617 Add dh_params resource (#1618)
* Fix #1617 Add dh_params resource

Signed-off-by: Doc Walker <4-20ma@wvfans.net>
2017-04-04 10:34:09 -04:00
Adam Leff
73d46f9c49
Replace Nokogiri with REXML in the JUnit formatter
In #1454, we welcomed a newly-revamped JUnit formatter which has
a dependency on Nokogiri. Unfortunately, this had led us to problems
getting InSpec included in Chef omnibus builds (see chef/chef#5937)
because Chef is using Ruby 2.4.1 and the Nokogiri maintainers have
not yet released a windows binary gem that supports Ruby 2.4.x.
This has led to breaking builds in Chef's CI platform and would
block the acceptance of chef/chef#5937.

This change replaces Nokogiri use with REXML instead. While REXML
can be slower than Nokogiri, it does not require native extensions
and is supported on all Chef platforms.

Signed-off-by: Adam Leff <adam@leff.co>
2017-04-03 14:51:48 -04:00
Adam Leff
68a930f141 Merge pull request #1406 from carldjohnston/apache_conf-symlinks
Allow apache_conf to include symlinked configuration files
2017-04-03 10:38:22 -04:00
Ryan Larson
0e187f6117 Feature/fix ability to pass in supermarket url (#1595)
* Enable customization of supermarket_url

It looks like this was originally supposed to work, but at some point
the default value was put in the method body rather than in the method
parameters.

This change allows you to configure the supermarket_url in test kitchen
like so:

```
verifier:
  inspec_tests:
  - name: linux-hardening
    supermarket: som3guy/apache-disa-stig
    supermarket_url: https://my.supermarket.com
```

Signed-off-by: Ryan Larson <ryan.mango.larson@gmail.com>
2017-03-29 12:42:24 -04:00
Adam Leff
7df9674e42 Remove method_missing, provide methods for repo metadata
Instead of method_missing, methods for each output item from
`yum repolist` are provided.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:42:25 +02:00
Adam Leff
1cf80737ad Yum resource fix for non-existent repos and repo info
If a repo did not exist, running matchers against it (such as `exist`)
were failing due to a bug in `#to_s` when fetching the repo name. The
`info` method would return nil and we'd still try to treat it as a hash.

This change ensures that info is always a hash, possibly empty if the
repo doesn't exist, and uses the repo name provided by the user rather
than shortening it to be consistent with our other resources which don't
manipulate the user input in the formatter.

Also added a method_missing to allow users to interrogate repo options,
such as baseurl or gpgcheck.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:42:25 +02:00
Adam Leff
96d18435a4 Update CLI output, adjust tests
The CLI output for the vendoring of profiles has been updated slightly
to be more clear, and the functional tests have been modified to match
as well.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
e1c664272e Break out profile vendor activities into separate class
Per PR feedback, `Inspec::ProfileVendor` is created to centralize
the logic and data of vendoring profile dependencies. The `BaseCLI`
class and the `Habitat::Profile` class have been modified to use it

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
8269d0da9e Support vendored profiles in Habitat-packaged profiles
This change adds support in Habitat-packaged profiles for
profiles that depend on other profiles. When `inspec habitat
profile create` or `inspec habitat profile upload` is run,
it will see if the profile's dependencies have been vendored
yet, and if not, it will vendor them before creating the
habitat artifact.

For the git and URL fetchers, more explicit creation of the
target directories for the vendored profiles is done. This
is implicitly done via normal CLI interactions a user may
go through, but in our case, we want to ensure those directories
are there before the fetchers try to write out content.

By adding this support, we also fix a bug experienced in Habitat
where a profile that was packaged before an `inspec exec` was run
for the profile would cause a failure in Habitat. This is caused
by `inspec exec` doing a vendor of the dependencies if necessary
and generating the inspec.lock file. In Habitat, the package dir
is not writable by the hab user and InSpec would fail to run due
to an inability to write out an inspec.lock.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 10:22:20 +02:00
Adam Leff
8e693a4ad9 Fix port resource for invalid IP address in netstat output
Netstat will sometimes output an IPv6 address that is not
formatted correctly; the address is either truncated or uses
or implies the `::` shorthand notation twice. This yields an
invalid IPv6 address and causes IPAddr.new to choke.

This change guards against invalid IP addresses and ensures they
do not end up in the port resource's entries list.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-29 08:33:50 +02:00
joe.nuspl
1ab80ea052 Extend gem to take an optional gem_binary
Allows one to test whether gems are installed into an omnibus environment.

Signed-off-by: Joe Nuspl <nuspl@nvwls.com>
2017-03-24 22:28:42 -07:00
Adam Leff
73e3bfda7a Merge pull request #1544 from chef/adamleff/hash-values-in-simpleconfig
Provide a method-based accessor for SimpleConfig hashes
2017-03-22 15:46:58 -04:00
Christoph Hartmann
7c11ff9280 add tag object (#1590)
* add tag object

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>

* add tests for to_hash function in tag

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-22 13:41:44 -04:00
Christoph Hartmann
a96059a3eb x509 integration tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-22 11:44:33 +01:00
Christoph Hartmann
d2f000e435 refactor x509 resources and rsa key
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-03-22 11:44:32 +01:00
Richard Nixon
f66f0b3a18 Initial support for x509_certificate and rsa_key
* Includes unit tests
* Includes 2 new resources
* Includes documentation

Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
2017-03-22 10:00:48 +01:00
Dominik Richter
738bae0db8 add inspec json schema validation to functional tests
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2017-03-22 09:42:36 +01:00
Adam Leff
ea7c0c493e Provide a method-based accessor for SimpleConfig hashes
When SimpleConfig parses a config file that has sections, such as a mysqld
config file, the values within that section are returned via a Hash. However,
we do not provide an easy way to write tests for those deep hash values:

```
describe mysql_conf('/tmp/my.cnf') do
  its('mysqld.expire_logs_days') { should cmp 10 }
end

  MySQL Configuration
     ∅  undefined method `expire_logs_days' for #<Hash:0x007fe463795a00>
```

This change provides a method-based accessor for Hashes that are built via
SimpleConfig.

```
describe mysql_conf('/tmp/my.cnf') do
  its('mysqld.expire_logs_days') { should cmp 10 }
end

  MySQL Configuration
     ✔  mysqld.expire_logs_days should cmp == 10
```

Fixes #1541 by changing the way the attributes are fetched.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-15 14:49:16 -05:00
Adam Leff
4f2b66302d Fix ObjectTraverser when accessing array values
When attempting to access array values via the `json` resource:

```
describe json('/tmp/test.json') do
      its(['array',0]) { should eq "zero" }
end
```

... the resulting data would be an array of the size of the original array
with all the values replaced with nils:

```
     expected: "zero"
          got: [nil, nil, nil]
```

This was due to a bug in the ObjectTraverser mixin that mapped array values
back through `extract_value` rather than properly handling the passed-in
key(s). This worked fine for the specific data format created by the `csv`
resource but did not work `json` or any other resource that subclassed the
`JsonConfig` resource.

This change fixes the logic when dealing with an array when it's encountered,
and fixes up the `csv` resource with its own `value` method.

This change also adds tests for ObjectTraverser.

Signed-off-by: Adam Leff <adam@leff.co>
2017-03-15 11:35:55 +01:00
Carl Johnston
30b4152dd2 Add integration tests for symlinked apache configuration.
Remove httpd helper cookbook and write out simple configuration by hand.

Signed-off-by: Carl Johnston <carldjohnston@gmail.com>
2017-03-14 14:48:19 +11:00