This PR adds 5 closely related plugin types, which allow a plugin to implement new DSL methods / keywords. The mechanism to activate the plugins are all very similar - basically, in a particular location in the code, `method_missing` is implemented, and is used to activate the particular type of DSL being requested.
4 of the DSL plugin types relate to code that could appear in a profile control file.
* outer_profile_dsl plugins allow you to extend the code in profile Ruby files that appear outside `control` or `describe` blocks.
* control_dsl plugins allow you to extend the code within `control` blocks.
* describe_dsl plugins allow you to extend the code within `describe` blocks.
* test_dsl plugins allow you to extend the code within `it`/`its` blocks.
Finally, the `resource_dsl` plugin allows you to extend the code used within custom resources.
Basic unit tests are provided to prove that the plugin types are properly defined.
A simple plugin fixture defining DSL hooks (based on favorite foods) is included, and is exercised through a set of functional tests.
The plugin developer docs are updated to describe the 5 DSLs.
*Note*: Implementing a plugin using any of the DSL plugin types is experimental. The contexts that are exposed to the DSL methods are private and poorly documented. The InSpec project does not claim the APIs used by these plugin types are covered by SemVer. Plugin authors are encouraged to pin tightly to the `inspec` gem in their gemspecs.
Motivation for this plugin comes from the desire to allow passionate community members to implement things like "2 out of 3" tests, example groups, improved serverspec compatibility, "they/their" and other "fluency" changes, as well as make it possible for future work by the InSpec team to be implemented as a core plugin, rather than a direct change to the main codebase.
* add aws_eks_cluster
Signed-off-by: Timothy van Zadelhoff
timothy.inspec@theothersolution.nl
* disable ABC check on fetch_from_api
Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl>
* add status predicates
* Change docs for status attribute
Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl>
* Add integration tests
Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl>
* Adjust EKS build code to almost work
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* EKS only uses private subnets - integration tests pass
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Correct AWS Exception class for resource search miss in unit test
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update unit test to reflect AWS resource-standard miss behavior, returning nil for most properties
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update package.rb to solve issue #3361
Update the windows package search regex.
According to issue #3361
* Update package.rb
Fix trailing spaces
* Update helper.rb
update sha for get-item-package. To fix the issue #3361
Signed-off-by: markus hackethal <mh@it31.de>
* Improve filesystem.rb to support windows
improve filesystem.rb to support windows.
Split into 2 classes LinuxFileSystemResource / WindowsFileSystemResource
Add filesystem to verify a FS-type ( currently not for linux because missing test server )
Size on Windows is converted to GB - discussion about this welcome
update to reflect also windows os
* Create get-wmiobject-filesystem
* Delete get-wmiobject-filesystem
* Fix the testing code for filesystem.
Change its 'filesystem' to 'type' according to recommendation from @miah
Signed-off-by: Markus Hackethal <mh@it31.de>
* Revert "Silence RSpec 'should' Warning (#3560)"
This reverts commit 7c611a4c24.
* Add comment with link to reverted fix
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add run_inspec_process, with JSON handling, to functional helper
* Add ability to run a plugin to functional helper
* CWD fix for run_inspec_process
* Add support for running a plugin within a functional test
* Move plugin functional helper code to main func helper file
* FuncHelper: Do not send reporter or lock options if command is not exec
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* unit tests for plugin conf file class, all skip
* File path stuff works
* Validation works
* Add works
* Added remove_entry
* Save works - ready to refactor others
* Rework Loader to use ConfigFile
* Modify loader and installer to use the config file class
* linting
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* When pty is used not having --no-pager makes inspec hang during the test
* Updated tests
Signed-off-by: Jose Alexandre <jose.alexandre@worldfirst.com>
* add security-group to security-group rules
* update docs
* Add integration tests for security-group to security-group rules
* rubocop fix
* Add one security group rule, with position.
* make control fit description
Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl
* Add support for `git@` and HTTP basic auth
This adds support for the following:
```
inspec exec git@github.com:private/example_profile
inspec exec https://username:token@github.com/private/example_profile
inspec exec https://username:password@webserver/private/example_profile
```
This also uses the Git fetcher when the URL ends in `.git`. Example:
```
git config credential.helper cache
git ls-remote https://github.com/private/example_profile.git
inspec exec https://github.com/private/example_profile.git
```
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add documentation for `inspec exec` usage
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add tests for Git fetcher and `inspec exec`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add `opts` to branch of Git fetcher resolve logic
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify Git example comments
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Force `parse_uri` to attempt a parse
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Allow add_test to accept negation
This will allow for negated tests to be generated with add_tests.
* Fix rubocop violation
* Add optional options hash
Signed-off-by: Rachel Rice <rrice@chef.io>
Methods like…
* `count()` return `Integer` values
* `boolean()` return `TrueClass`/`FalseClass` values
* `concat()` return `String` values
…but threw exceptions because those types weren't supported.
This adds support to the `xml` resource, and adds tests to verify some of those examples.
Signed-off-by: Mark Hughes <greenantdotcom@users.noreply.github.com>
* Failing functional test for RSpec should deprecation
* Configure RSpec to allow .should calls
* Remove cruft from test files where we needed to filter deprecation warning
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Fixes (some) ruby warnings related to functional tests
* Removes unneeded `Dir.tmpdir` from test
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* ✓ adds additional checks for vendored profiles
This PR adds additional checks to verify if:
- inspec.yml and inspec.lock dependencies are out-of-sync
- complains about a missing lock file if we have dependencies defined
* skip if legacy profile path is used
* Fix unit tests.
* Force static sha256 for lock files and protect from unnamed depends.
* Add vendor profiles for checks. Windows downloads with different sha256.
* Adding inspec init profile for GCP.
* Adding final newline, thanks rubocop.
* Ensure README headings are at the same level.
* Move OS-specific default profile to new location
* Enforce os-platform restriction on default profile template
* Use profile templates in subdirs.
* Updates to address PR feedback after rebasing from #3491.
* Alter test setup to properly use YAML
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Resource for a Windows Security Identifier (SID)
* Integration tests for security_identifier resource
* Address rubocop violations
* Improve security_identifier from PR feedback
* Update security_identifier tests
* Improve security_identifier unit tests
* Fix unit tests fpr security_identifier resource
* More security_identifier unit tests
* Add docs page for security_identifier resource
* Fix issues with documentation
* Improve docs
Link to Microsoft reference page, and use their term 'trustee' instead of 'entity' where applicable.
* Change exists to exist
* Test appveyor file changes.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add missing tests for groups resource, document members propery, and assorted fixes.
Update existing documentation for group resource.
Add documentation for groups resource.
Update group resource tests to test members property.
Change groups resource members property to have simple style. (this
ensures members is a single array)
remove deprecated have_gid propery.
change `if !` to `unless`
Remove early return from members method. This prevented members from
working correctly on any OS other than Windows.
Add missing tests for the groups resource.
remove tests for has_gid
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Fix comments
Signed-off-by: Jared Quick <jquick@chef.io>
* Allow strings or symbols to be used interchangeably in filtertable criteria; improve error message
* rubocop
* Update test count
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Remove deprecated yumrepo. (#3435)
* Remove deprecations for cli `--format` and metadata.rb (#3452)
* Remove deprecated database_helpers stderr/stdout methods.
Update deprecation text for processes/apache.
* Remove deprecations for `--format` and metadata.rb
Remove deprecated `format` code.
Remove deprecated code test and change json-config format test to use
reporter.
Remove deprecated metadata.rb code
Remove deprecation notice for old supports syntax.
Deprecate metadata.rb from source_reader
Remove rubocop disables as they are no longer required for this code block.
Remove deprecated legacy metadata.rb mock profiles.
Remove deprecated metadata.rb profile tests.
Remove deprecated yumrepo test.
* Allow inspec-3.0 branch to be tested.
* Allow appveyor to test inspec-3.0 branch
* Change runner tests to use reporter rather than format.
Remove deprecated `supports: linux` tests.
* Remove skip from inherited profiles from showing up in reporting (breaking change) (#3332)
* Skip loading dependency profiles if they are unsupported on the current
platform.
Skip loading dependencies if they are unsupported on the current
platform.
Wrap our log and next in a conditional checking if the platform is
supported.
Change a `if !` into a `unless`
Check if the backend is a Train Mock Connection and if so say that the
profile does support the platform.
While iterating through tests being loaded skip when the platform is
unsupported.
We now log a WARN when a profile is skipped due to unsupported platform,
so lets check that.
Modified existing test to log that there are 0 skipped tests, instead of
2.
Add functional test that loads profile-support-skip with a json reporter
to check that our controls are not loaded and that stderr contains our
warning.
* Rather than iterating through each test return before recursion if the platform is
unsupported.
* Resolve tests using a supported platform different from testing platform
Add a control to `test/unit/mock/profiles/complete-profile` that would
work on any OS with a Internet connection. This allows the profile
to execute on any OS with success. `filesystem_spec.rb` was a control
that would only work on Linux and some BSD's.
We want profile tests to consistently work across development and testing
platforms, and not get 'skipped' in some cases. Travis-CI tests on Linux,
Inspec Dev team uses Linux and MacOS, Appveyor tests on Windows
Also Updated `file_provider_test.rb` for `complete-profile` content changes.
If you `MockLoader.load_profile` on a unsupported platform you might not
hit the usual skip. Lets handle situations where the tests array in
Profile#load_checks_params could be nil.
* Use safe navigation rather than checking if tests is nil.
Update tests to point to unsupported_inspec and account for WARN changes.
Make unsupported_inspec profile support os-family 'unsupported_inspec'
* Fix skip bug when using include/require controls. (#3487)
* Fix skip bug when using include/require controls.
* fix test and feedback.
* Remove need for UUID detection for Automate report (#3507)
* Add json metadata for skipped profiles (#3495)
* Add skip metadata to json reports
* Unify skip messages.
* Update with status field.
* Add testing.
* Fix tests.
* lint
* Add skip exit codes for profile skips.
* Update website for 3.0 launch
Add `plugins` to sidebar.
Change 2.0 -> 3.0 in slim files.
Update 3.0 features list.
* Fix comments
* Update float to numeric.
* Change Float to numeric.
* updated feature list and impact doc
* Change "What's new in InSpec 3.0" -> "Announcing InSpec 3.0"
* Bump VERSION to 3.0.0 (#3511)
* Remove 3.0 testing checks.
* Fix azure link.
