* Added line to fix bug when no key in file rule and updated test to validate bug fix
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to consider corner case
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Filter check output based on sensitive flag
-Updated check in formatters to filter check output during failures based on
sensitive metadata flag
-Added functional test of output filtering
-Updated documentation with blerb on usage
* Update output format for sensitive resources
Signed-off-by: Kevin Formsma <kevin.formsma@gmail.com>
* Update color output on new test
Update the color output to match the newly-expected non-color format if there are no tests that match.
Signed-off-by: Adam Leff <adam@leff.co>
* Added aide_conf resource and subsequent files
* Updated to match on all selection lines
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Changed to use CommentParser and fixed typo
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Fix typo in test file
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to address PR feedback
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Refine the profile/test summary output of the CLI formatter
* The "Profile Summary" is misleading as it's not a summary of profile
success/failure but rather the controls within the profile(s). Altered
the output to be clear. I still like calling it the "profile summary"
but wanted to add clarity that the numbers are about the controls.
* Made the colorized output dynamic. The success/failure will only be
green/red if there are controls/tests that fall into that category.
That way we are not printing red failure text when there are no
actual failures. Fixes#1752.
* Cleaned up some grammar issues. ("1 failure" vs "1 failures")
Signed-off-by: Adam Leff <adam@leff.co>
* check the proper field for dpkg installation state fixes#2006
Signed-off-by: Mathieu Sauve-Frankel <msf@kisoku.net>
* Properly handle held packages on dpkg-flavored OS
InSpec was looking at the wrong field in `dpkg -s` output to determine
whether a package was installed or not. An installed, held package was
incorrectly reported as uninstalled.
This adds the proper unit tests and also adds a `be_held` matcher.
Thanks to @kisoku for the initial work in #2007.
Signed-off-by: Adam Leff <adam@leff.co>
With last weeks tag fix, `ourorg/container` ended up having its `repo` reported as `container`.
With this it'll be `ourorg/container` again.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
Train 0.26.1 fixes a bug where missing mocked commands would return
a zero exit code. This resulted in some unit tests failing due to
missing mocked commands.
Signed-off-by: Adam Leff <adam@leff.co>
* New matcher 'be_in'
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* small fixes to wording.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Added code to use be_in for with the following use case:
describe nginx do
its(module_list) { should be_in AUTHORIZED_MODULE_LIST }
end
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Updates to the matcher
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Added tests for the be_in matcher
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Requested updates completed
Signed-off-by: Rony Xavier <rx294@nyu.edu>
The fix is already provided here: https://github.com/chef/inspec/pull/2040
This PR only adds a unit test to catch it
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* bugfix: empty file strings from archive readers
Empty files in archives are sometimes possible (we just ran into this with TGZ), but is never a valid file to extract. So remove it and discount it altogether. Changed structure to support testing of these global calls.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* lint and rebuild
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
If a profile has a data files directory that looks like this:
```
files/platforms/one/data.json
files/platforms/two/data.json
files/platforms/three/data.json
```
... the source reader will return the directories in the list of files but with
nil contents. This causes an issue when Inspec::Profile tries to create a sha256
checksum of the profile contents only to try to cast nil to a string when
building the null-delimited profile contents string.
Files that are empty will have an empty string as its contents, so it's safe to
assume that file entries with nil contents are actually a directory and have no
affect on the profile's checksum. Therefore, this change will eliminate any file
entries in responses from the source readers where the contents are nil.
Signed-off-by: Adam Leff <adam@leff.co>
* Change host resource to use getent ahosts on Linux
In InSpec 1.31, we changed the `host` resource to use `dig` instead of `getent
hosts` for name resolution because `getent hosts` does not return all entries
(only the first v6 entry if it exists, then the first v4 entry) and we wanted to
keep the Darwin and Linux implementation as close as possible. Unfortunately,
this affected users' ability to do resolution checks for entried stored in their
/etc/hosts file.
This change goes back to using `getent` for Linux and changes to `getent ahosts`
which returns both v4 and v6 records. Additionally, the Darwin provider's dig
implementation was reordered to return v4 addresses before v6 addresses to be
consistent with how `getent ahosts` returns records.
Signed-off-by: Adam Leff <adam@leff.co>
* Update unit tests for resolve_with_getent with proper output
Signed-off-by: Adam Leff <adam@leff.co>
The logic used to determine whether a viable netcat binary exists is wrong and
prevents Linux hosts from doing TCP reachability checks.
Signed-off-by: Adam Leff <adam@leff.co>
CoreOS is considered a member of the Linux family, and the `host` resource tries
to use `nc` on Linux hosts to test TCP reachability. Unfortunately, `nc` is not
available on CoreOS, but `ncat` is.
