* allow users to configure the profiles namespace
By default it uses the username of the user that is logged into the system. However, the user can now specify the `--user` on the cli to list profiles from a user other than his own domain.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* allow users to provide owner for profile listing and uploading
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* use config only
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* Add non-halting exception support to resources
This adds two `Inspec::Exceptions` that can be used within resources to
either skip or fail a test without halting execution.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
`curl` expects a valid header per RFC 2616 when using the
`-H`/`--header` option. RFC 2616 declares header field/values
should be separated using a colon (`:`):
https://tools.ietf.org/html/rfc2616#section-4.2
Signed-off-by: Seth Chisamore <schisamo@chef.io>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Device-/Sharenames and Mountpoints on Linux may include whitespaces (\040), e.g. /etc/fstab entry like:
```//fileserver.corp.internal/Research\040&\040Development /mnt/Research\040&\040Development cifs OTHER_OPTS```
... results in a mount line like:
```//fileserver.corp.internal/Research & Development on /mnt/Research & Development type cifs (OTHER_OPTS)```
The Linux mount command replaces \040 with whitspace automatically, so this should be tributed.
I used a control like this:
```
describe mount('/mnt/Research & Development') do
it { should be_mounted }
its('device') { should eq '//fileserver.corp.internal/Research & Development' }
end
```
Before:
```
× whitespaces-1: Mount with whitespace within sharename and mountpoint. (1 failed)
✔ Mount /mnt/Research & Development should be mounted
× Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
expected: "//fileserver.corp.internal/Research & Development"
got: "//fileserver.corp.internal/Research"
(compared using ==)
```
After:
```
✔ whitespaces-01: Mount with whitespace within sharename and mountpoint.
✔ Mount /mnt/Research & Development should be mounted
✔ Mount /mnt/Research & Development device should eq "//fileserver.corp.internal/Research & Development"
```
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mounts_with_whitespaces: make lint happy
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: added parentheses as suggested by https://github.com/chef/inspec/pull/2257/files
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* mount resource: fix for Device-/Sharenames and Mountpoints including whitespaces
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
This allows a user to specify an Automate server without prepending
`https://`. Without this, anything using the `url` fetcher will fail
because `open` doesn't interpret the argument as a URL.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Merge `login` and `login_automate` commands
This provides a single interface for logging into either Chef Automate
or Chef Compliance servers. Server type is evaluated at run time via
HTTP responses from designated endpoints.
This also moves the login logic from `Compliance::ComplianceCLI` to a
separate set of modules in `Compliance::API`. This removes logic from
Thor and allows for more in depth Unit testing.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove empty line below class definition
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add message to `raise CannotDetermineServerType`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Refactor `token_info` assignment
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove unnecessary rubocop disable
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `Login` module namespacing
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove mentions of login_automate and --usertoken
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `determine_server_type` to return a symbol
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add support for `login_automate` and `--usertoken`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Fix encoding typo
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Address PR feedback
This does the following:
- Moves `CannotDetermineServerType` error to `.login`
- Changes methods that store configuration to return the configuration
- Moves user output to one location in `.login`
- Makes other small improvements
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Added CRAN resource to check R modules
control 'cran-1' do
impact 1.0
desc '
Ensure R module DBI is installed.
'
describe cpan('DBI') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cran resource: made lint happy, added negative unit test, removed unused arg perl_lib_path
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* Added CPAN resource to check Perl modules
control 'cpan-1' do
impact 1.0
desc '
Ensure Perl modules DBI and DBD::Pg are installed.
'
describe cpan('DBI') do
it { should be_installed }
end
describe cpan('DBD::Pg') do
it { should be_installed }
its('version') { should cmp >= '3.0' }
end
end
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* cpan resource: fixed unit test for non-installed module
Signed-off-by: Markus Grobelin <grobi@koppzu.de>
* new resource: elasticsearch resource, test cluster/node state
This is a new resource for testing an Elasticsearch cluster. It operates
by fetching the `_nodes` endpoint from a given Elasticsearch node and
collects data about each node in a cluster, even if there's only a
single node.
This work is based on inspiration from an initial PR #1956 submitted by
@rx294.
Signed-off-by: Rony Xavier <rx294@nyu.edu>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Signed-off-by: Adam Leff <adam@leff.co>
* Reduce mock data on non-default tests
Signed-off-by: Adam Leff <adam@leff.co>
* Adds alias for 'ListDirectory' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Works with Ruby array of permissions as long as possible
Converts to PowerShell array just before use.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Abstracts user-provided permissions to router method
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds FullControl as a specifiable permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds specific permission 'modify'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes#1743
Limits Windows' broad "read" permission to if it can read all of the
above, instead of just the first:
- File contents
- File attributes
- File extended attributes
- File permissions
This better aligns with how Windows names the permissions.
'read' -> Read instead of 'read' -> ReadData
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* 'Execute' Windows ACL has alias of 'Traverse'
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds 'Delete' permission
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds `should allow('perm').by_user('me')` matcher
Provides hooks for later use with Windows ACL matching
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Adds remaining Windows ACL hooks
Skips ReadAndExecute on intentionally since it just aliases the combo of
2 permissions into one new one.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* [Rubocop] Reduces ABC / Cyclomatic complexity
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Reduces global scope with `allows()` -> `be_allowed()`
RSpec inferred matchers work nicely here. This changes the `by_user()`
and `by()` chained matchers to just be an options hash on the underlying
`allowed?()` method.
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
* Fixes integration tests with rename `allows()` -> `be_allowed()`
Signed-off-by: David Alexander <opensource@thelonelyghost.com>
Introduces a new `inspec habitat profile setup` command
which will set up an existing profile repository with all
the files necessary to build a Habitat package. This will
prime a repository to be used by the Habitat Builder service.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix `only_if` behavior when used outside controls
This renames `@skip_profile` to `@skip_file` and modifies the scope of
`only_if` (used outside of a control) to only apply to the control file
that contains it instead of the entire profile.
This does this by exposing `@skip_file` from the control context so that
it can be set back to `false` between loading control files in the
profile context.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `get_checks` to accept a rule index
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Modify `only_if` to work regardless of location
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Disable Cyclomatic/Perceived Complexity in Rubocop
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Add comment for `skip_file` in `load_control_file`
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* Remove a broken link.
Signed-off-by: Nathen Harvey <nharvey@chef.io>
* It is now 2017
While the content in this file was actually written in 2015, this
example is meant to be overwritten and is generated by the user in the
current year.
Signed-off-by: Nathen Harvey <nharvey@chef.io>
* Support PAX-formatted tar files, standardize file lists
When a tar file is generated in PAX format, the files have an additional
relative path prefix added to them. For example, instead of:
inspec.yml
... the file is listed as:
./inspec.yml
And the source reader plugin looks only for a "inspec.yml" file to
determine the profile format.
This change addresses this issue by normalizing the file paths in the
TarReader and accounting for the additional "./" prefix that may exist
whenever the tar file is walked looking for a file to read its content.
Signed-off-by: Adam Leff <adam@leff.co>
* Remove pax from unit test, will move to functional
Signed-off-by: Adam Leff <adam@leff.co>
* Add function test for the pax header tar file
Signed-off-by: Adam Leff <adam@leff.co>
* Uses netstat to detect open ports on AIX
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Adds unit tests for AIX port resource
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
* Updated so that the credentials file is only interogated if it exists
Fixes#39
Signed-off-by: Russell Seymour <russell.seymour@turtlesystems.co.uk>
* Made change to set credentials to nil as requested
Signed-off-by: Russell Seymour <russell.seymour@turtlesystems.co.uk>
Some object methods have been deprecated in v0.11.0 of the arm sdks.
This commit fixes the get_resources method by using the new resources
object instance method. We are also updating the Gemfile accordingly.
Signed-off-by: sanabriad <sanabria.d@gmail.com>
* Enhance cmp matcher to work with symbols
The `cmp` matcher will now stringify symbol actual values if the
expected value was passed in as a string. This will help with the file
resource `type` method where Train returns the file type as a symbol.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix documentation for file type character_device
Signed-off-by: Adam Leff <adam@leff.co>
* Fix docs for block_device
Signed-off-by: Adam Leff <adam@leff.co>
* Fix file mtime docs
Signed-off-by: Adam Leff <adam@leff.co>
* Move raise condition for host into enabled method
This is related to #1205. This will fix the ssl resource for now until
we redo the exceptions. Still looking around the code and need to build
some unit tests for the ssl resource.
My fix here is to move the raise condition till later in the flow,
specifically the enabled? method. This lets the raise get caught
accordingly without killing the other tests.
Signed-off-by: Jared Quick <jquick@chef.io>
* Remove authors from ssl resource test
Signed-off-by: Jared Quick <jquick@chef.io>
When running `inspec exec` with multiple profiles, such as:
inspec exec profile1 profile2
... profile1 control calls to `inspec.profile.file` will incorrectly
try to pull files from profile2 because the RuntimeProfile object
is stored on the backend object, and we share the backend object.