* Unit and functional tests for a reject list facility
* Implementation of plugin reject facility
* Initial draft of reject list
* Add option to search to hide test fixture by default
* Fix test
* PR feedback
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Move compliance pluging to v2 system.
* Update kitchen-inspec to test.
* Add legacy require patsh.
* Fix unit test
Signed-off-by: Jared Quick <jquick@chef.io>
For larger processes, Busybox's ps displays the vsz and rss columns in
megabytes or gigabytes, with no option I've found to override the behavior.
This change updates the process regex to account for that and converts
the values to kilobytes so they can still be cast as integers.
Signed-off-by: Jonathan Hartman <j@hartman.io>
* Unit tests passing for loading Train plugins
* detect works with a train test fixture
* Update fixture install of train-fixture-plugin
* Add functional tests for detect and shell when talking to a train plugin backend
* Update docs to reflect availability of Train plugins
* Functional test for install train plugin from path
* Working install train plugin from path, more tests for installing from odd locations
* PR Feedback
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add support for multiple descriptions for controls
This adds the ability to specify multiple descriptions in controls.
Example:
```ruby
control 'my-control' do
impact 1.0
title 'My control'
desc 'A default description'
desc 'rational', 'I need an example'
describe file('/tmp') do
it { should be_directory }
end
end
```
Many thanks to @jquick for helping me with the unit tests.
* Remove unused `descriptions` method
* Remove unused profile from test mocks
* Respond to feedback
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Functional test for usage messaging
* Activate v2 commands on empty CLI invocation for usage messaging
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add audit integration testing.
* Add some docs and feedback changes.
* Updated integration task to use paramaters and clean it up.
* Fix unit test
Signed-off-by: Jared Quick <jquick@chef.io>
* Sketch out in comments the unit and functional tests for the installer
* Make a test fixture gem, v0.1.0
* Add a 0.2.0 version of the test fixture gem, this one with a dependency
* Add a fixture with a pre-installed gem
* Correct test-fixture 0.1.0 gem
* Moockup of installed inspec-test-fixture gems
* Uggh add gemspec files to mock installs
* Update gem fixtures, and add a script that does it for me
* Able to load from and list privately managed gems
# Conflicts:
# lib/inspec/plugin/v2/loader.rb
* Expanded tests, starting on implementation of installer
# Conflicts:
# test/unit/plugin/v2/loader_test.rb
* Install plugin from local gem file works
* Writes the plugins.json file; needs refactor
* Gem install works; no version pinning
* Install with pinned version works
* Install from path works
* update works
* Validation for uninstall
* Uninstall from path works
* Uninstaller works on gems
* Add search to installer API.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Move inspec init to v2 plugins.
* Revert inspec run command env change.
* Allow prefix and env for run_inspec_process.
* Update unit tests to use new functionality.
Signed-off-by: Jared Quick <jquick@chef.io>
This is useful when you have multiple versions of the same gem installed. It can be leveraged like so:
```
describe gem('rest-client') do
its('versions') { should include /1.8\.\d+/ }
its('versions') { should include /2.0\.\d+/ }
its('versions.count') { should_be eq 2 }
end
```
Signed-off-by: Ben Abrams <me@benabrams.it>
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
Signed-off-by: Jared Quick <jquick@chef.io>
* Fix profile vendoring on Windows
This fixes vendoring on Windows by doing the following:
- Expanding relative paths (handles `\\`)
- Ensuring archives after closed after reading (prevents locking)
This also does the following:
- Removes extra file from testing tar archive
- Ensures fetching dirs/archives in the local fetcher behaves the same
* Fix profile vendoring on Windows
This fixes vendoring on Windows by doing the following:
- Expanding relative paths (handles `\\`)
- Ensuring archives after closed after reading (prevents locking)
This also does the following:
- Removes extra file from testing tar archive
- Ensures fetching dirs/archives in the local fetcher behaves the same
* Add vendoring to fuctional testing and fix the tmp path for windows
* Add tests for relative paths and backslashes
* Remove backslashes support in filenames on Linux
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add impact class which contains all cvss scores.
* Add testing for impact changes.
* Change symbols to strings for impact.
* Update error messages to be more clear.
* Fix test with new sha
Signed-off-by: Jared Quick <jquick@chef.io>
* Add windows functional tests.
* Fix tests for 2012 server.
* Fix windows build script
* Add more functional tests for windows.
* Update comment with TODO.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add yml attribute option.
* Add type matching.
* Add testing profile for global attributes testing all types.
* Allow attributes to be called within a control block.
* Fix attribut test issues and allow value to be set at runtime.
* Allow setting attr value after creation.
* Move attributes to global namespace.
* Move attributes to a singleton object.
* Add unit and updated functional testing.
* Rename attributes to attributes_test so the testhelper picks it up.
* Add attribute object tests and error types.
* Update with feedback changes.
* Remove extra line.
* Move attribute registry class file.
* Add documentation for attributes
* Rename rspec_extensions.
* Add some failing functional tests.
* Update docs and fix typos.
Signed-off-by: Jared Quick <jquick@chef.io>
* Allow uuid passthrough
* Update flag to be target-id.
* Updated to use proper formatting for header.
* Fix empty line after cli banner.
Signed-off-by: Jared Quick <jquick@chef.io>
* Leverage existance check in Compliance::Fetcher.resolve to not re-download locally cached profiles
* Move logic from Compliance::API.exist? to Compliance::API.profiles to reuse code in cases where we need to access profiles' metadata directly.
* Declare @upstream_sha256 if target is a string
* Handle other fetchers that don't support upstream_sha256 within Inspec::CachedFetcher.initialize
* Add initialize for Compliance::Fetcher to not pollute Fetchers::Url with its logic
* Add Compliance::Fetcher.sha256 to leverage upstream_sha256 instead of relying on inherited method from Fetchers::Url
* Revert changes to cached fetcher that are unnecessary after refactor
* Pacify the god of ruby syntax
* Move Compliance::API.profiles filtering logic to end of method to leverage normalization of mapped_profiles
* Add and update unit tests to support caching with Compliance::Fetcher.upstream_sha256
Signed-off-by: Josh Hudson <jhudson@chef.io>
This does the following:
- Adds `--sudo` if using `--sudo-password`
- Warns the user if using `--sudo-password` without `--sudo`
- Adds unit tests for `Inspec::BaseCLI#opts`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* adding cloudlinux into the mocker under the redhat family as it is found inside of train, and creating tests for cloudlinux that mirror the centos/redhat tests.
* adding cloudlinux under the select_service_mgmt method so that it can be matched.
Signed-off-by: Vern Burton <me@vernburton.com>
* Functional tests for userdir option
* Accepts --config-dir CLI option
* Actually loads a config file from the config dir, more cases to test
* Able to load config and verify contents from config-dir
* Functional tests to ensure precedence for config options
* Enable setting config dir via env var
* .inspec, not .inspec.d
* Begin converting PluginCtl to PluginLoader/Registry
* Able to load and partially validate the plugins.json file
* More work on the plugin loader
* Break the world, move next gen stuff to plugin/
* Be sure to require base cli in bundled plugins
* Move test file
* Revert changes to v1 plugin, so we can have a separate one
* Checkpoint commit
* Move v2 plugin work to v2 area
* Move plugins v1 code into an isolated directory
* rubocop fixes
* Rip out the stuff about a user-dir config file, just use a plugin file
* Two psuedocode test file
* Working base API, moock plugin type, and loader.
* Adjust load path to be more welcoming
* Silence circular depencency warning, which was breaking a unit test
* Linting
* Fix plugin type registry, add tests to cover
* Feedback from Jerry
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Allow the jsonMerged report to be executed from cli.
* Renamed reporter to json-automate and added in comments.
Signed-off-by: Jared Quick <jquick@chef.io>
* Error cleanly if a reporter error while rendering.
* Add functional test for automate reporter.
* Remove authors.
Signed-off-by: Jared Quick <jquick@chef.io>
to set_skip_rule could be a boolean, or a message. Now value should
always be a boolean, and if a message is needed one can be passed and
will be set.
Allow only_if to take a message during control_eval DSL.
Add test for only_if(message).
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add --vendor-cache flag for archive, check, and json commands.
* Remove unused ignore_supports flag for Inspec::Runner.
This flag was only set in two code paths that did not call
Inspec::Runner so setting it did not have any effect.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
* Provide a json_merge report used by A2 that merges all child profiles.
Signed-off-by: Jared Quick <jquick@chef.io>
* Merge profile controls from child up until we find something usable.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add testng for json_merged report.
Signed-off-by: Jared Quick <jquick@chef.io>
* Push the profile population to be later in the report.
Signed-off-by: Jared Quick <jquick@chef.io>
* windows_feature resource: Add DISM support
This modifies the `windows_feature` resource to fallback to DISM when
the `Get-WindowsFeature` command is not available.
* Allow specifying `:dism` or `:powershell`
* Replace stacktrace with smaller error message
* Add notes/todo about raise behavior
* Remove duplicated platform check
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* cli: Downcase supermarket tool name to match URL
This downcases the user provided tool name. Without this fetching the
profile will fail because the Supermarket API downcases in the URL.
* Add another downcase
* Add handling for `supermarket://owner_but_no_name`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Constrain RuboCop disables to single method
* Add comment to Alpine package command
* Use single quotes for Alpine package command
* Change `it` statement to be readable
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Context:
When testing a Windows registry key with a period character in it e.g. `explorer.exe` it is not possible to use `its("explorer.exe")` because the period would be interpreted as method chaining.
In this case, you must instead use `its(["explorer", "exe"])`
See https://github.com/inspec/inspec/issues/1281
This commit fixes `to_ruby`in `Inspec::Describe` so that it produces an array in the generated Inspec code instead of a string.
Signed-off-by: James Stocks <jstocks@chef.io>
* Use fail_resource rather than skip_resource when the platform is not
supported by the resource.
* Update tests to handle failing on unsupported platforms.
Update functional tests.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Functional tests for regex control selection
* Implementation for regex-based control filtering
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
profile name. eg "with/slash" would result in a profile created in the
"with" directory named "slash"
Add test for inspec init, and updated other for new output.
Clean up profiles created during testing and place them in temporary
directories.
Describe our test a bit better.
Check that the profile was created in the right location.
Check that the profile is named correctly.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Updating inspec with bastion options as per https://github.com/inspec/train/pull/310
* Updating train pin
* Adding --password to pass the test
* Revert "Updating train pin"
* PR changes
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
* Sort `Dir.entries` in functional test
Ruby's `Dir.entries` differs between OS's. This ensures the same order
is used when comparing two arrays.