This change attempts to use `nc` first, then `ncat` if it's available.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix host resolution on Darwin, use dig wherever possible
The `host` and `dig` commands do not return non-zero if a query returns NXDOMAIN
or NOERROR, but the DarwinHostProvider was expecting it when deciding whether to
fall back to IPv4 if a IPv6 query failed. Therefore, the `host` resource would
not function properly when resolving hostnames on Darwin. The logic has been
changed to use `dig` short output and query for both v6 and v4 addresses.
Additionally, the LinuxHostProvider has been modified to prefer `dig` if it's
available to keep behavior similar between Darwin and Linux whenever possible.
This has the added benefit of providing v6 and v4 resolution if possible where
`getent hosts` only returns v6 if v6 records exist.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix up methods, add command mock, do string matching in ruby instead of command
Fixes#1643Fixes#1673
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* fixed a small courner case in the error detection - error: vs error
fixed resource to use 'shellwords' module to escape the query
requested chances in method architecture for testing
added unit tests
Fixes: #1814
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* updated resource and tests with requested review changes
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed unneeded call to `escaped_query` in the `create_sql_cmd`.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed license info
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Remove any "All Rights Reserved" references
InSpec is licensed and released under the Apache 2.0 license. This
change removes all reference to legacy code files that still had
any Copyright or License lines referring to "All Rights Reserved".
Signed-off-by: Adam Leff <adam@leff.co>
* fix functional tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
The resource itself only offers contents and params right now. It resolved
all include calls it can find and creates the aggregated config object.
This is limited in functionality. One last (set of) PR(s) is needed to
add an interface that makes querying this config file easier. It is due
to the file's inherent complexity that I want to explore which methods
are needed to be effective. In the meantime, this resource offers accessors
to the underlying data that are stable.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
For cleanliness and ease of testing, I've moved the logic that
parses the server version from the compliance config to a
separate method.
Signed-off-by: Adam Leff <adam@leff.co>
Net::HTTP does not gracefully handle HTTP options/headers
that have nil values. This updates Fetchers::Url to verify
that all headers we attempt to configure have non-nil,
non-empty values.
This originally surfaced via the audit cookbook with the
chef-automate fetcher in use without the data_collector
token being set.
Signed-off-by: Adam Leff <adam@leff.co>
* Adding toml resource
This adds a `toml` resource that inherits from the json resource and
behaves the same way as the JSON and YAML resources.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
* s/package/service/ on service unit test descriptions
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Add support for CoreOS to the service resource
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Remove some apparently unused test setup to remove some warnings.
* Initialize some instance variables before use to silence warnings.
* Remove an unused variable to remove a warning.
* Remove some indirection.
* Silence logger during tests.
* Check if an instance variable was defined before referencing to remove a warning.
* Define duplicated constant once in root rakefile.
* Initialize an instance variable to remove a warning.
* Remove PROJECT_DIR to reduce coupling.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
The is_automate_server_pre_080? and is_automate_server_080_and_later?
methods needed some fixing. The Compliance configuration could have
a "version" key that was not nil but was an empty hash, indicating
that it came from a pre-0.8.x Automate server. What we really need
to look for is config['version']['version'] being nil?.
Signed-off-by: Adam Leff <adam@leff.co>
Due to limitations in Thor it is not possible to set an argument to be both optional and its value to be mandatory. E.g. the user supplying the --password argument is optional and not always required, but whenever it is used, it requires a value. Handle options that were defined with mandatory values in a way that fails with an `ArgumentError` if the value is missing, i.e.:
```
> inspec exec examples/profile --password
ArgumentError: Please provide a value for --password. For example: --password=hello.
```
It works without `--password` or with `--password=arg`. Also handled for `--sudo-password`.
Fixes: https://github.com/chef/inspec/issues/1901
As suggested: https://github.com/chef/inspec/pull/1904
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
`must_equal nil` will fail in MiniTest 6. Changing those to `must_be_nil`
quiets down all the warnings we currently see and preps us for Minitest 6.
Signed-off-by: Adam Leff <adam@leff.co>
* Add TCP reachability support on Linux for host resource
This enhances the `host` resource on Linux targets by using netcat
(if installed) to perform TCP reachability checks.
Signed-off-by: Adam Leff <adam@leff.co>
* documentation updates
Signed-off-by: Adam Leff <adam@leff.co>
* Appease rubocop
Signed-off-by: Adam Leff <adam@leff.co>
Generated duplicate messages due to the way that examples are aggregated in RSpec. Make sure we never show any duplicate test result messages, as they offer not value to any user.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
The Compliance::API.version method could potentially return
a hash containing no "version" key but would return an empty
hash upon any expected failure. Downstream callers of the
Compliance::API.version method were looking for a "version"
key to always be present when, in some cases, it would not be.
This change ensures that if a version is not available, there
is no "version" key in the hash, and downstream callers of this
method have been changed to check for nil instead of empty.
Signed-off-by: Adam Leff <adam@leff.co>
* add bitbucket repo url handling
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* backout changes to .gitignore
* adding unit tests for bitbucket url transformers
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* fixing some indents
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* fix some indents
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