This change ensures each profile has a unique backend object to ensure
the RuntimeProfile instance is not overwritten.
Signed-off-by: Adam Leff <adam@leff.co>
This change enhances the processes resource to support the busybox
ps command which is common on Alpine, for example. The way we
map ps fields to the structs needed by FilterTable have also been
refactored to be more flexible so we can support multiple formats
in the future.
Also, the processes resource now allows the grep argument to be optional
thus allowing a user to query all resources without passing in a
match-all regex.
Signed-off-by: Adam Leff <adam@leff.co>
As detected in #2036, it is not possible to extract values from
a YAML file if the key is a symbol. This change refactors ObjectTraverser
to support symbol keys before attempting to stringify them.
Signed-off-by: Adam Leff <adam@leff.co>
* Add nil check for sshd config file
This fixes#1778. There was a issue where if the user did not have read
permissions on /etc/ssh/sshd_config it would error out on the empty?
check. The fix here is to also look for nil on the file content. Along
with this I refactored the inspec file empty? check as it does not exist
and was also erroring during my testing.
Signed-off-by: Jared Quick <jquick@chef.io>
* Add emptyfile test object and refactor tests
Signed-off-by: Jared Quick <jquick@chef.io>
Currently, the http resource always executes locally, even when scanning
a remote machine with `--target` which leads to undesireable behavior.
This change adds the ability to remotely execute tests with curl. This
behavior is currently opt-in with the `enable_remote_worker` flag, but
will become the default behavior in InSpec 2.0. Deprecation warnings
are emitted if the user is scanning a remote target but has not opted
in to the new behavior.
Signed-off-by: Adam Leff <adam@leff.co>
* Added output for port/protocol for host resource.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with explicit return
This fixes#2085. Port and protocol are now shown in output of the host
resource if defined.
Signed-off-by: Jared Quick <jquick@chef.io>
* refactor with string building return
Signed-off-by: Jared Quick <jquick@chef.io>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resourec - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource - firewalld
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Changing firewalld_command method to prepend the command with 'firewall-cmd' to reduce code reuse.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications made
* installed? method now tells by checking if firewall-cmd is a command on the system
* The firewalld_command method now strips the stdout of the return
* added another test for testing multiple active zones
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing rake lint issue
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing match and returning boolean for seeing if firewalld is running
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Fixing lint issues
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Empty commit to rerun. Accidentally updated branch.
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Rerunning test, accidentally updated branch. needs sign off commit
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Add hotfix resource for Windows
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Renamed hotfix to windows_hotfix
Added additional unit test checking for KB that is not present on a box
Signed-off-by: Matt Ray <matthewhray@gmail.com>
* Integration test to spot-check for hotfixes
Queries the Windows operating system via Powershell for a list of all
installed hotfixes and spot-checks every 10th one with the
windows_hotfix resource. Checking hundreds is time-consuming. Also
checks to ensure a non-installed hotfix is not present.
Signed-off-by: Matt Ray <matthewhray@gmail.com>
When using the `query` method in the `postgres_session` resource, if
the query fails, the `query` method attempts to call `skip_resource`
with an error message. Not only does the `skip_resource` not properly
work, but it also returns a `String` object back to the test which is
probably going to try and call the `output` method on it to run the test.
This results in an error like this:
```
Can't read
∅ undefined method `output' for "output":String
```
This change returns the full psql output as a Lines object to the
user, including stderr, so they can at least get the error in their
test output and avoids undefined method errors.
Signed-off-by: Adam Leff <adam@leff.co>
Wildcards are evaluated prior to applying `sudo` permissions. This
means that running `sudo find /some/path/*.conf` will fail if the user
does not have read permissions on `/some/path/` because the wildcard
cannot expand before `sudo` is applied and `*.conf` isn't a file.
The solution for this is to run the command in a subshell that has the
proper permissions (e.g. `sudo sh -c 'find /some/path/*.conf'`).
This modifies `Utils::FindFiles` to use a subshell thus allowing
wildcard support.
This fixes#2157
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This modifies `Inspec::DirProvider` to allow special characters in the
file glob by escaping those characters via `Shellwords.shellescape`.
This fixes#2111 (`inspec check` on path with special characters)
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* forgiving default attributes
When default attributes arent specified provide one that is much more forgiving.
See this https://github.com/chef/inspec/issues/2176
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This modifies the enabled check for the `service` resource to use the
service's config file instead of `initctl show-config`.
`initctl show-config` does not accurately show the state of a service if
that service's config file is modified while the service is running.
This fixes#1834.
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
The logic in `Inspec::Attribute` prohibited the use of `false` (FalseClass) as
a valid attribute. If the attribute value supplied was `false`, then it would fall
back to the default value.
This change properly allows the use of `false` as a value, adds the initial tests
for Inspec::Attribute, and also uses better attr_writer semantics for writing/storing
the value.
Signed-off-by: Adam Leff <adam@leff.co>
* Update method in which Pry hooks are removed
Pry 0.11 removed the clear_all method for removing all hooks. This change
updates the way we clear hooks for the events we care about.
Signed-off-by: Adam Leff <adam@leff.co>
Users cannot query for registry keys that have periods in them because of
how rspec-its works. This change enables Array-style syntax for the
registry_key resource so users can use that as a workaround.
Signed-off-by: Adam Leff <adam@leff.co>
The auditd_rules resource has been replaced by the auditd resource.
We are planning on removing the auditd_rules resource in InSpec 2.0.
This change will provide a warning to any user using the old resource.
Signed-off-by: Adam Leff <adam@leff.co>
* Added auditd resource and documentation.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Added unit tests for auditd resource and updated auditd_rules_test to match new entries in auditctl
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Removed all legacy code for audit < 2.3. Removed parens to create consistency.
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated method names and removed unnecessary content based on review
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Add wildcard/multiple server support to nginx_conf
Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
* separate the merge function for maps in nginx_conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Support profile versions for automate profiles storage
Signed-off-by: Alex Pop <apop@chef.io>
* Add unit tests for inspec-compliance bundle
Signed-off-by: Alex Pop <apop@chef.io>
* Refactor target_url method, fix tests, fix rubocop errors
Signed-off-by: Adam Leff <adam@leff.co>
* package resource: assume a default Homebrew path
Homebrew's `brew` script is installed to /usr/local/bin by default which
is usually not in a non-interactive PATH. We will now first check to see
if `brew` is in PATH, and if not, assume a default of `/usr/local/bin/brew`
Signed-off-by: Adam Leff <adam@leff.co>
* Ignore linked container names when parsing docker containers
If a container is linked to another container, the normal `docker ps` output
does not include this information. However, when pulling the `.Names` field
with `docker ps --format`, the linked container is listed in the name. This
is confusing for users trying to use InSpec to audit a container.
This change strips any linked container names from the actual container name.
Signed-off-by: Adam Leff <adam@leff.co>
* Linked container names aren't guaranteed to be last depending on how they were linked
Signed-off-by: Adam Leff <adam@leff.co>
* Adding support for fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* New Resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to new resource - etc_fstab
Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
* Modifications to docs of new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* Modifications to new resource etc_fstab
Signed-off-by: dromazmj <dromazmj@dukes.jmu.edu>
* wip: extend nginx_conf for http+servers+locations
... well `http` entries really, but we couldnt just call it `https`.
the goal is to `nginx_conf.http` / `nginx_conf.servers` / `nginx_conf.locations` and then also have these calls cascaded down to simplify the access to these fields. the current pattern is rather tedious since we need to check for nil everywhere.
* add test for new nginx accessors
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add docs for nginx-conf
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* fix all incorrect NGINX spellings in docs
* prevent edge-cases where nginx params are nil
for location, http, and servers
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* more descriptive to_s for nginx servers
as suggested by @adamleff, thank you!
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* add more descriptive to_s for nginx location
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Modify linux regular expression to handle process names with spaces
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Add mocks, tests, etc.
Signed-off-by: Chad Scott <cscott@chadikins.com>
* Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* TDD Red for setgid/setuid/sticky File matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add documentation for file resource sgid, sticky, and suid matchers
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add matchers to File for setgid, setuid, and sticky by aliasing existing predicates; TDD green
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Rubocop prefers alias to alias_method.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Lint before pushing, of course
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Correct spelling of setgid and setuid matchers in docs
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add be_setgid, be_setuid, be_sticky matcher integration tests for File.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here."
This reverts commit 42e672f3b1.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Revert "TDD Red for setgid/setuid/sticky File matchers"
This reverts commit a4f891fc7e.
Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
* Add support for XML files
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* Use REXML instead of nokogiri
Signed-off-by: Morley, Jonathan <jmorley@cvent.com>
* port resource: support ss instead of netstat
`netstat` is officially deprecated and is replaced with `ss`. This PR
changes the port resource to use `ss` if it's available on the target
system.