* Remove unused variable `exec_out`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add long description to inspec exec command, mentioning exit codes
* Modify website doc builder code to use long description if available
* Functional test for --distinct-exit flag
* Implement --distinct-exit option
* Inspec shell also needs the option
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* apache_conf resource: Strip quotes from values
* Update regex to capture all vars between quotes
* Change `x` and `y` to proper variable names
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* A functional test for attributes
* Add tests for nested attrs in yaml
* remove commented-out tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Fix the control merging issues when overriding child controls.
* Fix rubocop issue and vendor compression.
* Add in lock file for vendor profile
Signed-off-by: Jared Quick <jquick@chef.io>
* Add insecure option to the automate report json.
* Add in automate and compliance json documentation.
* Fix typo.
Signed-off-by: Jared Quick <jquick@chef.io>
* Un-deprecate plural properties on shadow; deprecate the singular versions
* Update filtertable interface to current
* A weak attempt at making the docs coherent
* Doc feedback per Jerry
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* set port default to nil, introduce local_mode
* raise instead of warning
* restore default port, allow explicit nil
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
* Adding YAML reporter
* Updating yaml o/p
* Removing comment
* Adding UT for YAML reporter, adding missing reporters
* This PR takes care of the following:
- Fixes the YAML reporter UT
- Adds the report method to YAML reporter to support code example as in #3085
- Disables the cyclomatic complexity Metric for reporter
Signed-off-by: Noel Georgi <18496730+frezbo@users.noreply.github.com>
* implement members property
* flatten groups entry, extract flatten helper
* lints
* more idiomatic spec, add example of members testing
Signed-off-by: Tor Magnus Rakvåg <tm@intility.no>
* Add integration and unit tests for aws_ec2_instances
* Basic docs for aws_ec2_instances
* Add basic aws_ec2_instances resource
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add check if aws s3 bucket is encrypted.
Required terraform aws provider >= 1.6
Fix indentation issue in aws_s3_bucket.rb
* Implement most changes recommended by @TrevorBramble, and refactored other methods to align with recommendations (except Terraform nitpick; preference is to keep coding style consistent until full refactor).
Signed-off-by: Jeremy Phillips <github@uranusbytes.com>
* nginx_conf resource: Fix include paths with quotes
* Move quote removal to `NginxParser`
* Add parsers/tests for quotes in quotes
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This change should make it easier to work with a running environment.
You may now apply changes without doing a full teardown/rebuild any time
you make a change to the terraform plan.
Adds some documenation on how to use the Terraform tooling.
Adds AZURE_LOCATION to override the default region.
Signed-off-by: David McCown <dmccown@chef.io>
* Update tests and docs to assume one recorder per region
* Config recorder supports singleton fetch
* Docs and tests for singleton mode delivery_channel
* Implementation for singleton delivery channel, and some other code cleanup
* Implement some feedback, and fix a bug in traversing the struct in looking for empty results
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update terrform to 0.11.7 (latest) and aws plugin to 1.14; upgrade plugins on test startup
* TF route table resource doesn't export associations or routes attributes. Which we weren't using anyway.
* Downgrade to aws plugin 1.13 to avoid TF panic; suppress deprecation warning for aws_region
* Fix incoherent attribute combination on cloudtrail
* Add -auto-approve to suppress interactive confirmation
* Update version pinning for AWS minimal account
* Use a plan file in AWS runs
* Pin azure TF run to 0.11 and 1.3; also an autoformatter pass on the TF code.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Bug replication tests, unit and integration
* Fixes statement_count
* Fixes statement_count and have_statement
* rubocop trim whitespace
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update singular implementation to avoid use of inner object
* Update docs and tests for 3 new filters and properties on aws_vpcs
* Implement new filters and properties; one failing test due to odd FilterTable behavior
* changes to avoid bug 2929
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add tests for method chained shadow resource with readable and
unreadable shadow files.
Ensure @params always has a safe value, otherwise we may stacktrace when
unable to read /etc/shadow and invoked with method chaining.
* Wrap deprecation notices with a proc/must_output to clean up test
output.
Added some missing newlines.
Catch deprecation notice on `lines`.
* Resolve the majority of the issues pointed out by @tbramble.
Deprecate `lines`; its really only used internally but it was 'exposed'
through tests and who knows if there is external use. `lines` is not
documented as a property at least..
`#set_params` is much better now =)
Signed-off-by: Miah Johnson <miah@chia-pet.org>
Provides low-, and mid-level properties and matchers for examining rules on aws_security_group.
* Second draft of docs for SG rules interface; need to clarify semantics of reject
* First cut at unit tests
* Cleanup test fixtures
* Implementation for allow, with plausible unit tests
* Doc updates based on reality
* Add integration tests; move allow to allow_ / out; several docs updates
* Add be_open_to_the_world and be_open_to_the_world_on_port
* Update docs to reflect adding allow_only
* Update docs to reflect use of position to allow multiple rules with 'only'
* Implement allow_only with unit tests; still need integration tests
* Add integration tests for allow_only
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* * Adds new property to test how many days ago the CloudTrail delivered logs to the CloudWatch Logs.
* * Changes query for selected cloud trail in unit test
* Changes uses Time.now explicitly instead of making a variable in the unit test
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Adds new property to test the users in an aws_iam_group
* Adds terraform code to add the recall_hit user to the administrator group
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Initial commit of skeletal resource aws_route_tables
* Fixes issues with documentation
* Renames route table terraform resources to be more conventional
* Removes tags terraform resources
* Changes aws_route_table and aws_route_tables integration tests to use new terraform names
* Removes unneeded data given in unit tests
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Initial commit of skeletal resource aws_s3_buckets
* Add fixes to documents
* Removes property 'creation_date' for there is no use case as of right now
* Rebases on master and moves aws_s3_buckets integration test to the correct location
* Adds test on unit test for false exists
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Adds chocolatey package resource
* Adds docs for chocolatey_package resource
* Differentiate chocolatey package from windows feature
Suggested by @frezbo
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Change `skip_resource` to use raise
* Add `supports` lines to example resource
* Change to rescue `StandardError` vs `Exception`
* Change raise to use `e.message` vs `$!`
* Remove redundant returns
* Change `File.exists?` to `File.exist?`
* Update shasum in tests
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add AWS hardware MFA matcher
Adding a hardware as well as a virtual MFA matcher for aws_iam_root_user
resource
* Add New AWS Root Matcher Docs
- Add documentation for new root MFA matchers
- Fix logic for checking MFA devices from feedback on PR
* Add Integration tests for MFA matchers
- Add integration tests for virtual and hardware MFA matchers
- Clean up logic for has_virtual_mfa_enabled? method
Signed-off-by: Paul Welch <pwelch@chef.io>
* Add python check for pip resource
When checking pip resources, we should skip resource if python is not
installed or we will fail with an error when trying to parse the path.
* Check pip command on windows
On Windows, if pip has a newer version available, it adds an error
message to stderr. Now checking if both stderr and stdout on windows
have values. If so, assume pip package is installed.
* Clean up powershell query command
- Make it easier to read what the powershell command is doing
- Make it easier to read what the cmd_successful method lokos for
Signed-off-by: Paul Welch <pwelch@chef.io>
Without the terminating character ($), it just accepted any characters
at all after the initial matching set.
Also add some tests to assure we're raising appropriately.
Co-authored-by: Trevor Bramble <tbramble@chef.io>
Co-authored-by: Joshua Padgett <jpadgett@chef.io>
Signed-off-by: Trevor Bramble <tbramble@chef.io>
This adds `powershell` resource support for non-Windows OSs via `pwsh`
and Base64 encoded commands.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Mitigate trivial warning on test by initializing
Also fixes passing a ambiguous argument.
* Mitigate trivial warning by removing redundant method
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* registry_key resource was returning an incorrect value
when key value was greater than 2147483647
* added mock
* Fix issue with default reg key
(default) key was returning nil even when a value was present.
Signed-off-by: Omar Irizarry <irizarry_omar_j@network.lilly.com>
* Initial commit of new skeletal resource aws_config_delivery_channel
* Changes delivery_frequency to be an integer and names delivery_frequency_in_hours
* Adds more documentation and clarifies descriptions
* Wraps API call in the aws_catch_errors function
* Changes config bucket name to use dashes instead of underscores
* Updates on master and changes directory location of build and integration files
* Fix integration tests to only create one ConfigRecorder
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Initial commit of skeletal resource aws_kms_key
* * Adds comments to rerun travis
* * Clarifies some parts of the doc.
* Changes matcher have_aws_key_manager to manged_by_aws
* Fixes copypasta
* Adds clarification to property names
* Fixes rescueing exceptions from the api
* raises exceptions in the unit tests
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
This mock was a remenant of file reading tests that became obsolete with
the centralization of that code.
Signed-off-by: Trevor Bramble <tbramble@chef.io>
* Clean up test data, correct parse error handling
* Use functional pipeline to avoid need for conditional clauses and clarify the intent of the comment parsing.
* Extract magic strings to constants
* Remove code and tests now covered by FileReader
Co-authored-by: Trevor Bramble <tbramble@chef.io>
Co-authored-by: Paul Welch <pwelch@chef.io>
Signed-off-by: Trevor Bramble <tbramble@chef.io>
* Initial commit of skeletal resource aws_sns_topics
* Adds clarification in documentation
* Adds functionality for calling the next token returned from aws api.
* Wraps api calls in the catch_aws_errs method
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Create file-check functionality into utility file
There are the similar issues as PR #2302. Almost resources return false
positives when a file does not exist or is not read.
* Replace to file-check functionality
* Fix dh_params and x509_certificate resources
If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have
raised an exception and have skipped the inspection. Thus x509_certificate
and dh_params resources are not allowed to read a empty file.
* to_s of shadow expects filters is not nil
* Remove workaround of sshd_config
Removes the workaround of sshd_config since Travis CI fails due to a bug
of dev-sec/ssh-baseline and the PR #100 will fix it.
* Use init block variable in methods
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Initial commit of new resource
* Makes changes to docs to match changes to the resources.
* Adds clarifications in docs and changes it to be an erb file.
