mirror of
https://github.com/inspec/inspec
synced 2024-11-13 08:27:08 +00:00
2857d07151
The opening and closing mechanic varied between all the various resources. This changes them all to use a HEREDOC with a tilde to remove leading whitespace. This removes the need for the special method to trim the `#print_example` method from shell. Signed-off-by: Franklin Webber <franklin.webber@gmail.com>
161 lines
5.3 KiB
Ruby
161 lines
5.3 KiB
Ruby
# encoding: utf-8
|
|
# copyright: 2016, Chef Software Inc.
|
|
|
|
require 'utils/filter'
|
|
require 'utils/file_reader'
|
|
|
|
# The file format consists of
|
|
# - user
|
|
# - password
|
|
# - last_change
|
|
# - min_days before password change
|
|
# - max_days until password change
|
|
# - warn_days before warning about expiry
|
|
# - inactive_days before deactivating the account
|
|
# - expiry_date when this account will expire
|
|
|
|
module Inspec::Resources
|
|
class Shadow < Inspec.resource(1)
|
|
name 'shadow'
|
|
supports platform: 'unix'
|
|
desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
|
|
'which contains information for users that may log into '\
|
|
'the system and/or as users that own running processes.'
|
|
example <<~EXAMPLE
|
|
describe shadow do
|
|
its('user') { should_not include 'forbidden_user' }
|
|
end
|
|
|
|
describe shadow.user('bin') do
|
|
its('password') { should cmp 'x' }
|
|
its('count') { should eq 1 }
|
|
end
|
|
EXAMPLE
|
|
|
|
include FileReader
|
|
|
|
attr_reader :params
|
|
|
|
def initialize(path = '/etc/shadow', opts = {})
|
|
@opts = opts
|
|
@path = path || '/etc/shadow'
|
|
@filters = @opts[:filters] || ''
|
|
end
|
|
|
|
filtertable = FilterTable.create
|
|
filtertable
|
|
.register_column(:users, field: 'user')
|
|
.register_column(:passwords, field: 'password')
|
|
.register_column(:last_changes, field: 'last_change')
|
|
.register_column(:min_days, field: 'min_days')
|
|
.register_column(:max_days, field: 'max_days')
|
|
.register_column(:warn_days, field: 'warn_days')
|
|
.register_column(:inactive_days, field: 'inactive_days')
|
|
.register_column(:expiry_dates, field: 'expiry_date')
|
|
.register_column(:reserved, field: 'reserved')
|
|
# These are deprecated, but we need to "alias" them
|
|
filtertable
|
|
.register_custom_property(:user) { |table, value| table.resource.user(value) }
|
|
.register_custom_property(:password) { |table, value| table.resource.password(value) }
|
|
.register_custom_property(:last_change) { |table, value| table.resource.last_change(value) }
|
|
.register_custom_property(:expiry_date) { |table, value| table.resource.expiry_date(value) }
|
|
|
|
filtertable.register_custom_property(:content) { |t, _|
|
|
t.entries.map do |e|
|
|
[e.user, e.password, e.last_change, e.min_days, e.max_days, e.warn_days, e.inactive_days, e.expiry_date].compact.join(':')
|
|
end.join("\n")
|
|
}
|
|
|
|
filtertable.install_filter_methods_on_resource(self, :set_params)
|
|
|
|
def filter(query = {})
|
|
return self if query.nil? || query.empty?
|
|
res = set_params
|
|
filters = ''
|
|
query.each do |attr, condition|
|
|
condition = condition.to_s if condition.is_a? Integer
|
|
filters += " #{attr} = #{condition.inspect}"
|
|
res = res.find_all do |line|
|
|
case line[attr.to_s]
|
|
when condition
|
|
true
|
|
else
|
|
false
|
|
end
|
|
end
|
|
end
|
|
content = res.map { |x| x.values.join(':') }.join("\n")
|
|
Shadow.new(@path, content: content, filters: @filters + filters)
|
|
end
|
|
|
|
# Next 4 are deprecated methods. We define them here so we can emit a deprecation message.
|
|
# They are also defined on the Table, above.
|
|
def user(query = nil)
|
|
warn '[DEPRECATION] The shadow `user` property is deprecated and will be removed' \
|
|
' in InSpec 3.0. Please use `users` instead.'
|
|
query.nil? ? where.users : where('user' => query)
|
|
end
|
|
|
|
def password(query = nil)
|
|
warn '[DEPRECATION] The shadow `password` property is deprecated and will be removed' \
|
|
' in InSpec 3.0. Please use `passwords` instead.'
|
|
query.nil? ? where.passwords : where('password' => query)
|
|
end
|
|
|
|
def last_change(query = nil)
|
|
warn '[DEPRECATION] The shadow `last_change` property is deprecated and will be removed' \
|
|
' in InSpec 3.0. Please use `last_changes` instead.'
|
|
query.nil? ? where.last_changes : where('last_change' => query)
|
|
end
|
|
|
|
def expiry_date(query = nil)
|
|
warn '[DEPRECATION] The shadow `expiry_date` property is deprecated and will be removed' \
|
|
' in InSpec 3.0. Please use `expiry_dates` instead.'
|
|
query.nil? ? where.expiry_dates : where('expiry_date' => query)
|
|
end
|
|
|
|
def lines
|
|
warn '[DEPRECATION] The shadow `lines` property is deprecated and will be removed' \
|
|
' in InSpec 3.0.'
|
|
shadow_content.to_s.split("\n")
|
|
end
|
|
|
|
def to_s
|
|
f = @filters.empty? ? '' : ' with'+@filters
|
|
"#{@path}#{f}"
|
|
end
|
|
|
|
private
|
|
|
|
def shadow_content
|
|
@opts[:content] || read_file_content(@path, allow_empty: true)
|
|
end
|
|
|
|
def set_params
|
|
@params ||= Array(shadow_content.to_s.split("\n")).map { |l| parse_shadow_line(l) }
|
|
end
|
|
|
|
def map_data(id)
|
|
set_params.collect { |x| x[id] }
|
|
end
|
|
|
|
# Parse a line of /etc/shadow
|
|
#
|
|
# @param [String] line a line of /etc/shadow
|
|
# @return [Hash] Map of entries in this line
|
|
def parse_shadow_line(line)
|
|
x = line.split(':')
|
|
{
|
|
'user' => x.at(0),
|
|
'password' => x.at(1),
|
|
'last_change' => x.at(2),
|
|
'min_days' => x.at(3),
|
|
'max_days' => x.at(4),
|
|
'warn_days' => x.at(5),
|
|
'inactive_days' => x.at(6),
|
|
'expiry_date' => x.at(7),
|
|
'reserved' => x.at(8),
|
|
}
|
|
end
|
|
end
|
|
end
|