Signed-off-by: Adam Leff <adam@leff.co>
* Disable Metrics/ClassLength cop on the LinuxPorts class
Signed-off-by: Adam Leff <adam@leff.co>
* Update pip resource for #516 allow user to set path to pip executable
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* support virtualenv path, pip file exec and better logic
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* add tests for the change to the pip path and resource
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* tests are case sensitive, although command line is not
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use a path verification method instead of a class method
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* use guard clauses instead of conditionals
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* change the control flow to return nil when commands are not available
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* fix the return values when custom pip path is not valid
Signed-off-by: Anthony Shaw <anthonyshaw@apache.org>
* Refactor pip path detection to fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>
* Support mixed-case group entries
The `group` resource downcased the input parameter unless the target
was a Windows node. However, it's completely legitimate for a Unix-y
node to have mixed case group and passwd entries.
This change does have the potential to break people that did not carefully
match their case when searching for a group, but we're currently blocking
people from using the group resource properly if they have mixed-case
entries.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix unit tests
Signed-off-by: Adam Leff <adam@leff.co>
Currently, if you check two properties of a http resource, such as
status and body, two different http requests are made to the server.
However, the response is already stored in an instance variable, so this
change just checks to see if a response is already available and uses it
rather than making another http request.
Signed-off-by: Mark Harrison <mark@mivok.net>
* Added line to fix bug when no key in file rule and updated test to validate bug fix
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to consider corner case
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Filter check output based on sensitive flag
-Updated check in formatters to filter check output during failures based on
sensitive metadata flag
-Added functional test of output filtering
-Updated documentation with blerb on usage
* Update output format for sensitive resources
Signed-off-by: Kevin Formsma <kevin.formsma@gmail.com>
* Update color output on new test
Update the color output to match the newly-expected non-color format if there are no tests that match.
Signed-off-by: Adam Leff <adam@leff.co>
* Added aide_conf resource and subsequent files
* Updated to match on all selection lines
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Changed to use CommentParser and fixed typo
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Fix typo in test file
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Updated to address PR feedback
Signed-off-by: Jennifer Burns <jburns@mitre.org>
* Refine the profile/test summary output of the CLI formatter
* The "Profile Summary" is misleading as it's not a summary of profile
success/failure but rather the controls within the profile(s). Altered
the output to be clear. I still like calling it the "profile summary"
but wanted to add clarity that the numbers are about the controls.
* Made the colorized output dynamic. The success/failure will only be
green/red if there are controls/tests that fall into that category.
That way we are not printing red failure text when there are no
actual failures. Fixes#1752.
* Cleaned up some grammar issues. ("1 failure" vs "1 failures")
Signed-off-by: Adam Leff <adam@leff.co>
* check the proper field for dpkg installation state fixes#2006
Signed-off-by: Mathieu Sauve-Frankel <msf@kisoku.net>
* Properly handle held packages on dpkg-flavored OS
InSpec was looking at the wrong field in `dpkg -s` output to determine
whether a package was installed or not. An installed, held package was
incorrectly reported as uninstalled.
This adds the proper unit tests and also adds a `be_held` matcher.
Thanks to @kisoku for the initial work in #2007.
Signed-off-by: Adam Leff <adam@leff.co>
With last weeks tag fix, `ourorg/container` ended up having its `repo` reported as `container`.
With this it'll be `ourorg/container` again.
Signed-off-by: Stephan Renatus <srenatus@chef.io>
* New matcher 'be_in'
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* small fixes to wording.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Added code to use be_in for with the following use case:
describe nginx do
its(module_list) { should be_in AUTHORIZED_MODULE_LIST }
end
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Updates to the matcher
Fixes#2018
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Added tests for the be_in matcher
Signed-off-by: Rony Xavier <rx294@nyu.edu>
* Requested updates completed
Signed-off-by: Rony Xavier <rx294@nyu.edu>
Add a newline symbol to the end of the parsed input.
Sample hexdump of a file deployed by xinetd cookbook:
$ hexdump -C /var/chef/cache/cookbooks/xinetd/templates/default/xinetd.conf.erb | tail -2
000000b0 72 20 2f 65 74 63 2f 78 69 6e 65 74 64 2e 64 |r /etc/xinetd.d|
000000bf
Signed-off-by: Simonas Kareiva <simonas@5grupe.lt>
* bugfix: empty file strings from archive readers
Empty files in archives are sometimes possible (we just ran into this with TGZ), but is never a valid file to extract. So remove it and discount it altogether. Changed structure to support testing of these global calls.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* lint and rebuild
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
If a profile has a data files directory that looks like this:
```
files/platforms/one/data.json
files/platforms/two/data.json
files/platforms/three/data.json
```
... the source reader will return the directories in the list of files but with
nil contents. This causes an issue when Inspec::Profile tries to create a sha256
checksum of the profile contents only to try to cast nil to a string when
building the null-delimited profile contents string.
Files that are empty will have an empty string as its contents, so it's safe to
assume that file entries with nil contents are actually a directory and have no
affect on the profile's checksum. Therefore, this change will eliminate any file
entries in responses from the source readers where the contents are nil.
Signed-off-by: Adam Leff <adam@leff.co>
* Change host resource to use getent ahosts on Linux
In InSpec 1.31, we changed the `host` resource to use `dig` instead of `getent
hosts` for name resolution because `getent hosts` does not return all entries
(only the first v6 entry if it exists, then the first v4 entry) and we wanted to
keep the Darwin and Linux implementation as close as possible. Unfortunately,
this affected users' ability to do resolution checks for entried stored in their
/etc/hosts file.
This change goes back to using `getent` for Linux and changes to `getent ahosts`
which returns both v4 and v6 records. Additionally, the Darwin provider's dig
implementation was reordered to return v4 addresses before v6 addresses to be
consistent with how `getent ahosts` returns records.
Signed-off-by: Adam Leff <adam@leff.co>
* Update unit tests for resolve_with_getent with proper output
Signed-off-by: Adam Leff <adam@leff.co>
The logic used to determine whether a viable netcat binary exists is wrong and
prevents Linux hosts from doing TCP reachability checks.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix formatter when two profiles have the same name
In the event that an InSpec runner has two profiles that are named the same
(such as when InSpec generates a profile for the Flat source reader, and Test
Kitchen is running concurrently), InSpec could hand back a profile that does not
contain the example. This leads to nil control data and ugly NilClass errors
when TK runs concurrently.
This change modifies the method that finds the profile by control to not only
match on profile name but also match on example ID.
Signed-off-by: Adam Leff <adam@leff.co>
CoreOS is considered a member of the Linux family, and the `host` resource tries
to use `nc` on Linux hosts to test TCP reachability. Unfortunately, `nc` is not
available on CoreOS, but `ncat` is.
This change attempts to use `nc` first, then `ncat` if it's available.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix host resolution on Darwin, use dig wherever possible
The `host` and `dig` commands do not return non-zero if a query returns NXDOMAIN
or NOERROR, but the DarwinHostProvider was expecting it when deciding whether to
fall back to IPv4 if a IPv6 query failed. Therefore, the `host` resource would
not function properly when resolving hostnames on Darwin. The logic has been
changed to use `dig` short output and query for both v6 and v4 addresses.
Additionally, the LinuxHostProvider has been modified to prefer `dig` if it's
available to keep behavior similar between Darwin and Linux whenever possible.
This has the added benefit of providing v6 and v4 resolution if possible where
`getent hosts` only returns v6 if v6 records exist.
Signed-off-by: Adam Leff <adam@leff.co>
* Fix up methods, add command mock, do string matching in ruby instead of command
Fixes#1643Fixes#1673
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* fixed a small courner case in the error detection - error: vs error
fixed resource to use 'shellwords' module to escape the query
requested chances in method architecture for testing
added unit tests
Fixes: #1814
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* updated resource and tests with requested review changes
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed unneeded call to `escaped_query` in the `create_sql_cmd`.
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* removed license info
Signed-off-by: Aaron Lippold <lippold@gmail.com>
* Remove any "All Rights Reserved" references
InSpec is licensed and released under the Apache 2.0 license. This
change removes all reference to legacy code files that still had
any Copyright or License lines referring to "All Rights Reserved".
Signed-off-by: Adam Leff <adam@leff.co>
* fix functional tests
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
The resource itself only offers contents and params right now. It resolved
all include calls it can find and creates the aggregated config object.
This is limited in functionality. One last (set of) PR(s) is needed to
add an interface that makes querying this config file easier. It is due
to the file's inherent complexity that I want to explore which methods
are needed to be effective. In the meantime, this resource offers accessors
to the underlying data that are stable.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* make postgres resource working in mock runner (for inspec check)
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* keep nil for empty states
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
For cleanliness and ease of testing, I've moved the logic that
parses the server version from the compliance config to a
separate method.