* Simplifies some unit tests
* Wraps calls to the api in a aws_catch_errors method
* Removes provisioner terraform code
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
When testing on a filesystem used for a long time or built on a small
sized partition, the actual file order may be different from the
expected file order as below:
1) Failure:
inspec keyword::inspec.profile.files#test_0002_lists all profile files when calling #files [/work/git/inspec/test/unit/dsl/other_keywords_test.rb:50]:
--- expected
+++ actual
@@ -1 +1 @@
-["a_sub_dir/sub_items.conf", "items.conf"]
+["items.conf", "a_sub_dir/sub_items.conf"]
2) Failure:
SourceReaders::InspecReader::with a valid profile#test_0005_retrieves all extra files [/work/git/inspec/test/unit/source_readers/inspec_test.rb:39]:
--- expected
+++ actual
@@ -1 +1 @@
-["files/a_sub_dir/sub_items.conf", "files/items.conf"]
+["files/items.conf", "files/a_sub_dir/sub_items.conf"]
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Modify version constraints to be an Array
This will allow both old and new versions of InSpec to parse the
`inspec.lock` correctly.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* quote password when generating mysql command string
* added a test for mysql_session, added shellwords escaping to mysql_session resource
* changed the name of the escape method
* clarified test conditions
Signed-off-by: Tom Hodder <tom@limepepper.co.uk>
shadow file.
After much thought the deprecations from #2642 were for the wrong methods.
Plural method names feel much more natural when working with this
resource because you can have more than a single result.
Consider a match like `shadow.user(/^www/)`, this could return multiple
users, so `shadow.users` feels more natural here.
The problem is that the fields we're matching in the shadow file itself
are singular. Each entry is for a user, which has a password, and some
other fields. A user never has `passwords` in the shadow file, only a
`password`.
This is made more obvious when you use the `filter` method.
When we use this filter: `shadow.filter(min_days: 20, max_days: 30)` we
are matching fields in the shadow file and not using our matcher
methods. This means that if there is a discrepancy between our matcher
methods, and the shadow fields the user could end up confused. Like I did =)
This PR changes:
Changed matchers to match shadow fields.
Updated documentation to reflect changes.
Updated tests to reflect changes.
Re-add `filter` method, and add a test for it.
Renamed variable for FilterTable to be less confusing.
Renamed query argument for methods to be consistent.
Cleanup docs based on comments from @jerryaldrichiii
Make Rubocop happy <3
Signed-off-by: Miah Johnson <miah@chia-pet.org>
Removes skip_resource and raise .. if InSpec.os stuff from initialize as this is covered by platform support.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* return 1 as exit code for commands that are not available
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* update tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* Change shadow resource to use FilterTable rather than custom filter
implementation.
Add tests for singluar aliased methods and other minor changes to work
with FilterTable output.
Coverage is at 100%
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* merge master
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add support to use bash in host resource
Netcat's presence is widely regarded as a security issue, and thus not
always available. This solution first tries to use bash builtins and
timeout (from coreutils), so is less likely to require installing
additional packages.
* Darwin UDP support in host resource
* Host: use netcat first if available
Signed-off-by: João Vale <jpvale@gmail.com>
* Fix aws-iam-users pagination
PROBLEM: aws-iam-users resource only retrieves 100 records due to pagination
in the AWS IAM list_users function.
FIX: Iterate over all the pages using the AWS pagination variables `marker`
and `is_truncated`
Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
* Move instance variable to avoid `NoMethodError`
Methods for `role` and `system` properties are dynamically generated and
return values from the `@virtualization_data` Mash. Therefor, we must
ensure `@virtualization_data` exists before calling these methods.
* Move supports logic to `supports platform: linux`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Initial commit of new resource
* Removes deprecated matcher in example
* Adds a new terraform file for config resources
* Fixes and clarifies documentation
* Wraps calls to api in catch_aws_errors method
* Changes the names of two matchers
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu>
* Fix formatting of iam user integration tests by placing them in controls
* Fix subnet AZ test by making it an attribute; can't hardcode it
* Fix VPC ID fixture export for subnet testing
* Rename Azure integration tasks to match AWS and allow on-demand attribute dump
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* package resource: Fix `brew` package detection
This allows for package detection via `brew` to handle cases where a
particular package formula exists but is not installed.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fixes the deprecation warning text for report and output.
Remove an extra 'is being' from the 'is being is being'
Signed-off-by: Franklin Webber <franklin@chef.io>
* Fix legacy reporter output.
Signed-off-by: Jared Quick <jquick@chef.io>
* Wrap test in a proc to catch warnings.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add output deprecation.
Signed-off-by: Jared Quick <jquick@chef.io>
This does the following to `inspec detect`:
- Modifies it to use the `platform` resource
- Changes the output to mention Platform and show the family hierarchy
- Changes the JSON output by changing `family` to `families`
- Adds better error messaging (no more stacktraces!)
- Adds support for APIs such as AWS/Azure
- Hides Arch from API platforms (not applicable)
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Formatter and reporter refactor.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add exception and backtrace to json-min report.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add sha to json-min and include generator version for json profile.
Signed-off-by: Jared Quick <jquick@chef.io>
* Fix deprecated typo and add fallback for cli resource title.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update to build json report and clean up cli logic.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add tests for json reporter.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add cli suppress_log_output? and a fallback for invalid reporter type.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update suppress_log_output? to check if we are outputting to stdout.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update reporter cli optoins to work with json_config.
Signed-off-by: Jared Quick <jquick@chef.io>
* Refactor some safe-navigation and variable names.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add thor banner to show reporter file output syntax.
Signed-off-by: Jared Quick <jquick@chef.io>
Unlike `Inspec::Test` this supports having multiple tests within one block that describes a resource. This has now been seen as an optimization problem where a resource may be computed once and tested multiple times with `it` and `its` within the body.
If successful, it requires a follow-up to deprecated Inspec::Test and remove it for 2.0 completely with a recommendation to use Inspec::Describe.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This adds support for `architectures` to the `packages` resource.
Example:
```
describe packages(/compat-libstdc++-33/) do
its('architectures') { should include 'x86_64' }
its('architectures') { should include 'i686' }
end
```
This also adds documentation for the `packages` resource
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* adding df resource
Signed-off-by: Vern Burton <me@vernburton.com>
* adding unit tests and required mocks for them, created integration test
Signed-off-by: Vern Burton <me@vernburton.com>
* cleaning up skip test to include only the filename and not full path
Signed-off-by: Vern Burton <me@vernburton.com>
* adding docs
Signed-off-by: Vern Burton <me@vernburton.com>
* size makes more sense than space
Signed-off-by: Vern Burton <me@vernburton.com>
* removing unneeded author lines
Signed-off-by: Vern Burton <me@vernburton.com>
* as the command changed, changing mock to the new sha
Signed-off-by: Vern Burton <me@vernburton.com>
* updating to address comments from #2441
* removing author lines
* using attr_reader functions
* using ruby string functions rather than pipe to sed
* adding os family detection
* using ResourceFailed as the pattern already existed for OS family detection
* using if for future case support for unix and unix-like (FreeBSD)
Signed-off-by: Vern Burton <me@vernburton.com>
* adding supports to resource metadata, and adding tests that show that resource says that it is not supported on windows/unix.
Signed-off-by: Vern Burton <me@vernburton.com>
* focusing on linux os family and removing logic for assumed future cases
Signed-off-by: Vern Burton <me@vernburton.com>
* changing df to filesystem
Signed-off-by: Vern Burton <me@vernburton.com>
* service resource: Fix no `.service` + systemd bug
This modifies the `enabled?` check to fallback to `sysv_service` in the
event that a `.service` file cannot be found.
For example: On Debian 8.7 the stock apache2 package does not deploy a
`.service` file but deploys a SysV style service. This causes
`systemctl is-enabled` to fail when the service is in fact enabled.
* Remove `cmd_stderr` and clean up `cmd_exit_1`
* Clean up `stderr` assignment using ternary
This change adds the `docker_service` resource for Docker swarm mode services. This
branches off some of the common elements (id, exists) into a `DockerObject` module along
with a utility function for parsing the image/repo string. That function was implemented
separately by `docker_image` and `docker_container`, now with a third resource, it made
sense to consolidate that into an included module. I used the most comprehensive
implementation. Existing classes had to be slightly modified for the genericization.
Signed-off-by: Matt Kulka <mkulka@parchment.com>
* Fix `grub_conf` menuentry detection
This does the following:
- Corrects Grub2 bug where last entry was always selected
- Adds support for specifying a Grub2 menu entry by name
- Adds support for using `GRUB_DEFAULT=saved` with Grub2
- Adds more Unit tests
* Add error if menuentry name cannot be extracted
* Add handling for missing/unreadable grubenv
* Add defensive code for failed menuentry extraction
* http resource: make header keys case insensitive
HTTP header keys are currently case-sensitive, and the local and remote
workers currently store the keys in different formats due to the
different tools generating them.
This change ensures the ability to fetch headers by key is
case-insensitive and adds a deprecation to inform the user that future
fetches should use all lowercase.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove deprecation treatment
HTTP header keys are case insensitive anyways. There's no reason to make
things harder for our users.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix `nil:NilClass` error for `package` resource
This modifies `.info` to return `{}` in cases where the package manager
cannot be determined. This matches the behavior of `@pkgman.info`.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Change `must_be_empty` to `must_equal({})`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* adding database.xml with attributes to files and mocking it in the helper.rb
Signed-off-by: Vern Burton <me@vernburton.com>
* adding logic to test class returned by XPATH and using functions from respective classes to fill a array for return, and unit and integration tests to ensure functionality
Signed-off-by: Vern Burton <me@vernburton.com>
* updating docs to show how attributes are used
Signed-off-by: Vern Burton <me@vernburton.com>
* 'and' instead of 'or' makes more sense
Signed-off-by: Vern Burton <me@vernburton.com>
* adding default else for capturing unknown classes from REXML
Signed-off-by: Vern Burton <me@vernburton.com>
* removing extra newline
Signed-off-by: Vern Burton <me@vernburton.com>
* adding fail case with enough information to debug in future case
Signed-off-by: Vern Burton <me@vernburton.com>
* adding control statement to add rule in front of string as long as it doesn't already contain rule.
