inspec/lib/resources/shadow.rb
Miah Johnson 75f39e74f2 Refine deprecated methods to be consisten with supported fields in (#2801)
shadow file.

After much thought the deprecations from #2642 were for the wrong methods.

Plural method names feel much more natural when working with this
resource because you can have more than a single result.

Consider a match like `shadow.user(/^www/)`, this could return multiple
users, so `shadow.users` feels more natural here.

The problem is that the fields we're matching in the shadow file itself
are singular. Each entry is for a user, which has a password, and some
other fields. A user never has `passwords` in the shadow file, only a
`password`.

This is made more obvious when you use the `filter` method.

When we use this filter: `shadow.filter(min_days: 20, max_days: 30)` we
are matching fields in the shadow file and not using our matcher
methods. This means that if there is a discrepancy between our matcher
methods, and the shadow fields the user could end up confused. Like I did =)

This PR changes:

Changed matchers to match shadow fields.
Updated documentation to reflect changes.
Updated tests to reflect changes.
Re-add `filter` method, and add a test for it.
Renamed variable for FilterTable to be less confusing.
Renamed query argument for methods to be consistent.
Cleanup docs based on comments from @jerryaldrichiii
Make Rubocop happy <3

Signed-off-by: Miah Johnson <miah@chia-pet.org>
2018-03-08 17:26:08 -05:00

146 lines
4.3 KiB
Ruby

# encoding: utf-8
# copyright: 2016, Chef Software Inc.
require 'utils/filter'
# The file format consists of
# - user
# - password
# - last_change
# - min_days before password change
# - max_days until password change
# - warn_days before warning about expiry
# - inactive_days before deactivating the account
# - expiry_date when this account will expire
module Inspec::Resources
class Shadow < Inspec.resource(1)
name 'shadow'
supports platform: 'unix'
desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
'which contains information for users that may log into '\
'the system and/or as users that own running processes.'
example "
describe shadow do
its('user') { should_not include 'forbidden_user' }
end
describe shadow.user('bin') do
its('password') { should cmp 'x' }
its('count') { should eq 1 }
end
"
attr_reader :params
attr_reader :lines
def initialize(path = '/etc/shadow', opts = nil)
opts ||= {}
@path = path || '/etc/shadow'
@raw_content = opts[:content] || inspec.file(@path).content
@lines = @raw_content.to_s.split("\n")
@filters = opts[:filters] || ''
@params = @lines.map { |l| parse_shadow_line(l) }
end
filtertable = FilterTable.create
filtertable
.add_accessor(:where)
.add_accessor(:entries)
.add(:user, field: 'user')
.add(:password, field: 'password')
.add(:last_change, field: 'last_change')
.add(:min_days, field: 'min_days')
.add(:max_days, field: 'max_days')
.add(:warn_days, field: 'warn_days')
.add(:inactive_days, field: 'inactive_days')
.add(:expiry_date, field: 'expiry_date')
.add(:reserved, field: 'reserved')
filtertable.add(:content) { |t, _|
t.entries.map do |e|
[e.user, e.password, e.last_change, e.min_days, e.max_days, e.warn_days, e.inactive_days, e.expiry_date].compact.join(':')
end.join("\n")
}
filtertable.add(:count) { |i, _|
i.entries.length
}
filtertable.connect(self, :params)
def filter(query = {})
return self if query.nil? || query.empty?
res = @params
filters = ''
query.each do |attr, condition|
condition = condition.to_s if condition.is_a? Integer
filters += " #{attr} = #{condition.inspect}"
res = res.find_all do |line|
case line[attr.to_s]
when condition
true
else
false
end
end
end
content = res.map { |x| x.values.join(':') }.join("\n")
Shadow.new(@path, content: content, filters: @filters + filters)
end
def users(query = nil)
warn '[DEPRECATION] The shadow `users` property is deprecated and will be removed' \
' in InSpec 3.0. Please use `user` instead.'
query.nil? ? user : user(query)
end
def passwords(query = nil)
warn '[DEPRECATION] The shadow `passwords` property is deprecated and will be removed' \
' in InSpec 3.0. Please use `password` instead.'
query.nil? ? password : password(query)
end
def last_changes(query = nil)
warn '[DEPRECATION] The shadow `last_changes` property is deprecated and will be removed' \
' in InSpec 3.0. Please use `last_change` instead.'
query.nil? ? last_change : last_change(query)
end
def expiry_dates(query = nil)
warn '[DEPRECATION] The shadow `expiry_dates` property is deprecated and will be removed' \
' in InSpec 3.0. Please use `expiry_date` instead.'
query.nil? ? expiry_date : expiry_date(query)
end
def to_s
f = @filters.empty? ? '' : ' with'+@filters
"/etc/shadow#{f}"
end
private
def map_data(id)
@params.map { |x| x[id] }
end
# Parse a line of /etc/shadow
#
# @param [String] line a line of /etc/shadow
# @return [Hash] Map of entries in this line
def parse_shadow_line(line)
x = line.split(':')
{
'user' => x.at(0),
'password' => x.at(1),
'last_change' => x.at(2),
'min_days' => x.at(3),
'max_days' => x.at(4),
'warn_days' => x.at(5),
'inactive_days' => x.at(6),
'expiry_date' => x.at(7),
'reserved' => x.at(8),
}
end
end
end