Signed-off-by: Adam Leff <adam@leff.co>
* showing how to shellout in docs
Signed-off-by: Richard Shade <rshade@rightscale.com>
* adding basic example
Signed-off-by: Richard Shade <rshade@rightscale.com>
* cleanup
Signed-off-by: Richard Shade <rshade@rightscale.com>
* adding in mysql socket, as this doesn't work with non-default installs
Signed-off-by: Richard Shade <rshade@rightscale.com>
* updating per peer review to make socket not a req, and adding port
Signed-off-by: Richard Shade <rshade@rightscale.com>
* updating docs
Signed-off-by: Richard Shade <rshade@rightscale.com>
* Fix to_s on directory resource
The `to_s` method on the `directory` resource is not defined
in the correct class, leading `directory` resources to be printed
as the parent resource (`file`) instead.
Signed-off-by: Adam Leff <adam@leff.co>
* Directory existence should check to see if it's a directory
Signed-off-by: Adam Leff <adam@leff.co>
Net::HTTP does not gracefully handle HTTP options/headers
that have nil values. This updates Fetchers::Url to verify
that all headers we attempt to configure have non-nil,
non-empty values.
This originally surfaced via the audit cookbook with the
chef-automate fetcher in use without the data_collector
token being set.
Signed-off-by: Adam Leff <adam@leff.co>
* Adding toml resource
This adds a `toml` resource that inherits from the json resource and
behaves the same way as the JSON and YAML resources.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
* s/package/service/ on service unit test descriptions
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Add support for CoreOS to the service resource
Signed-off-by: Kristian Vlaardingerbroek <kvlaardingerbroek@schubergphilis.com>
* Remove some apparently unused test setup to remove some warnings.
* Initialize some instance variables before use to silence warnings.
* Remove an unused variable to remove a warning.
* Remove some indirection.
* Silence logger during tests.
* Check if an instance variable was defined before referencing to remove a warning.
* Define duplicated constant once in root rakefile.
* Initialize an instance variable to remove a warning.
* Remove PROJECT_DIR to reduce coupling.
Signed-off-by: Pete Higgins <pete@peterhiggins.org>
The is_automate_server_pre_080? and is_automate_server_080_and_later?
methods needed some fixing. The Compliance configuration could have
a "version" key that was not nil but was an empty hash, indicating
that it came from a pre-0.8.x Automate server. What we really need
to look for is config['version']['version'] being nil?.
Signed-off-by: Adam Leff <adam@leff.co>
Due to limitations in Thor it is not possible to set an argument to be both optional and its value to be mandatory. E.g. the user supplying the --password argument is optional and not always required, but whenever it is used, it requires a value. Handle options that were defined with mandatory values in a way that fails with an `ArgumentError` if the value is missing, i.e.:
```
> inspec exec examples/profile --password
ArgumentError: Please provide a value for --password. For example: --password=hello.
```
It works without `--password` or with `--password=arg`. Also handled for `--sudo-password`.
Fixes: https://github.com/chef/inspec/issues/1901
As suggested: https://github.com/chef/inspec/pull/1904
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This is currently failing because both `alias` and `alias_method` create method imprints in the FileProvider. This leads to a failure where the TarProvider assumes it doesn't implement `binread`, which in fact it does, since it just calls `read`.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
* Add TCP reachability support on Linux for host resource
This enhances the `host` resource on Linux targets by using netcat
(if installed) to perform TCP reachability checks.
Signed-off-by: Adam Leff <adam@leff.co>
* documentation updates
Signed-off-by: Adam Leff <adam@leff.co>
* Appease rubocop
Signed-off-by: Adam Leff <adam@leff.co>
On Windows, `inspec archive` would sometimes produce incorrect archive files. These would look fine, as tgz files, but would not execute correctly. This would lead to bewildering error messages like this one:
```
Unable to parse inspec.yml: line 1, control characters are not allowed
```
Fix it by treating the files as binary before writing them to get around any encoding issues, since the stream handler is a raw io object anyway.
Closely related to https://github.com/chef/inspec/pull/1906
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
On Windows, we ran into the problem that the execution of inherited profiles would (sometimes) not work. This was due to the use of `File.read` and `File.write` and handling inside the file provider, which works in most cases (especially *nix systems), but does not behave as expected on Windows. A better and more correct way of treating these files is via binary read and write mode, which changes the underlying encoding of both strings that are passed along.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Generated duplicate messages due to the way that examples are aggregated in RSpec. Make sure we never show any duplicate test result messages, as they offer not value to any user.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
The Compliance::API.version method could potentially return
a hash containing no "version" key but would return an empty
hash upon any expected failure. Downstream callers of the
Compliance::API.version method were looking for a "version"
key to always be present when, in some cases, it would not be.
This change ensures that if a version is not available, there
is no "version" key in the hash, and downstream callers of this
method have been changed to check for nil instead of empty.
Signed-off-by: Adam Leff <adam@leff.co>
* add bitbucket repo url handling
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* backout changes to .gitignore
* adding unit tests for bitbucket url transformers
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* fixing some indents
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
* fix some indents
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
Calling the `digest` library directly unfortunately causes issues in FIPS 140-2 mode:
sha512.c(81): OpenSSL internal error, assertion failed: Low level API call to digest SHA512 forbidden in FIPS mode!
Switching to `OpenSSL` as the caller resolve these issues
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
When running `inspec exec` without the `target` option but against remote endpoints OR when executing it with the `localhost://` target AND having `--sudo` active it would abort the execution. `--target` is a helper to set the Train parameters for `backend`, `host`, `user`, `port`, and potentially `password`. The detection would fail on providing any of these separately without specifying `--target`. The same holds true for the `localhost` train backend or just `localhost://` target.
This type of detection has since moved to Train. The driving reason was to have this very useful check for localhost vs sudo run for any type of inspec (or for that matter: train) execution.
This PR depends on https://github.com/chef/train/pull/179 and the next release of train.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Unsupported operating systems AND the mockloader when using inspec analysis tools may lead to powershell being called with the command being `nil`, because the resource skips during the initialize phase. Instead, propagate an empty string so that `command` has a valid input and then skip the resource.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Non-url URIs may have lead to broader crashes than initially fixed. Overwrite all URL resolvers in the plugin to work with these non-schema URLs.
Fixes#1473
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Due to habitat-sh/habitat#2395, we shouldn't try to log stderr output
to a file for now. While this makes for a less-than-awesome UX, it's
better than a process locking up due to a buffer filling up!
This change redirects stderr from InSpec to stdout and adds some
helpful troubleshooting messages. Should InSpec be able to generate
unique exit codes for when controls fail (vs. a Ruby eval failure)
then we can fix this up some more, too.
Signed-off-by: Adam Leff <adam@leff.co>
The `interface` resource currently refers to methods that don't
yet exist. Fixing the docs for now and will add the features
later.
Signed-off-by: Adam Leff <adam@leff.co>
When attempting to parse the profile out of the target URL, we
were not raising an exception if we failed to do so. Such a situation
could arise if a user's inspec config.json is incorrect either due to
manual editing or failure to re-login after an upgrade past Automate
0.8.0.
This change provides a clear exception if this occurs and also adds
tests for the compliance_profile_name method.
Signed-off-by: Adam Leff <adam@leff.co>
Postgres configuration doesnt always include absolute paths. When using relative paths it will fail!
Also: We treat the include as either a string or an array; when the first condition succeeds and you get a string and the second fails you get a array => ruby tries to add a string with an array and fails. This is now fixed as well.
Fixes: https://github.com/chef/inspec/issues/1780
Fixes: https://github.com/chef/inspec/issues/1738
Signed-off-by: Aaron Lippold <lippold@gmail.com>
The gem resource used to determine if a gem is installed based on the exit
status of the `gem` command, however that command will return zero
if the package was found or not. This patch checks to ensure that the
`gem list` command actually includes the gem name or is empty to
determine if the gem is in fact installed.
If the gem command returns something other than a `0` exit code, then
it'll skip the resource.
Signed-off-by: Keith Walters <keith.walters@cattywamp.us>
This adds supports for connecting to MS SQL instances using Window
authentication rather than SQL authentication. By leaving either the
user or password parameters blank causes the sqlcmd to leave off the -U
and -P params. This will cause sqlcmd to authenticate as the current
Windows user.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
Inspired by #1640, this change cleans up the logic used when
reading in secrets files, provides clearer warnings when the
secrets files can't be parsed, and adds tests for those methods.
Signed-off-by: Adam Leff <adam@leff.co>
Switched the oracle_session resource to take an option hash and allow
for configuring hostname, DB_SID, and sqlplus binary path.
Added unit tests.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
Since the command to enable them is different, also make that change in
the output based on the shell used.
Signed-off-by: Nathan L Smith <smith@chef.io>
The CLI formatter is not currently honoring the --no-color flag
when outputting CLI output. This change cleans up how we format
with color and properly support the flag for use cases where
color-encoding characters make the output difficult to use
(i.e. when someone redirects CLI output to a text file for
sharing with others).
Signed-off-by: Adam Leff <adam@leff.co>
This adds an oracle_session resource similar to the existing resource
for MySQL and MSSQL. It assumes the sqlplus tool is installed and in
the path of the user InSpec connects as.