Correcting resource name in firewalld from etc_hosts_deny
adding tests for both branches of the statement created in firewalld
Signed-off-by: Vern Burton <me@vernburton.com>
* moving to unless with a start_with
Signed-off-by: Vern Burton <me@vernburton.com>
* adding documentation that states that it is not needed to add `rule` string
Signed-off-by: Vern Burton <me@vernburton.com>
* adding SQL 2012 SP1 for mssql_session testing
Signed-off-by: Vern Burton <me@vernburton.com>
* updating SHA to match new commands with ports in them
Signed-off-by: Vern Burton <me@vernburton.com>
* adding port, and a default value and moving from skip_resource to resource_fail
Signed-off-by: Vern Burton <me@vernburton.com>
* adding new sha for custom host
Signed-off-by: Vern Burton <me@vernburton.com>
* adding tests for hostname and migrating test that passed port in host to a dedicated port test
Signed-off-by: Vern Burton <me@vernburton.com>
* adding integration test
Signed-off-by: Vern Burton <me@vernburton.com>
* removing services as appveyor does not have integration testing running so it would be a waste of time to enable it
Signed-off-by: Vern Burton <me@vernburton.com>
* mock instance command
Signed-off-by: Vern Burton <me@vernburton.com>
* making instance readable
Signed-off-by: Vern Burton <me@vernburton.com>
* adding instance test
Signed-off-by: Vern Burton <me@vernburton.com>
* moving to ResourceSkipped as ResourceFailed is targeted for a major release
Signed-off-by: Vern Burton <me@vernburton.com>
* Testing train downcase platform names.
* Added NameCleaned tests and fixed some formatting.
* Clean up tests with helper method.
* Update to new gemfile and platform resource.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add platform resource and platform supports.
Signed-off-by: Jared Quick <jquick@chef.io>
* Cache platform and inspec checks and implement inspec_version.
Signed-off-by: Jared Quick <jquick@chef.io>
* Deprecate current inspec support in favor of inspec_version.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update resource/profile skip messages.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update load_resource to use platform instead of os.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update platform example.
Signed-off-by: Jared Quick <jquick@chef.io>
An update to the openssl cookbook modified the defaults for `state` and
`city` in the `openssl_x509` resource. That change modified the output
of `issuer_dn` and `subject_dn` in InSpec's `x509_certificate` resource.
This modifies the expected output of the integration tests to match
these new defaults.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Update apache_conf test to check for ServerAlias values.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add ServerAlias key and values to mock apache conf which includes
trailing whitespace.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Updated test to reflect all ServerAlias values being put into a single
array item. This is expected as we do not override the key_values
default setting of '1' when passing the raw configuration to
SimpleConfig.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Update the regular expression to include a conditional with positive
lookahead that checks if the line ends with one or more spaces. If the
lookahead succeeds we non-greedily capture, and when it fails we
greedily capture.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add mode method to test the value of Bonding Mode
Signed-off-by: Eammon Hanlon <eammon.hanlon@microsoft.com>
* Add test for bonding mode in bond unit test
Signed-off-by: Eammon Hanlon <eammon.hanlon@microsoft.com>
* Add documentation on mode matcher for bond resource
Signed-off-by: Eammon Hanlon <eammon.hanlon@microsoft.com>
* Update example for 'Test parameters for bond0'
Signed-off-by: Eammon Hanlon <eammon.hanlon@microsoft.com>
* Add handling for OWCA login via `compliance login`
OpsWorks Chef Automate currently returns a 200 for the
`/compliance/version` endpoint and redirects to the Chef Manage page.
This adds support to `inspec compliance login` to accept this as valid
behavior and continue with the login.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add test case for 200 response but no Chef Manage
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add debug info and split `determine_server_type`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Appease RuboCop
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove forced returns from `determine_server_type`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add `false` code path for non-200/non-401 response
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Reword debug messages
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
Traditionally those would translated DEFAULT_ATTRIBUTE. but that was wrong, it should have been nil or false or whatever the user supplied.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Add support for Darwin Directory Service groups
This allows users to verify groups added by Chef on OS X.
The current method that `UnixGroup` uses is to check the contents of
`/etc/group`, but OS X adds groups to Directory Service and not
`/etc/group`. This modifies the `group` resource on Darwin to use
`dscacheutil` to get group info.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Clean up `select_group_manager`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Clean up DarwinGroup `groups` method
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Enhance `package` resource error handling
This does the following:
- Modifies `info` to return an empty hash instead of `nil`
- Adds a failure case if package name is not specified
- Adds a skip case if no package manager can be found
- Changes `skip_resource` to use the `ResourceSkipped` exception
- Raises an error if JSON parsing fails for Windows/MacOS/Darwin
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Make RuboCop happy
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Change missing argument behavior
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove unnecessary boolean check
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Rewrite of Inspec Azure Resource pack to allow the testing of _any_ value Azure reosurce.
Closes#36Closes#37
This fixes#56 so that it works with the latest version of the SDK. In fact it will only work to version >= 0.15
Signed-off-by: Russell Seymour <russell.seymour@turtlesystems.co.uk>
* Move cache cli command to vendor-cache.
Signed-off-by: Jared Quick <jquick@chef.io>
* Rename DEPRECATION to DEPRECATED for cache flag.
Signed-off-by: Jared Quick <jquick@chef.io>
* Constructor unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Constructor tests pass, all others gutted
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Basic 'where' test in place, no criteria
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Wired up filter table to backend list users
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Unit testing for has_mfa_enabled and has_console_password
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Simple AWS client implementation for Users
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rework resource parameters and validation; copy in code from #121
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add constructor tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add search/recall tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Recall unit tests pass
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Failing unit tests for username and has_console_password
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* has_console_password works in unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* has_mfa_enabled failing unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* has_mfa_enabled passes unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Failing unit tests for Access Keys
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* CLean up bad rebase commit
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Access keys property works, as an uncooked AWS response
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* De-linting
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Integration tests work
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Remove provider support libraries
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Integration tests pass for users resource
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* De-lint
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Remove aws connection load from user
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Adapt aws_iam_user to rely on AwsResourceMixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* add a emulated /etc/cron.d/crondotd file to the mocking system.
* test that we handle incoming paths correctly by rendering to_s.
* We take in both users and a path, so lets call that destination.
* To make the test pass we'll determine if we are dealing with a path or
a user and return the correct string.
* we will need the ability to determine if we are dealing with a path when either calling the crontab command or reading the file directly, so break that out into a path? method.
* remove author field.
* test contents of our crondotd file.
* we have to explicitly make @destination a String to use include?.
* when we get a path we use inspec.file to get conents, otherwise we run the crontab command.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add documentation for example usage with file path.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Make path? and path_or_user private methods
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add missing username filed to crondotd mock file
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Pass argument as a hash when testing file paths
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Expected results should include usernames when testing file paths
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add special string `@yearly` test to crondotd mock file
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add user to existing cron tests
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Rubocop says I need spaces after/before curly brackets
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add user to crondotd file tests and add @yearly test
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Modify initialize to take options hash and be backwards compatible.
Change initialize default argument to create a hash by default, though
it is still possible to pass in a 'user' string argument.
@user gets set with the argument value unless its a hash, in which case
it tries to set the value of the user key, otherwise it becomes nil.
@file gets set with the value of the path key, unless it doesn't exist
in which case it becomes nil.
All hash keys are symbolized to ensure consistent access.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Check if @path is nil to determine if we run crontab command or parse
file.
path? was removed as we're not overloading a @destination variable
anymore.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* if @user is nil assume current user otherwise crontab for @user
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Change to complete if rather than ternary.
We have three possible cases, current user, other user, or file path.
This accounts for all of them.
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add user to the crontab FilterTable
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Remove path? and path_or_user
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Move crontab parsing to two methods, parse_user_crontab and
parse_system_crontab
Because a command in a crontab file could have spaces we must parse user
and system crontabs differently.
When we parse user crontabs the user field will either be nil, or the requested user.
Both user and path parsers handle special strings (@yearly, @weekly,
etc). And also account for position of user in these files (or adds it
in user case)
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Update examples with user: and path:
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add spaces after : in example docs
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Disable rubocop ClassLength check
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Moved rubocop ClassLength metric next to class instead of above the
module.
Remove unnecessary braces.
Add is_system_crontab? and is_user_crontab helper methods and use them.
Add tests to see if error conditions are raised when the resource is
invoked with missing parameters (user, or path), and on a unsupported
os.
Change initialize to group all hash functions together and raise errors
when user and path is unset. Also raise errors on unsupported operating
systems.
Change order of ternary and use is_system_crontab? rather than
@path.nil?
Signed-off-by: Miah Johnson <miah@chia-pet.org>
* Add debug for caching and fix cli merge bug.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update options merge to take cli options over json.
Signed-off-by: Jared Quick <jquick@chef.io>
* test appveyor with ruby#File
Signed-off-by: Jared Quick <jquick@chef.io>
* Update inspec train to version 0.31.1
Signed-off-by: Jared Quick <jquick@chef.io>
* Allow `inspec check` to ignore `only_if`
When using `inspec check` a mock Train backend is created. This means
that the following would raise an error because `os.name` is `nil`
```
only_if { os.name.include?('anything') }
```
Since `inspec check` isn't concerned with the evaluation of `only_if`
this skips those checks if the block given raises an error.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove unnecessary `e` in rescue
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify implementation to use `check_mode`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Move `check_mode` concept to the Profile scope
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fix lint after rubocop upgrade
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add comment for mocked ControlEvalContext options
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Enable caching for command and file calls to train
* Moved transport conn to connection and refactored tests
* Update caching flag to use train caching.
* Move caching flag to cli option.
* Add backed cache default from thor.
* Add hard disable for cache option and remove all cache from debug shell.
* Add comment to caching settings conditional.
* Force file cache on when caching enabled.
* Update gemspec for train 0.30.0.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update security policy export to use pid instead of random.
Signed-off-by: Jared Quick <jquick@chef.io>
* Update helper for the new train.
Signed-off-by: Jared Quick <jquick@chef.io>
* Standardize requires in unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Standardize requires in resources
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Move AWS connection hook into non-resource library area
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add an AWS resource mixin, pushing constructor out to it
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Push resource param name recognition into mixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Push exists predicate up to mixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rename base.rb to be resource_mixin for clarity
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Separate the backend from its factory, and push it out into a class mixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Push BackendFactory up into the resource mixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* De-linting
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Remove aws_conn require from LMF and CloudWatch Alarm filters
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Use resource mixin for Cloudwatch Alarm
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rework LMF to use the resource mixin
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Remove SDK load from connection.rb; that happens in aws.rb now
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Mixin should default to allowing empty resource params
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update LMF to enforce params being required
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
When supplying a docker image that contains a registry with a port number,
such as `localhost:5000/chef/inspec:1.46.3`, the docker_image resource
was unable to locate the image in question due to incorrect parsing
of the repository and tag.
Signed-off-by: Adam Leff <adam@leff.co>
When the JSON resource (and those that subclass off of it) were modified
to properly throw exceptions in the event of failure, this caused the
`params` method to return nil instead of what it used to be, an empty
hash.
This is fine in the case of a describe block, but it's not okay when used
outside of a describe, as it will cause users trying to pluck from the
hash to throw a dreaded-and-unhelpful NilClass error.
This change pre-populates the params to be an empty hash, and if the
read/parse steps fail, it will still be one.
Signed-off-by: Adam Leff <adam@leff.co>
* Add a unique export for security policy resource.
Signed-off-by: Jared Quick <jquick@chef.io>
* Remove skip resource on empty policy file.
Signed-off-by: Jared Quick <jquick@chef.io>
* Allow skipping/failing resources in FilterTable
`FilterTable` is commonly used in the class body of a resource and is
evaluated during an `instance_eval`. This means that if you raise an
exception (e.g. SkipResource) it will halt `inspec exec` and
`inspec check`.
This adds an `ExceptionCatcher` class that will postpone evaluation
until test execution.
This allows `inspec check` and `inspec exec` to perform as intended when
skipping/failing a resource in `FilterTable`
Huge thanks to @adamleff for providing the starting code/ideas!
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Comment why `ExceptionCatcher` doesn't raise
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove `accessor` from `ExceptionCatcher`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Return the existing ExceptionCatcher object rather than creating new
Signed-off-by: Adam Leff <adam@leff.co>
* Modifies test for failing WMI string interpolation
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes#2260 (WMI string interpolation)
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
The existing method of adding `-X HEAD` to the curl command does not
work properly and can cause timeouts because curl doesn't properly
close the connection. The correct way is to use curl's own `--head`
flag.
Signed-off-by: Adam Leff <adam@leff.co>
* json resource (et. al.): allow inspec check to succeed when using command
When using the `json` resource (or any of the resources that subclass
JsonConfig), `inspec check` would fail if the content was supplied with
the `command` option. This is because the `command` resource is mocked
and an empty string would be returned for `stdout`. That content would
be blindly passed to the `parse` method would which raise an exception
and cause `inspec check` to fail.
This change refactors JsonConfig to be a bit cleaner and use some helper
methods. Additionally, we use the new Exceptions to properly raise errors
which are naturally caught by Inspec::Profile, etc.
Signed-off-by: Adam Leff <adam@leff.co>
* Make `resource_base_name` method private
Signed-off-by: Adam Leff <adam@leff.co>
* Full docs, first draft; integration tests; started on unit tests
* Integration tests pass
* Docs update
* More consistent syntax in examples
* Alter fetch phase to perform fetch, handle results, and unpack into instance vars, more like other resources
* Docs first draft, integration tests, and constructor unit tests for SNS topic
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Skeleton of SNS topic
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Constructor arg validation works
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Passing unit tests for recall
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Subscription Count property, works
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Subscription, not subscriber
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Integration tests pass; also wildard ARNs are not allowed
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop changes
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Doc updates per kagarmoe
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
'etc_group' resource stores 'gid' as integer but the 'where' method
compares 'gid' as string.
By this fix, the 'where' method always converts the stored data to string
when comparing. And it can also look for groups without members.
Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
* Fix classname in JUnit formatter
The JUnit formatter currently incorrectly uses `class` instead of
`classname` as an attribute.
Signed-off-by: Adam Leff <adam@leff.co>
* Prefixing classname with profile name, fix functional tests
Signed-off-by: Adam Leff <adam@leff.co>
* Bumping train to 0.29
Train 0.29 includes some bug fixes and a refactor of the File classes
Signed-off-by: Adam Leff <adam@leff.co>
* Correct unit test for undefined platform
Train requires that a hash is supplied when mocking an OS. Because
an OS of "unsupported" rather than "undefined" was chosen in a unit
test, a nil was passed to train and it caused a failure.
Signed-off-by: Adam Leff <adam@leff.co>
* Ensure 0.29.1 or later gets picked up, but 0.30 is also acceptable
Signed-off-by: Adam Leff <adam@leff.co>
* Add failing unit test for deprecation warning on profiles with slashes in their name
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Issue warning during validation if name contains a slash
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Slug profile names generated from target paths to prevent breaking unit tests
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop whinges
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Update functional test watching for default profile name
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Make deprecation warning more descriptive
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop whinges
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Set title with original test path if no profile name or title provided
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop whinges
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
When configuring a profile dependency, if the dependent profile had a
hyphen in it, it would not properly match the default version constraint
of `>= 0`. This is because a hyphen indicates the version is a pre-release
version and proper version matching would require the constraint to also
be listed with a pre-release version string.
The proper solution is to use the `+` character instead which indicates
a build number, which is what the hyphen was meant to convey. In the
meantime, this change properly compares version strings as SemVer and
also adds tests.
Signed-off-by: Adam Leff <adam@leff.co>
PR #2216 introduced some new tests that use the old syntax that was
deprecated in #2235. This gets them in line and eliminates the
deprecation warnings.
Signed-off-by: Adam Leff <adam@leff.co>
Curl doesn't distinguish between them so need to use the sum of both as
the overall timeout.
fixes#2288
Signed-off-by: Brett Delle Grazie <brett.dellegrazie@gmail.com>
An nginx config may contain configuration settings that are quoted, such
as a map entry:
"~^\/opcache-api" 1;
The `nginx_conf` resource was failing to properly parse these.
Signed-off-by: Adam Leff <adam@leff.co>
The `toml` gem has a very strict version dependency on an old version
of parslet. This change switches us to use `tomlrb` instead which has
no direct dependencies. This will allow us to bump up to a later version
of parslet that has better error handling and insight into parser errors.
Signed-off-by: Adam Leff <adam@leff.co>
* Add non-halting exception support to resources
This adds two `Inspec::Exceptions` that can be used within resources to
either skip or fail a test without halting execution.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
`curl` expects a valid header per RFC 2616 when using the
`-H`/`--header` option. RFC 2616 declares header field/values
should be separated using a colon (`:`):
https://tools.ietf.org/html/rfc2616#section-4.2
Signed-off-by: Seth Chisamore <schisamo@chef.io>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Device-/Sharenames and Mountpoints on Linux may include whitespaces (\040), e.g. /etc/fstab entry like:
```//fileserver.corp.internal/Research\040&\040Development /mnt/Research\040&\040Development cifs OTHER_OPTS```
... results in a mount line like:
```//fileserver.corp.internal/Research & Development on /mnt/Research & Development type cifs (OTHER_OPTS)```
The Linux mount command replaces \040 with whitspace automatically, so this should be tributed.
I used a control like this:
```
describe mount('/mnt/Research & Development') do
it { should be_mounted }
its('device') { should eq '//fileserver.corp.internal/Research & Development' }
end
```
Before:
```
× whitespaces-1: Mount with whitespace within sharename and mountpoint. (1 failed)
✔ Mount /mnt/Research & Development should be mounted
× Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
expected: "//fileserver.corp.internal/Research & Development"
got: "//fileserver.corp.internal/Research"
(compared using ==)
```
After:
```
✔ whitespaces-01: Mount with whitespace within sharename and mountpoint.
✔ Mount /mnt/Research & Development should be mounted
✔ Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
```
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mounts_with_whitespaces: make lint happy
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: added parentheses as suggested by https://github.com/chef/inspec/pull/2257/files
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* Rename EC2-instance resources
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Add interim updates
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* testing for issue 82
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* completed integration for EC2 roles
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* adding in the beginning of the unit test for issue 82
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* Fix unit tests
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Add has_roles? examples
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Remove redundant gsub
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* corrected OpenStruct format
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* setting up variable for InstanceProfile
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* Updated the unit test so all variables are at the top
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* Fixed Rubocop issues that were detected
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* Updating README.md to include changes to aws_ec2
Signed-off-by: Simon Varlow <simon.varlow@d2l.com>
* Add failing IT for has_roles?
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Add negative IT and fix uncovered issue
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix Rubocop issue
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix integration test
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix Rubocop issues and unit tests
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Pin AWS dependency to '~> 2'
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Initial Commit
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* aws_iam_user uses lazy loading
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Disassociates convert call from list_users
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* A real-world working AwsIamUsers (#71)
* Add aws_iam_users
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Get an aws_iam_users integration test to pass
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix RuboCop issues and tests
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Improving code based on PR feedback
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* AWS IAM Users unit tests work with new lazy loading feature
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Fixes tests
Signed-off-by: aduric <adnan.duric@d2l.com>
* Users should only hold the returned user references, transfering responsibility to each user to fetch any details
Signed-off-by: aduric <adnan.duric@d2l.com>
* Create user details provider class
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Using details provider factory to delegate creation of detail providers, and updates tests
Signed-off-by: aduric <adnan.duric@d2l.com>
* Rubocop fixes
Signed-off-by: aduric <adnan.duric@d2l.com>
* Rename user details provider factory to initializer, and remove unnecessary instance variables
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Merge `login` and `login_automate` commands
This provides a single interface for logging into either Chef Automate
or Chef Compliance servers. Server type is evaluated at run time via
HTTP responses from designated endpoints.
This also moves the login logic from `Compliance::ComplianceCLI` to a
separate set of modules in `Compliance::API`. This removes logic from
Thor and allows for more in depth Unit testing.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove empty line below class definition
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add message to `raise CannotDetermineServerType`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Refactor `token_info` assignment
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove unnecessary rubocop disable
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `Login` module namespacing
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove mentions of login_automate and --usertoken
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `determine_server_type` to return a symbol
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add support for `login_automate` and `--usertoken`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fix encoding typo
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Address PR feedback
This does the following:
- Moves `CannotDetermineServerType` error to `.login`
- Changes methods that store configuration to return the configuration
- Moves user output to one location in `.login`
- Makes other small improvements
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Added CRAN resource to check R modules
control 'cran-1' do
impact 1.0
desc '
Ensure R module DBI is installed.
'
describe cpan('DBI') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cran resource: made lint happy, added negative unit test, removed unused arg perl_lib_path
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* Added CPAN resource to check Perl modules
control 'cpan-1' do
impact 1.0
desc '
Ensure Perl modules DBI and DBD::Pg are installed.
'
describe cpan('DBI') do
it { should be_installed }
end
describe cpan('DBD::Pg') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cpan resource: fixed unit test for non-installed module
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* new resource: elasticsearch resource, test cluster/node state
This is a new resource for testing an Elasticsearch cluster. It operates
by fetching the `_nodes` endpoint from a given Elasticsearch node and
collects data about each node in a cluster, even if there's only a
single node.