Signed-off-by: Nolan Davidson <ndavidson@chef.io>
Running `inspec exec` with --sudo locally produces unintended results
given that we cannot escalate local Ruby methods after we're already
running. --sudo is meant to only be used with remote targets. We do
not currently enforce that.
This change will print an error for the user if they attempt to use
--sudo with a local exec and exit non-zero.
Signed-off-by: Adam Leff <adam@leff.co>
The file resource's `#content` method will return nil if the file
cannot be read for permissions issues. If you try to run a profile
that uses the `xinetd` resource without sudo privileges, InSpec
would try to call `#empty` on nil.
This change fixes this issue by checking for nil before checking
for emptiness.
Signed-off-by: Adam Leff <adam@leff.co>
The exit status would never return "InSpec run completed successfully"
since the value of $RC was always an integer which never was prefixed
with an "x". This checks the return directly since we currently do not
have any complex logic which warrants the need to check different
return status values where a prefixed return code is necessary.
Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
* Fixed bug with install step where profile would include the .hart
files from previous builds.
* Updated the generated plan to support plan.sh syntax changes in
habitat 0.21.0 and later by removing the `pkg_source` and the
`do_download`, `do_verify`, and `do_unpack` overrides.
* Updated the generate run hook to leverage habitat to perform most of
the origin, package name, and path variable interpolations.
Signed-off-by: Ryan Hass <rhass@users.noreply.github.com>
Even though I couldn't find any docs around include_dir accepting anything other than a string I left the existing functionality alone.
This forces include_dir to check multiple directories as well as single string directories for additional conf files.
Signed-off-by: Elliott Davis <edavis@chef.io>
A new `help matchers` command will provide helpful examples on a few
of the standard matchers: be, cmp, include, etc.
I also cleaned up the formatting of the resources list and provided
better feedback if a user requests help for an unknown resource.
Resolves#1684
Signed-off-by: Adam Leff <adam@leff.co>
Instead of my favorite shortcut of `os.inspec` just finally add it as a global keyword.
Preparation for https://github.com/chef/inspec/issues/1396
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This is always bothersome when debugging code and drilling down objects, since it will just a return a two-layer anonymous class with no help at all.
Instead print a nice name and even give a bit of information on pretty-printing (which pry does naturally)
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Unindent has been misbehaving for control `desc`riptions by completely removing newlines. This is now fixed and the unindentation mechanism improved to behave as expected.
Removing empty lines at the beginning and end of string remains unchanged.
Tabs are not treated as multi-space indentations; supporting them as 8-space chars would require additional effort (please comment if this is important to you)
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
I.e. instead of printing them as:
```
desc "hello\nworld"
```
it would instead do:
```
desc "hello
world"
```
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
We needed to be able to run inspec against endpoints with self signed certificates and this was the quickest way for us to get there.
Signed-off-by: Elizabeth Uselton <elizabeth.uselton@gmail.com>
Because the sleep_time is not written to a config file but instead
only rendered into the run hook, hab-sup doesn't restart the running
process upon any config updates. This change moves the sleep_time to
a settings config file which is read in by the run hook. This will
allow Habitat to restart the InSpec process whenever a user changes
the sleep time.
I also cleaned up the non-zero exit error message to give the user
a better indication as to why the run may have "failed."
Signed-off-by: Adam Leff <adam@leff.co>
Many InSpec resources require root access to properly scan. Let's
default the run user to root until we need to accommodate different
options.
Signed-off-by: Adam Leff <adam@leff.co>
RubyGems on windows comes with a batch file that wraps the `gem` command
so it executes correctly. This change uses that batch file for windows
for our `gem` resource, and also properly handles when we receive no output
from the command.
Signed-off-by: Adam Leff <adam@leff.co>
SSL resource now adds the servername option in client hello,
utilizing the the great work of @adamcaudill to support
SNI in sslshake [1]
[1] https://github.com/arlimus/sslshake/pull/5
Signed-off-by: Christoph Kappel <kappel.christoph@gmail.com>
In #1454, we welcomed a newly-revamped JUnit formatter which has
a dependency on Nokogiri. Unfortunately, this had led us to problems
getting InSpec included in Chef omnibus builds (see chef/chef#5937)
because Chef is using Ruby 2.4.1 and the Nokogiri maintainers have
not yet released a windows binary gem that supports Ruby 2.4.x.
This has led to breaking builds in Chef's CI platform and would
block the acceptance of chef/chef#5937.
This change replaces Nokogiri use with REXML instead. While REXML
can be slower than Nokogiri, it does not require native extensions
and is supported on all Chef platforms.
Signed-off-by: Adam Leff <adam@leff.co>
* Enable customization of supermarket_url
It looks like this was originally supposed to work, but at some point
the default value was put in the method body rather than in the method
parameters.
This change allows you to configure the supermarket_url in test kitchen
like so:
```
verifier:
inspec_tests:
- name: linux-hardening
supermarket: som3guy/apache-disa-stig
supermarket_url: https://my.supermarket.com
```
Signed-off-by: Ryan Larson <ryan.mango.larson@gmail.com>
If a repo did not exist, running matchers against it (such as `exist`)
were failing due to a bug in `#to_s` when fetching the repo name. The
`info` method would return nil and we'd still try to treat it as a hash.
This change ensures that info is always a hash, possibly empty if the
repo doesn't exist, and uses the repo name provided by the user rather
than shortening it to be consistent with our other resources which don't
manipulate the user input in the formatter.
Also added a method_missing to allow users to interrogate repo options,
such as baseurl or gpgcheck.
Signed-off-by: Adam Leff <adam@leff.co>
The CLI output for the vendoring of profiles has been updated slightly
to be more clear, and the functional tests have been modified to match
as well.
Signed-off-by: Adam Leff <adam@leff.co>
Per PR feedback, `Inspec::ProfileVendor` is created to centralize
the logic and data of vendoring profile dependencies. The `BaseCLI`
class and the `Habitat::Profile` class have been modified to use it
Signed-off-by: Adam Leff <adam@leff.co>
This change adds support in Habitat-packaged profiles for
profiles that depend on other profiles. When `inspec habitat
profile create` or `inspec habitat profile upload` is run,
it will see if the profile's dependencies have been vendored
yet, and if not, it will vendor them before creating the
habitat artifact.
For the git and URL fetchers, more explicit creation of the
target directories for the vendored profiles is done. This
is implicitly done via normal CLI interactions a user may
go through, but in our case, we want to ensure those directories
are there before the fetchers try to write out content.
By adding this support, we also fix a bug experienced in Habitat
where a profile that was packaged before an `inspec exec` was run
for the profile would cause a failure in Habitat. This is caused
by `inspec exec` doing a vendor of the dependencies if necessary
and generating the inspec.lock file. In Habitat, the package dir
is not writable by the hab user and InSpec would fail to run due
to an inability to write out an inspec.lock.
Signed-off-by: Adam Leff <adam@leff.co>
Netstat will sometimes output an IPv6 address that is not
formatted correctly; the address is either truncated or uses
or implies the `::` shorthand notation twice. This yields an
invalid IPv6 address and causes IPAddr.new to choke.
This change guards against invalid IP addresses and ensures they
do not end up in the port resource's entries list.
Signed-off-by: Adam Leff <adam@leff.co>
* add tag object
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
* add tests for to_hash function in tag
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
When SimpleConfig parses a config file that has sections, such as a mysqld
config file, the values within that section are returned via a Hash. However,
we do not provide an easy way to write tests for those deep hash values:
```
describe mysql_conf('/tmp/my.cnf') do
its('mysqld.expire_logs_days') { should cmp 10 }
end
MySQL Configuration
∅ undefined method `expire_logs_days' for #<Hash:0x007fe463795a00>
```
This change provides a method-based accessor for Hashes that are built via
SimpleConfig.
```
describe mysql_conf('/tmp/my.cnf') do
its('mysqld.expire_logs_days') { should cmp 10 }
end
MySQL Configuration
✔ mysqld.expire_logs_days should cmp == 10
```
Fixes#1541 by changing the way the attributes are fetched.
Signed-off-by: Adam Leff <adam@leff.co>
When attempting to access array values via the `json` resource:
```
describe json('/tmp/test.json') do
its(['array',0]) { should eq "zero" }
end
```
... the resulting data would be an array of the size of the original array
with all the values replaced with nils:
```
expected: "zero"
got: [nil, nil, nil]
```
This was due to a bug in the ObjectTraverser mixin that mapped array values
back through `extract_value` rather than properly handling the passed-in
key(s). This worked fine for the specific data format created by the `csv`
resource but did not work `json` or any other resource that subclassed the
`JsonConfig` resource.
This change fixes the logic when dealing with an array when it's encountered,
and fixes up the `csv` resource with its own `value` method.
This change also adds tests for ObjectTraverser.
Signed-off-by: Adam Leff <adam@leff.co>
As raised in #1526, adding an additional example showing how
a user can use the `where` accessor to find commands matching
a pattern and write a test using the results.
Signed-off-by: Adam Leff <adam@leff.co>
Currently, if the inspec.yml for a profile is invalid (such as including
an improperly-defined multi-line string), InSpec will throw an exception
from the YAML parser that does not given a clear indication that the
issue was encountered while parsing the inspec.yml file.
This change introduces a better exception message to clue the user into
where the problem actually lies.
Signed-off-by: Adam Leff <adam@leff.co>
On Linux, netstat may show a tcp6/udp6 protocol line but include a
v4 address. This happens with AF_INET6 sockets that can accept
both v4 and v6 traffic. The port check was not properly handling
this situation and trying to pass a v4 address to URI bracketed as
if it was a v6 address.
Signed-off-by: Adam Leff <adam@leff.co>
* Add open_timeout to NET::HTTP.start call
Signed-off-by: Makoto Nozaki <makoto.nozaki@twosigma.com>
* Code cleanup based on the discussion at #1538
Signed-off-by: Makoto Nozaki <makoto.nozaki@twosigma.com>
When running a InSpec profile built with Habitat, we now
write the formatter/reporter data to a JSON file in the
pkg.svc_var_path rather than STDOUT. This will allow for
programmatic collection of this data and future enhancements
to allow this data to be passed around a Habitat ring.
This also corrects an issue creating a Habitat profile if the
profile had never been in the local InSpec cache. By setting a
mock Backend when creating the profile object, similarly to what
the archivers do, this issue is avoided.
Signed-off-by: Adam Leff <adam@leff.co>
Fixes issue #1508
* Windows terminals don't support extended ANSI colours. Use basic + intensity
* Windows terminals don't support UTF-8 well so don't use special characters
Other OS'es get what they had before.
Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
Two new commands have been created:
* inspec habitat profile create /path/to/profile
* inspec habitat profile upload /path/to/profile
The `create` command creates a Habitat artifact that contains the contents
of the Habitat profile found at the provided path. This will be used later
in some Habitat + InSpec integrations.
The `upload` command does the same create process but then uploads the
resulting artifact to the Habitat Depot.
Signed-off-by: Adam Leff <adam@leff.co>
The following new resources have been added; however, they
presently only support FreeBSD and similar.
* `zfs_dataset`: tests if a named ZFS dataset is present
and/or has certain properties.
* `zfs_pool`: tests if a named ZFS pool is present and/or
has certain properties.
Additionally, the `mount` resource has been reworked to
include support for FreeBSD; while the existing class
was renamed to LinuxMountParser.
Unit-tests were added for all of the above.
Signed-off-by: Joseph Benden <joe@benden.us>
When in inspec shell, you need to type the `help` command to find out info
about your target system. This info would be super helpful right out of the
gate so users have confidence that they're targeting the correct system.
The target info is still available via the `help` command as it always has
been, as well.
Signed-off-by: Adam Leff <adam@leff.co>
The inline docs for SourceReaders::InspecReader#new state that it takes
a SourceReader object for the target... but we're trying to create the
SourceReader object! It actually takes a FileProvider object that is
capabile of listing files for the given profile and reading them.
Signed-off-by: Adam Leff <adam@leff.co>
When running InSpec with multiple profiles, and two or more of the profiles
are read in using the "Flat" SourceReader (i.e. they are not actual profiles
with a metadata file like inspec.yml, but rather just a folder containing
.rb files with controls and tests in them), InSpec would throw a NilClass
error when building the necessary objects for the formatter.
The cause was in `#profile_contains_example` in the formatter code which
checks to see if the profile name is the same as the profile_id in the given
example. However, if both of those were nil, it would potentially match the
wrong Flat-read profile.
This change fixes this in two ways: refusing to match if the profile name
or example profile ID is nil, and adding a default name to a profile if
it doesn't have a title or name. This will solve the matching issue and also
clean up the formatter output so users can more easily tell what tests
are from which profile/path.
Signed-off-by: Adam Leff <adam@leff.co>
The crontab resource parses a particular user's crontab file into
individual entries and allows the user to assert information about
each entry as needed.
Signed-off-by: Adam Leff <adam@leff.co>
The other Chef tooling (chef-client, chef, kitchen, berks, etc.)
support a `-v` flag to display the version. Currently, inspec
errors out with the following error:
```
Could not find command "_v".
```
This adds a Thor map so that `-v` executes the `version` command.
Signed-off-by: Adam Leff <adam@leff.co>
This pull request adds a packages resource so that we can check for pattern matches against all the packages on a system. This initially implements only dpkg support for debian-based platforms so we can cover this use case:
```ruby
describe packages(/^xserver-xorg.*/) do
its("list") { should be_empty }
end
```
This uses FilterTable so we can supply additional queries, too.
```ruby
describe packages(/vi.+/).where { status != 'installed' } do
its('statuses') { should be_empty }
end
```
Users can specify the name as a string or a regular expression. If it is a string, we will escape it and convert it to a regular expression to use in matching against the full returned list of packages. If it is a regular expression, we take that as is and use it to filter the results.
While some package management systems such as `dpkg` can take a shell glob argument to filter their results, we eschew this and require a regular expression to match multiple package names because we will need this to work across other platforms in the future. This means that the following:
```ruby
packages("vim")
```
Will return *all* the "vim" packages on the system. The `packages` resource will take `"vim"`, turn it into `/vim/`, and greedily match anything with "vim" in the name. To match only a single package named `vim`, it needs to be an anchored regular expression.
```ruby
packages(/^vim$/)
```
Signed-off-by: Joshua Timberman <joshua@chef.io>
Use entries instead of list
Added a few more tests and non installed package in output
Signed-off-by: Alex Pop <apop@chef.io>
fix lint
Signed-off-by: Alex Pop <apop@chef.io>
Signed-off-by: Joshua Timberman <joshua@chef.io>
We do not store a token in the config file but rather generate one on
each commmand. This is just a first pass and needs some work.
Signed-off-by: Montague, Brent <brent@bmontague.com>
Based on some feedback from @arlimus there were some methods that
were not part of the public inteface that I moved to private.
I changed the examples collection from a delete from the output_hash
to retrieve the controls.
Created a helper for the all_unique_controls which was used in two helper
methods.
Signed-off-by: Franklin Webber <franklin@chef.io>
The class size is too big and Rubocop is right. There are a few
more classes in there that could be extracted but I am going to
ignore it. The other issues that it presented were fair.
Signed-off-by: Franklin Webber <franklin@chef.io>
* Moved things around for better understanding of the class
* Used `private` to denote what was on the public interface
* Solved the ugly TODO which was calculating the state of the control's
summary
* Used `#examples` instead of `res = control[:results]` throughout the
#summary and #title methods
Signed-off-by: Franklin Webber <franklin@chef.io>
* Fixes an issue when specifying no profile
* Fixes an issue when displaying a profile that has included/required profiels
* Fixes an issue when specifying profiles with only metadata
* Fixes formatting for spacing to ensure it adheres to previous alignment
* Fixes issue with the Control object and the rolling up of failed
and skipped examples.
Signed-off-by: Franklin Webber <franklin@chef.io>
The profiles will display the controls with their results and
then display the examples not associated with any control but
within the profile.
Signed-off-by: Franklin Webber <franklin@chef.io>
A lot of the work in #flush_current_control is acting on the control.
I am starting the flip of the control and bringing those messages being
sent originating from a control class itself.
Signed-off-by: Franklin Webber <franklin@chef.io>
Cleans up the #stop action on the JSON formatter by creating more
methods that memoize values or provide values through a method
interface.
There is still more that can be done with the whole mapping
examples to controls through profiles.
Signed-off-by: Franklin Webber <franklin@chef.io>
The full JSON formatter was using the start step to setup the profiles_info.
I moved that to a memozied method so that the first time it is called it will
be created.
Signed-off-by: Franklin Webber <franklin@chef.io>
While rebasing the branch where I was working on the cli formatter I
noticed the addition of junit. However, it was not in the help.
Signed-off-by: Franklin Webber <franklin@chef.io>
Reverts the work-around that pulls down the latest 100 tools
and filters for type == 'compliance_profile' in the client.
Go back to using tool-search with the new type parameter.
Omit start:0 because that's the default.
Keep the number of items returned at 100, which is more than the
default 10.
Signed-off-by: Robb Kidd <robb@thekidds.org>
Previous, require_controls was including all controls from the named
profile, despite the documented behavior being that it only includes
controls explicitly pulled in by the user. The cause was two-fold:
1) A previous refactor meant that we weren't removing the rule from the
correct context, and
2) We weren't descending down the dependency tree when filtering rules.
This commit fixes the require_controls DSL method and adds a test to
help prevent future regressions.
Signed-off-by: Steven Danna <steve@chef.io>
Before, a URL based source might be downloaded multiple times during the
dependency fetching and lockfile creation. This commit tries to avoid
this by:
1) Memoizing data about the archive to avoid re-fetching the archive
2) Adding a CachedFetcher wrapper around the fetcher class to help
ensure that callers always consult the cache before fetching.