This work is based on inspiration from an initial PR #1956 submitted by
@rx294.
Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Adam Leff <adam@leff.co>
* Reduce mock data on non-default tests
Signed-off-by: Adam Leff <adam@leff.co>
* Adds alias for 'ListDirectory' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Works with Ruby array of permissions as long as possible
Converts to PowerShell array just before use.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Abstracts user-provided permissions to router method
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds FullControl as a specifiable permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds specific permission 'modify'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes#1743
Limits Windows' broad "read" permission to if it can read all of the
above, instead of just the first:
- File contents
- File attributes
- File extended attributes
- File permissions
This better aligns with how Windows names the permissions.
'read' -> Read instead of 'read' -> ReadData
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* 'Execute' Windows ACL has alias of 'Traverse'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds 'Delete' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds `should allow('perm').by_user('me')` matcher
Provides hooks for later use with Windows ACL matching
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds remaining Windows ACL hooks
Skips ReadAndExecute on intentionally since it just aliases the combo of
2 permissions into one new one.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* [Rubocop] Reduces ABC / Cyclomatic complexity
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Reduces global scope with `allows()` -> `be_allowed()`
RSpec inferred matchers work nicely here. This changes the `by_user()`
and `by()` chained matchers to just be an options hash on the underlying
`allowed?()` method.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes integration tests with rename `allows()` -> `be_allowed()`
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fix `only_if` behavior when used outside controls
This renames `@skip_profile` to `@skip_file` and modifies the scope of
`only_if` (used outside of a control) to only apply to the control file
that contains it instead of the entire profile.
This does this by exposing `@skip_file` from the control context so that
it can be set back to `false` between loading control files in the
profile context.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `get_checks` to accept a rule index
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `only_if` to work regardless of location
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Disable Cyclomatic/Perceived Complexity in Rubocop
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add comment for `skip_file` in `load_control_file`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Terraform now requires init to fetch providers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rename env terraform command to workspace
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Pin Terraform version to reflect CLI updates
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Support PAX-formatted tar files, standardize file lists
When a tar file is generated in PAX format, the files have an additional
relative path prefix added to them. For example, instead of:
inspec.yml
... the file is listed as:
./inspec.yml
And the source reader plugin looks only for a "inspec.yml" file to
determine the profile format.
This change addresses this issue by normalizing the file paths in the
TarReader and accounting for the additional "./" prefix that may exist
whenever the tar file is walked looking for a file to read its content.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove pax from unit test, will move to functional
Signed-off-by: Adam Leff <adam@leff.co>
* Add function test for the pax header tar file
Signed-off-by: Adam Leff <adam@leff.co>
* Uses netstat to detect open ports on AIX
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Adds unit tests for AIX port resource
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Move raise condition for host into enabled method
This is related to #1205. This will fix the ssl resource for now until
we redo the exceptions. Still looking around the code and need to build
some unit tests for the ssl resource.
My fix here is to move the raise condition till later in the flow,
specifically the enabled? method. This lets the raise get caught
accordingly without killing the other tests.
Signed-off-by: Jared Quick <jquick@chef.io>
* Remove authors from ssl resource test
Signed-off-by: Jared Quick <jquick@chef.io>
This change enhances the processes resource to support the busybox
ps command which is common on Alpine, for example. The way we
map ps fields to the structs needed by FilterTable have also been
refactored to be more flexible so we can support multiple formats
in the future.
Also, the processes resource now allows the grep argument to be optional
thus allowing a user to query all resources without passing in a
match-all regex.
Signed-off-by: Adam Leff <adam@leff.co>
As detected in #2036, it is not possible to extract values from
a YAML file if the key is a symbol. This change refactors ObjectTraverser
to support symbol keys before attempting to stringify them.
Signed-off-by: Adam Leff <adam@leff.co>
* Add nil check for sshd config file
This fixes#1778. There was a issue where if the user did not have read
permissions on /etc/ssh/sshd_config it would error out on the empty?
check. The fix here is to also look for nil on the file content. Along
with this I refactored the inspec file empty? check as it does not exist
and was also erroring during my testing.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add emptyfile test object and refactor tests
Signed-off-by: Jared Quick <jquick@chef.io>
Currently, the http resource always executes locally, even when scanning
a remote machine with `--target` which leads to undesireable behavior.
This change adds the ability to remotely execute tests with curl. This
behavior is currently opt-in with the `enable_remote_worker` flag, but
will become the default behavior in InSpec 2.0. Deprecation warnings
are emitted if the user is scanning a remote target but has not opted
in to the new behavior.
Signed-off-by: Adam Leff <adam@leff.co>
* Added output for port/protocol for host resource.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with explicit return
This fixes#2085. Port and protocol are now shown in output of the host
resource if defined.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with string building return
Signed-off-by: Jared Quick <jquick@chef.io>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resourec - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications made
* installed? method now tells by checking if firewall-cmd is a command on the system
* The firewalld_command method now strips the stdout of the return
* added another test for testing multiple active zones
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing rake lint issue
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing match and returning boolean for seeing if firewalld is running
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing lint issues
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Empty commit to rerun. Accidentally updated branch.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Rerunning test, accidentally updated branch. needs sign off commit
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Add hotfix resource for Windows
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Renamed hotfix to windows_hotfix
Added additional unit test checking for KB that is not present on a box
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Integration test to spot-check for hotfixes
Queries the Windows operating system via Powershell for a list of all
installed hotfixes and spot-checks every 10th one with the
windows_hotfix resource. Checking hundreds is time-consuming. Also
checks to ensure a non-installed hotfix is not present.
Signed-off-by: Matt Ray <matthewhray@gmail.com>
Wildcards are evaluated prior to applying `sudo` permissions. This
means that running `sudo find /some/path/*.conf` will fail if the user
does not have read permissions on `/some/path/` because the wildcard
cannot expand before `sudo` is applied and `*.conf` isn't a file.
The solution for this is to run the command in a subshell that has the
proper permissions (e.g. `sudo sh -c 'find /some/path/*.conf'`).
This modifies `Utils::FindFiles` to use a subshell thus allowing
wildcard support.
This fixes#2157
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This modifies `Inspec::DirProvider` to allow special characters in the
file glob by escaping those characters via `Shellwords.shellescape`.
This fixes#2111 (`inspec check` on path with special characters)
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* forgiving default attributes
When default attributes arent specified provide one that is much more forgiving.
See this https://github.com/chef/inspec/issues/2176
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This modifies the enabled check for the `service` resource to use the
service's config file instead of `initctl show-config`.
`initctl show-config` does not accurately show the state of a service if
that service's config file is modified while the service is running.
This fixes#1834.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
The logic in `Inspec::Attribute` prohibited the use of `false` (FalseClass) as
a valid attribute. If the attribute value supplied was `false`, then it would fall
back to the default value.
This change properly allows the use of `false` as a value, adds the initial tests
for Inspec::Attribute, and also uses better attr_writer semantics for writing/storing
the value.
Signed-off-by: Adam Leff <adam@leff.co>
Users cannot query for registry keys that have periods in them because of
how rspec-its works. This change enables Array-style syntax for the
registry_key resource so users can use that as a workaround.
Signed-off-by: Adam Leff <adam@leff.co>
* Added auditd resource and documentation.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Removed all legacy code for audit < 2.3. Removed parens to create consistency.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated method names and removed unnecessary content based on review
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Add wildcard/multiple server support to nginx_conf
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* separate the merge function for maps in nginx_conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Support profile versions for automate profiles storage
Signed-off-by: Alex Pop <apop@chef.io>
* Add unit tests for inspec-compliance bundle
Signed-off-by: Alex Pop <apop@chef.io>
* Refactor target_url method, fix tests, fix rubocop errors
Signed-off-by: Adam Leff <adam@leff.co>
* package resource: assume a default Homebrew path
Homebrew's `brew` script is installed to /usr/local/bin by default which
is usually not in a non-interactive PATH. We will now first check to see
if `brew` is in PATH, and if not, assume a default of `/usr/local/bin/brew`
Signed-off-by: Adam Leff <adam@leff.co>
* Ignore linked container names when parsing docker containers
If a container is linked to another container, the normal `docker ps` output
does not include this information. However, when pulling the `.Names` field
with `docker ps --format`, the linked container is listed in the name. This
is confusing for users trying to use InSpec to audit a container.
This change strips any linked container names from the actual container name.
Signed-off-by: Adam Leff <adam@leff.co>
* Linked container names aren't guaranteed to be last depending on how they were linked
Signed-off-by: Adam Leff <adam@leff.co>
* Adding support for fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to docs of new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* wip: extend nginx_conf for http+servers+locations
... well `http` entries really, but we couldnt just call it `https`.
the goal is to `nginx_conf.http` / `nginx_conf.servers` / `nginx_conf.locations` and then also have these calls cascaded down to simplify the access to these fields. the current pattern is rather tedious since we need to check for nil everywhere.
* add test for new nginx accessors
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add docs for nginx-conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* fix all incorrect NGINX spellings in docs
* prevent edge-cases where nginx params are nil
for location, http, and servers
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* more descriptive to_s for nginx servers
as suggested by @adamleff, thank you!
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add more descriptive to_s for nginx location
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Remove test/resources directory, update README
The test/resources directory is stale and no longer used. Rather, we
favor Test Kitchen-backed integration tests in test/integration.
This change removes the stale tests and updates the README accordingly.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove resources tests from travis
Signed-off-by: Adam Leff <adam@leff.co>
* Modify linux regular expression to handle process names with spaces
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Add mocks, tests, etc.
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* TDD Red for setgid/setuid/sticky File matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add documentation for file resource sgid, sticky, and suid matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add matchers to File for setgid, setuid, and sticky by aliasing existing predicates; TDD green
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop prefers alias to alias_method.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Lint before pushing, of course
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Correct spelling of setgid and setuid matchers in docs
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add be_setgid, be_setuid, be_sticky matcher integration tests for File.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here."
This reverts commit 42e672f3b1.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "TDD Red for setgid/setuid/sticky File matchers"
This reverts commit a4f891fc7e.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add support for XML files
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* Use REXML instead of nokogiri
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* port resource: support ss instead of netstat
`netstat` is officially deprecated and is replaced with `ss`. This PR
changes the port resource to use `ss` if it's available on the target
system.
Signed-off-by: Adam Leff <adam@leff.co>
* Disable Metrics/ClassLength cop on the LinuxPorts class
Signed-off-by: Adam Leff <adam@leff.co>
* Update pip resource for #516 allow user to set path to pip executable
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* support virtualenv path, pip file exec and better logic
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* add tests for the change to the pip path and resource
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* tests are case sensitive, although command line is not
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use a path verification method instead of a class method
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use guard clauses instead of conditionals
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* change the control flow to return nil when commands are not available
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* fix the return values when custom pip path is not valid
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* Refactor pip path detection to fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>
* Support mixed-case group entries
The `group` resource downcased the input parameter unless the target
was a Windows node. However, it's completely legitimate for a Unix-y
node to have mixed case group and passwd entries.
This change does have the potential to break people that did not carefully
match their case when searching for a group, but we're currently blocking
people from using the group resource properly if they have mixed-case
entries.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>
* Added line to fix bug when no key in file rule and updated test to validate bug fix
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to consider corner case
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Filter check output based on sensitive flag
-Updated check in formatters to filter check output during failures based on
sensitive metadata flag
-Added functional test of output filtering
-Updated documentation with blerb on usage
* Update output format for sensitive resources
Signed-off-by: Kevin Formsma <kevin.formsma@gmail.com>
* Update color output on new test
Update the color output to match the newly-expected non-color format if there are no tests that match.
Signed-off-by: Adam Leff <adam@leff.co>
* Added aide_conf resource and subsequent files
* Updated to match on all selection lines
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Changed to use CommentParser and fixed typo
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Fix typo in test file
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to address PR feedback
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Refine the profile/test summary output of the CLI formatter
* The "Profile Summary" is misleading as it's not a summary of profile
success/failure but rather the controls within the profile(s). Altered
the output to be clear. I still like calling it the "profile summary"
but wanted to add clarity that the numbers are about the controls.
* Made the colorized output dynamic. The success/failure will only be
green/red if there are controls/tests that fall into that category.
That way we are not printing red failure text when there are no
actual failures. Fixes#1752.
* Cleaned up some grammar issues. ("1 failure" vs "1 failures")
Signed-off-by: Adam Leff <adam@leff.co>
* check the proper field for dpkg installation state fixes#2006
Signed-off-by: Mathieu Sauve-Frankel <msf@kisoku.net>
* Properly handle held packages on dpkg-flavored OS
InSpec was looking at the wrong field in `dpkg -s` output to determine
whether a package was installed or not. An installed, held package was
incorrectly reported as uninstalled.
This adds the proper unit tests and also adds a `be_held` matcher.
Thanks to @kisoku for the initial work in #2007.
Signed-off-by: Adam Leff <adam@leff.co>
With last weeks tag fix, `ourorg/container` ended up having its `repo` reported as `container`.
With this it'll be `ourorg/container` again.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Train 0.26.1 fixes a bug where missing mocked commands would return
a zero exit code. This resulted in some unit tests failing due to
missing mocked commands.
Signed-off-by: Adam Leff <adam@leff.co>
* Add aws_iam_users
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Adding Filter table and Collect User Details to aws_iam_users.rb
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Get an aws_iam_users integration test to pass
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix RuboCop issues and tests
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Improving code based on PR feedback
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* New matcher 'be_in'
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* small fixes to wording.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Added code to use be_in for with the following use case:
describe nginx do
its(module_list) { should be_in AUTHORIZED_MODULE_LIST }
end
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Updates to the matcher
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Added tests for the be_in matcher
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Requested updates completed
Signed-off-by: Rony Xavier <rx294@nyu.edu>
The fix is already provided here: https://github.com/chef/inspec/pull/2040
This PR only adds a unit test to catch it
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* bugfix: empty file strings from archive readers
Empty files in archives are sometimes possible (we just ran into this with TGZ), but is never a valid file to extract. So remove it and discount it altogether. Changed structure to support testing of these global calls.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* lint and rebuild
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
If a profile has a data files directory that looks like this:
```
files/platforms/one/data.json
files/platforms/two/data.json
files/platforms/three/data.json
```
... the source reader will return the directories in the list of files but with
nil contents. This causes an issue when Inspec::Profile tries to create a sha256
checksum of the profile contents only to try to cast nil to a string when
building the null-delimited profile contents string.
Files that are empty will have an empty string as its contents, so it's safe to
assume that file entries with nil contents are actually a directory and have no
affect on the profile's checksum. Therefore, this change will eliminate any file
entries in responses from the source readers where the contents are nil.
Signed-off-by: Adam Leff <adam@leff.co>
* Change host resource to use getent ahosts on Linux
In InSpec 1.31, we changed the `host` resource to use `dig` instead of `getent
hosts` for name resolution because `getent hosts` does not return all entries
(only the first v6 entry if it exists, then the first v4 entry) and we wanted to
keep the Darwin and Linux implementation as close as possible. Unfortunately,
this affected users' ability to do resolution checks for entried stored in their
/etc/hosts file.
This change goes back to using `getent` for Linux and changes to `getent ahosts`
which returns both v4 and v6 records. Additionally, the Darwin provider's dig
implementation was reordered to return v4 addresses before v6 addresses to be
consistent with how `getent ahosts` returns records.
Signed-off-by: Adam Leff <adam@leff.co>
* Update unit tests for resolve_with_getent with proper output
Signed-off-by: Adam Leff <adam@leff.co>
The logic used to determine whether a viable netcat binary exists is wrong and
prevents Linux hosts from doing TCP reachability checks.
Signed-off-by: Adam Leff <adam@leff.co>
CoreOS is considered a member of the Linux family, and the `host` resource tries
to use `nc` on Linux hosts to test TCP reachability. Unfortunately, `nc` is not
available on CoreOS, but `ncat` is.
This change attempts to use `nc` first, then `ncat` if it's available.
Signed-off-by: Adam Leff <adam@leff.co>
* Run linter on unit tests
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Bring remaining unit tests up to spec with rubocop
Signed-off-by: sfreeman <Steffanie.Freeman@d2l.com>
* Fix host resolution on Darwin, use dig wherever possible
The `host` and `dig` commands do not return non-zero if a query returns NXDOMAIN
or NOERROR, but the DarwinHostProvider was expecting it when deciding whether to
fall back to IPv4 if a IPv6 query failed. Therefore, the `host` resource would
not function properly when resolving hostnames on Darwin. The logic has been
changed to use `dig` short output and query for both v6 and v4 addresses.
Additionally, the LinuxHostProvider has been modified to prefer `dig` if it's
available to keep behavior similar between Darwin and Linux whenever possible.
This has the added benefit of providing v6 and v4 resolution if possible where
`getent hosts` only returns v6 if v6 records exist.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix up methods, add command mock, do string matching in ruby instead of command
Fixes#1643Fixes#1673
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* fixed a small courner case in the error detection - error: vs error
fixed resource to use 'shellwords' module to escape the query
requested chances in method architecture for testing
added unit tests
Fixes: #1814
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* updated resource and tests with requested review changes
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed unneeded call to `escaped_query` in the `create_sql_cmd`.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed license info
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Remove any "All Rights Reserved" references
InSpec is licensed and released under the Apache 2.0 license. This
change removes all reference to legacy code files that still had
any Copyright or License lines referring to "All Rights Reserved".
Signed-off-by: Adam Leff <adam@leff.co>
* fix functional tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
The resource itself only offers contents and params right now. It resolved
all include calls it can find and creates the aggregated config object.
This is limited in functionality. One last (set of) PR(s) is needed to
add an interface that makes querying this config file easier. It is due
to the file's inherent complexity that I want to explore which methods
are needed to be effective. In the meantime, this resource offers accessors
to the underlying data that are stable.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
For cleanliness and ease of testing, I've moved the logic that
parses the server version from the compliance config to a
separate method.
Signed-off-by: Adam Leff <adam@leff.co>
Net::HTTP does not gracefully handle HTTP options/headers
that have nil values. This updates Fetchers::Url to verify
that all headers we attempt to configure have non-nil,
non-empty values.
This originally surfaced via the audit cookbook with the
chef-automate fetcher in use without the data_collector
token being set.
Signed-off-by: Adam Leff <adam@leff.co>
* Adding toml resource
This adds a `toml` resource that inherits from the json resource and
behaves the same way as the JSON and YAML resources.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
* s/package/service/ on service unit test descriptions
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Add support for CoreOS to the service resource
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Remove some apparently unused test setup to remove some warnings.
* Initialize some instance variables before use to silence warnings.
* Remove an unused variable to remove a warning.
* Remove some indirection.
* Silence logger during tests.
* Check if an instance variable was defined before referencing to remove a warning.
* Define duplicated constant once in root rakefile.
* Initialize an instance variable to remove a warning.
* Remove PROJECT_DIR to reduce coupling.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
The is_automate_server_pre_080? and is_automate_server_080_and_later?
methods needed some fixing. The Compliance configuration could have
a "version" key that was not nil but was an empty hash, indicating
that it came from a pre-0.8.x Automate server. What we really need
to look for is config['version']['version'] being nil?.
Signed-off-by: Adam Leff <adam@leff.co>
* Adding resource aws_iam_root_user
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Adding to_s method to class aws_iam_root_user
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Cleaner to_s result for aws_iam_root_user
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Add query for password_reuse_prevention to iam_password_policy
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Use mock over stub, and more concise language for tests in aws_iam_password_policy
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Rename method prevent_password_reuse to prevents_password_reuse
Signed-off-by: Miles Tjandrawidjaja <miles@tjandrawidjaja.com>
* Add access_keys method to aws_iam_user
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix unit test that accessed AWS
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Incorporate PR feedback
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Fix unit tests
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Update tests based on PR feedback
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
* Rebase to master
Signed-off-by: Chris Redekop <chris.redekop@d2l.com>
Due to limitations in Thor it is not possible to set an argument to be both optional and its value to be mandatory. E.g. the user supplying the --password argument is optional and not always required, but whenever it is used, it requires a value. Handle options that were defined with mandatory values in a way that fails with an `ArgumentError` if the value is missing, i.e.:
```
> inspec exec examples/profile --password
ArgumentError: Please provide a value for --password. For example: --password=hello.
```
It works without `--password` or with `--password=arg`. Also handled for `--sudo-password`.
Fixes: https://github.com/chef/inspec/issues/1901
As suggested: https://github.com/chef/inspec/pull/1904
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>