Signed-off-by: Steven Danna <steve@chef.io>
This commit threads through some state related to whether or not a
profile is "local", that is whether it is a directory on disk. If it
is, we then write out the lockfile to disk.
Signed-off-by: Steven Danna <steve@chef.io>
This allows users to run:
inspec exec ./ --cache PATH
which will use `PATH` as the dir to retrieve and store remote
dependencies. The hope is that this can eventually be used with
`inspec vendor PATH` to package up a profile for offline use.
Signed-off-by: Steven Danna <steve@chef.io>
If a URL based source does not match the shasum recorded in the
lockfile, it likely means a new version has been pushed to the remote
source. In this case, we fail to help ensure that when using a lockfile
we always run the same code as when the lockfile was created.
Signed-off-by: Steven Danna <steve@chef.io>
All resources from deps are added into the control_eval_context used by
the current profile. However, if there is a name conflict, the last
loaded resource wins. The new `require_resource` dsl method allows the
user to do the following:
require_resource(profile: 'profile_name',
resource: 'other',
as: 'renamed')
describe renamed do
...
end
Signed-off-by: Steven Danna <steve@chef.io>
This is a regression introduced by the changes from string to symbol
keys in v0.34.0. It seems that our test cookbook that had a nested
dependency example wasn't actually wired up to run.
This adds a basic functional test and corrects the typo.
Signed-off-by: Steven Danna <steve@chef.io>
The recent changes to provide isolated views of the available resources
was not extended to Rspec::ExampleGroups. This ensures that
ExampleGroups have access to the same resources as the enclosing
Inspec::Rule.
Signed-off-by: Steven Danna <steve@chef.io>
This adds a new git fetcher. In doing so, it also refactors how the
fetchers work a bit to better support fetchers that need to resolve
user-provided sources to fully specified sources appropriate for a
lockfile.
Signed-off-by: Steven Danna <steve@chef.io>
We already monkeypatch require so that it is redirected through the
require_loader. All of the tests pass with this removal. We might
cause some breakage with this removal that we aren't testing, but given
that we are mucking with `require` it seems preferable to have one
mechanism by which we do that and solve any bugs with that single path.
Signed-off-by: Steven Danna <steve@chef.io>
Previously, libraries were loaded by instance_eval'ing them against
the same execution context used for control files. All resources were
registered against a single global registry when the `name` dsl method
was invoked. To obtain seperation of resources, we would mutate the
instance variable holding the globale registry and then change it back
at the end.
Now, we instance_eval library files inside an anonymous class. This
class has its own version of `Inspec.resource` that returns another
class with the resource DSL method and the profile-specific resource
registry.
The goal of these changes is to ensure that the libraries from
dependencies are loaded even if their controls are never included. To
facilitate this, we break up the loading into seperate steps, and move
the loading code into the Profile which has acceess to the dependency
information.
Signed-off-by: Steven Danna <steve@chef.io>
Previously, all resources were loaded into a single resource registry.
Now, each profile context has a resource registry, when a profile's
library is loaded into the profile context, we update the
profile-context-specific resource registry. This local registry is
then used to populate the execution context that the rules are
evaluated in.
Signed-off-by: Steven Danna <steve@chef.io>
This is a minor refactor that I did while studying our loading code in
preparation for some deeper changes to how content loading works. The
overall goal of the refactor is to remove a few places where we were
passing a generic options hash and then only accessing a single item.
The comment hopefully clarifies to new developers in the code base how
content loading works at a high level.
Signed-off-by: Steven Danna <steve@chef.io>
The goal of this change is to provide an isolated view of the available
profiles when the user calls the include_controls or require_controls
APIs. Namely,
- A profile should only be able to reference profiles that are part of
its transitive dependency tree. That is, if the dependency tree for a
profile looks like the following:
A
|- B --> C
|
|- D --> E
Then profile B should only be able to see profile C and fail if it
tries to reference A, D, or E.
- The same profile should be include-able at different versions from
different parts of the tree without conflict. That is, if the
dependency tree for a profile looks like the following:
A
|- B --> C@1.0
|
|- D --> C@2.0
Then profile B should see the 1.0 version of C and profile D should
see the 2.0 profile C with respect to the included controls.
To achieve these goals we:
- Ensure that we construct ProfileContext objects with respect to the
correct dependencies in Inspec::DSL.
- Provide a method of accessing all transitively defined rules on a
ProfileContext without pushing all of the rules onto the same global
namespace.
This does not yet handle attributes or libraries.
Also: Log to STDERR by default
NB: This will result in absolute paths being rendered to lock files. We
think that is OK for now since we are going to build some UX around
path-based dependencies and lock files. Namely, we are going to tell
people it is a bad idea.
Signed-off-by: Steven Danna <steve@chef.io>
Resolved an issue checking ports on windows
The previous version wasn't really checking if a port was accessible as we were only validating if the ping succeeded. Using TcpTestSucceeded to determine if the connection worked or not.
The Molinillo library is a good library for systems that need a
constraint solver that will solve dependency problems requiring a single
version of each named dependency.
In our case, the eventual goal is to allow libraries to have conflicting
transitive dependencies at runtime. Isolation will be provided by
restricting all calls within a given profile to scope which can only see
that profile's dependencies.
To facilitate working on the isolation feature, I've replaced the
Molinillo-based resolver with a minimal resolver which will allow us to
load multiple versions of the same library.
Since we will likely want a good amount of logging around this feature
in the future, I've added a Inspec::Log singleton-style class, replacing
the previous Inpsec::Log which appeared unused in the code base.
Signed-off-by: Steven Danna <steve@chef.io>
This adds a basic prototype of inspec.lock. When the lockfile exists on
disk, the dependencies tree is constructed using the information in the
lock file rather than using the resolver.
Signed-off-by: Steven Danna <steve@chef.io>
This extends the dependency feature to include support for url-based
dependencies. It takes some deviations from the current support for
URLs that we'll likely want to make more consistent.
By default, we store downloaded archives in the cache rather than the
unpacked archive. However, to facilitate debugging, we will prefer the
unpacked archive if we find it in the cache.
Signed-off-by: Steven Danna <steve@chef.io>
This commit is the foundation of the dependency resolution as described in https://github.com/chef/inspec/issues/888 .
It currently only works with local dependencies, as seen in the example inheritance profile.
Tests and full resolution are coming next on the path to an MVP implementation.
Redhat conf_dir detection was regressed in 57d7275 which inadvertently
removed the setting of @conf_dir. Any attempt to use the postgres
resource on RHEL would rain an exception:
inspec> postgres.data_dir
TypeError: no implicit conversion of nil into String
Further, the redhat detection code appears to assume that RHEL always
uses versioned data directories. This however, does not appear to be the
case:
$ cat /etc/redhat-release
CentOS release 6.7 (Final)
$ sudo ls /var/lib/pgsql/
backups data pgstartup.log
The code now can handle both versioned and un-versioned directory
formats on RHEL. Further, it provides diagnostic warnings about
uncertainty in the discovered data directories and configuration
directories.
Signed-off-by: Steven Danna <steve@chef.io>
Previously, if you typed more than 20 characters at the prompt and
attempted pressed Ctrl+a (readline's "Move to start of line" command),
your prompt would appear at the ~11th character from the start of the
line, unable to go further back.
This was a result readline counting the terminal escape sequences we use
for color output as part of the line.
Wrapping these sequences in \001 and \002 instructs readline to ignore
them when doing calculations regarding line-length, resolving the
problem.
This adds a new subcommand:
inspec env [SHELL]
which outputs a shell-appropriate completion script that the user can
source into their shell:
eval "$(inspec env SHELL)"
Currently, we provide completions for ZSH and Bash. The completion
scripts are generated from the data Thor collects.
If the user doesn't provide SHELL we attempt to detect what the user's
shell may be using a number of methods.
Signed-off-by: Steven Danna <steve@chef.io>
(1) The field is not yet optimal, the calculations are great!
(2) Changing this field should go together with all other breaking json changes, especially if https://github.com/chef/inspec/pull/811 results in a change.
This allows the user to write:
describe port(22) do
it { should be_listening }
end
as well as
describe port('22') do
it { should be_listening }
end
without hitting an error.
Fixes#867
Signed-off-by: Steven Danna <steve@chef.io>
The output of `systemctl show SERVICENAME` can be misleading in the
case of non-native services (i.e. services configured via an init script
and integrated with systemd via a shim) or for more sophisticated unit
types.
For example, the UnitFileState of ntp is "bad":
> systemctl show ntp | grep UnitFileState
UnitFileState=bad
despite systemd reporting it as enabled:
> systemctl is-enabled ntp
ntp.service is not a native service, redirecting to
systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install is-enabled ntp
enabled
Further, the old parsing code would have missed unit files in the
following states that are technically enabled:
enabled-runtime, indirect, generated, and transient
Using the `is-enabled` commands ensures that we report the same enabled
status that systemd reports, without having to update our own parsing in
the event that new unit states are added. Additionally, as shown above,
it handles the sysv compatibility helper.
Similarly, the is-active helper command ensures that we always report
the same active/not-active status as systemd would natively. For
instance, a quick reading of `src/systemctl/systemctl.c` in the systemd
source shows that systemctl reports units as active if they are in the
state `UNIT_ACTIVE` or `UNIT_RELOADING`.
Fixes#749
Signed-off-by: Steven Danna <steve@chef.io>
Mixing types in an array without specifying what these fields point to is not just confusing, but also causes issues with endpoints that may consume this data and dont process mixed types. We strive to have a stable api for 1.0 and this is a sin that was left after the major overhaul. Time to fix it.
reporters didnt stick to the formatters that were configured but looked for an old json one. this MR ensures that the formatter that is configured is pulled out to generate the report
this happens when the profile is run (exec) and also interpreted (via profile.params). It will load 2 profile context calls (both via Runner) which in turn gets 2 rounds of interpreter+runner executions. This is an issue with auto-generated IDs, due to their random component, which changes in this case
Full rewrite of all formatters. Create a minimal JSON, a full JSON, and a fallback RSpec formatter. The latter is only needed for corner cases and should not really be used. The former 2 are for (1) running `inspec json` followed by `inspec exec` (`--format json`) and (2) running just `inspec exec --format fulljson`.
When used in combination: `shadow[.filter(...)].entries.each { |entry| ... }`, these entries would not be very descriptive at all. You would basically only retrieve the full filter chain e.g. 20 times, without any information about what entry you are currently looking at. This fixes it, by providing the entry identified by the user name
Instead of just removing all tests because of OS support, supports now acts by adding all tests to the execution context, but doesnt actually execute them. Instead tests are set to skip before they get to the actual execution context
instead of keeping them as flat variables, prefix all internals with `__` to create consistency. Also add accessors on the class-level to expose these values in all rules. This way we keep all variable-names in one location and get some safety on access.
In some instances, when running inspec shell, you dont get any resources inside of it. i.e. `inspec shell` and then `os` will lead to
```ruby
NameError: undefined local variable or method `os' for
from (pry):1:in `add_content'
```
This is because of instance_eval loading withing the given source/line
information and not attaching to the profile context which actually has
all the resources. Fix it by making sure that inspec shell always
attaches to the profile context with resources by providing nil for
source and line information.
This is just for simplicity. I expect other users to make the same mistake when using it, so I would rather our tests crash if we have this type of conflict again and prevent it in the first place. Renaming File to FileResource should take care of all important places
Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix.
Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes.
I strongly recommend viewing this diff with `git diff --ignore-space-change`
to see the *real* changes. :)
```
describe.one do
describe command("uname -r").stdout do
it { should_not match /x86_64/ }
end
describe test_sth_for_x64_processors do
...
end
end
```
i.e. make sure it doesnt crash just because no block was given due to source/line detection.
also return the result of the rule's delegated describe call and not the rule itself to the outer method. this is for consistency (and the following commits)
This helps reduce any folder structures, weather on disk or in archives, to their relative root paths; i.e. ignore all file-prefixes that are given and go directly to the underlying files, relative to the common folders that contain it
Bugfix: there were services that would get matched because of the way the regex was constructed, i.e. if the user inserted `.` or `*` or anything regexy. Even if the service only had part of the name you were interested in, it would match (e.g. `sshd` would find `my_sshdaemon`).
Apart from this, runlevels are now detected for SystemV. This is exposed in `#info`
I.e. we want to get access to the actual directory handler, with full exposure of the underlying directory resolver. e.g. Get the InspecProfileDirectory handler (which provides access to tests, metadata, libraries), but be able to get all data with that alone (e.g. an ArchiveHelper for ZIP which reads all files/folders from zip)
Basically make sure everyone understands these are only subcommands. we might consider adding plugins for options or existing commands instead of new subcommands. this just ensures everyone knows what registry is for
only load plugins through the binary, never through the library. This avoids issue we have in accidentally loading plugins in tests and integration work. They should only be loaded when users request them.
Note that this adds `ref: some/where/in/tarball/file` to the file
contents hash; it wasn't there before but it may be useful for error
reporting nonetheless.
current output:
$ inspec check test/unit/mock/profiles/complete-profile.tgz
I, [2016-02-03T10:22:21.377650 #13207] INFO -- : Checking profile in test/unit/mock/profiles/complete-profile.tgz
I, [2016-02-03T10:22:21.377745 #13207] INFO -- : Found 1 rules.
I, [2016-02-03T10:22:21.377771 #13207] INFO -- : Rule definitions OK.
If reporting is requested, register a "reporting formatter", i.e.,
Inspec::RSpecReporter, that does the same things JsonFormatter does, but
suppresses output.
When the report is then requested, it returns the output hash that
JsonFormatter aggregates.
this makes it work (tested with default-ubuntu-1404), but doesn't
improve the error handling (i.e., the skip_resource doesn't really
prevent the failure)
I.e.: Prevent users from writing `supports: linux` and similar. These are deprecated and will be removed. Also improve the warning to indicate what the user should do instead. Finally add tests to make sure we get all these.
Before introducing InSpec profiles in https://github.com/chef/inspec/pull/252 we had `metadata.rb` keep all information. This included an undisclosed field called `supports`. However, this field was never actually used in practice. So for legacy profiles, this means that `supports` was ignored. In order to keep old profiles running in exactly the way they were before, ignore this field when reading from metadata.rb
For reading the profiles metadata, we're using the train mock backend
through Inspec::Runner. The new `supports` feature never agrees with the
mock backend.
Now, it we figure out if this is a mock class and then just say that it
supports whatever we're asking for.
Tl;dr: there's probably a more beautiful solution to this.
Added a test case, but it fails -- while the command line interface
works fine.
Package release info (e.g. '19.el7') is often required to determine if
a system has been properly patched.
Lines like the following from rpm are messing up the version returned
by the package resource:
"...\nVersion : 1.8.6p3 Vendor: Red Hat, Inc.\n..."
Correcting this with a new conditional check.
Currently, #readable?, #writeable?, and #executable? will incorrectly
return true if the file does not exist.
In addition, I took the opportunity to refactor the File resource to
make it easier to write unit tests and supplied a full unit test
suite for this resource.
processes('bash').user does not actually make much sense for a resource
that is a list -- different entries can belong to different users.
Analogous for processes('bash').state.
The attributes 'users' and 'states' expose the unique values
corresponding to that property of entries in the process list.
Fixes#295.
before, the resource would throw an exception when include_files
returned nil (i.e., [].flatten!)
added basic unit tests capturing the include_files behaviour
This change builds on chef/kitchen-inspec#12. All test directories should
be on the `$LOAD_PATH` when `Inspec::Runner` executes the test suites with
`RSpec::Core::Runner`. This will allow things like `require 'spec_helper'`
to work as expected.
Since #its has its(pun) own way of handling calls with a dot-notation, the full call is never passed to the resource. For example:
```ruby
describe json('file') do
its('a.b.c') { should eq 123 }
end
```
This is resolved to calling `json('file').a.b.c` and thus doesnt work as an intended `json('file').send('a.b.c'). For now use
regular its-behavior of calling `json('file').params ... its(%w{a b c}) { should ... }`.
Its' behavior must be improved.
TODO: Remove this!! It is very dangerous to do this here. The goal of this is to make the audit DSL available to all describe blocks. Right now, these blocks are executed outside the scope of this run, thus not gaining ony of the DSL pieces. To circumvent this, the full DSL is attached to the examples
What is currently available as `vulcano` inside resources (e.g. to call `vulcano.file(...)`, is now wrapped inside `vulcano.backend`. All other resources are now added to `vulcano.<RESOURCE>`, e.g. `vulcano.user`.
* rename `--winrm-ssl` => `--ssl`, to be used by other transports as well
* rename `--winrm-self-signed` => `--self-signed`, to be used by other transports
It doesnt post the expected information in /etc/redhat-release:
Derived from Red Hat Enterprise Linux 7.1 (Source)
Additionally in /etc/os-release:
NAME="CentOS Linux"
VERSION="7 (Core)"
...
Combine both files to fix the detection.
* rename VulcanoBaseRule -> Vulcano::Rule
* initialize rule inside the ProfileContext
* attach all resources to ProfileContext and all rules created within
* rename rule.rb -> dsl.rb, now only containing DSL information
* rename base_rule.rb -> rule.rb, now containing everything for rule
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
PTY will effectively disable stderr output, so avoid it for now.
It will come up very soon when we get back to sudo; see if fifo or other solutions might be used. Stderr is important for accurate command execution...
For reference see this wonderful explanation:
http://unix.stackexchange.com/a/134169
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
Dont return empty strings when reading a directory or if the path doesnt exist. Instead return nil.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
provided the platform family hint == "unix" run tests for all supported unix systems
also clarify the role of linux detection as the last step
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
This is in line with Ruby 2.1 changes in renaming File and Dir exists? to exist?
See previous commit
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
