mirror of
https://github.com/inspec/inspec
synced 2024-11-23 05:03:07 +00:00
c7e87ca3e3
* Create file-check functionality into utility file There are the similar issues as PR #2302. Almost resources return false positives when a file does not exist or is not read. * Replace to file-check functionality * Fix dh_params and x509_certificate resources If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have raised an exception and have skipped the inspection. Thus x509_certificate and dh_params resources are not allowed to read a empty file. * to_s of shadow expects filters is not nil * Remove workaround of sshd_config Removes the workaround of sshd_config since Travis CI fails due to a bug of dev-sec/ssh-baseline and the PR #100 will fix it. * Use init block variable in methods Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
226 lines
6.6 KiB
Ruby
226 lines
6.6 KiB
Ruby
# encoding: utf-8
|
|
|
|
require 'utils/nginx_parser'
|
|
require 'utils/find_files'
|
|
require 'utils/file_reader'
|
|
require 'forwardable'
|
|
|
|
# STABILITY: Experimental
|
|
# This resouce needs a proper interace to the underlying data, which is currently missing.
|
|
# Until it is added, we will keep it experimental.
|
|
#
|
|
# TODO: Support it on Windows. To do so, we need to recognize the base os and how
|
|
# it combines the file path. Calling `File.join` or similar methods may lead to errors
|
|
# when running remotely.
|
|
module Inspec::Resources
|
|
class NginxConf < Inspec.resource(1)
|
|
name 'nginx_conf'
|
|
supports platform: 'unix'
|
|
desc 'Use the nginx_conf InSpec resource to test configuration data '\
|
|
'for the NginX web server located in /etc/nginx/nginx.conf on '\
|
|
'Linux and UNIX platforms.'
|
|
example "
|
|
describe nginx_conf.params ...
|
|
describe nginx_conf('/path/to/my/nginx.conf').params ...
|
|
"
|
|
|
|
extend Forwardable
|
|
|
|
include FindFiles
|
|
include FileReader
|
|
|
|
attr_reader :contents
|
|
|
|
def initialize(conf_path = nil)
|
|
@conf_path = conf_path || '/etc/nginx/nginx.conf'
|
|
@contents = {}
|
|
return skip_resource 'The `nginx_conf` resource is currently not supported on Windows.' if inspec.os.windows?
|
|
read_content(@conf_path)
|
|
end
|
|
|
|
def params
|
|
@params ||= parse_nginx(@conf_path)
|
|
rescue StandardError => e
|
|
skip_resource e.message
|
|
@params = {}
|
|
end
|
|
|
|
def http
|
|
NginxConfHttp.new(params['http'], self)
|
|
end
|
|
|
|
def_delegators :http, :servers, :locations
|
|
|
|
def to_s
|
|
"nginx_conf #{@conf_path}"
|
|
end
|
|
|
|
private
|
|
|
|
def read_content(path)
|
|
return @contents[path] if @contents.key?(path)
|
|
@contents[path] = read_file_content(path, allow_empty: true)
|
|
end
|
|
|
|
def parse_nginx(path)
|
|
return nil if inspec.os.windows?
|
|
content = read_content(path)
|
|
data = NginxConfig.parse(content)
|
|
resolve_references(data, File.dirname(path))
|
|
rescue StandardError => _
|
|
raise "Cannot parse NginX config in #{path}."
|
|
end
|
|
|
|
# Cycle through the complete parsed data structure and try to find any
|
|
# calls to `include`. In NginX, this is used to embed data from other
|
|
# files into the current data structure.
|
|
#
|
|
# The method steps through the object structure that is passed in to
|
|
# find any calls to 'include' and returns the object structure with the
|
|
# included data merged in.
|
|
#
|
|
# @param data [Hash] data structure from NginxConfig.parse
|
|
# @param rel_path [String] the relative path from which this config is read
|
|
# @return [Hash] data structure with references included
|
|
def resolve_references(data, rel_path)
|
|
# Walk through all array entries to find more references
|
|
return data.map { |x| resolve_references(x, rel_path) } if data.is_a?(Array)
|
|
|
|
# Return any data that we cannot step into to find more `include` calls
|
|
return data unless data.is_a?(Hash)
|
|
|
|
# Any call to `include` gets its data read, parsed, and merged back
|
|
# into the current data structure
|
|
if data.key?('include')
|
|
data.delete('include').flatten
|
|
.map { |x| File.expand_path(x, rel_path) }
|
|
.map { |x| find_files(x) }.flatten
|
|
.map { |path| parse_nginx(path) }
|
|
.each { |conf| merge_config!(data, conf) }
|
|
end
|
|
|
|
# Walk through the remaining hash fields to find more references
|
|
Hash[data.map { |k, v| [k, resolve_references(v, rel_path)] }]
|
|
end
|
|
|
|
# Deep merge fields from NginxConfig.parse.
|
|
# A regular merge would overwrite values so a deep merge is needed.
|
|
# @param data [Hash] data structure from NginxConfig.parse
|
|
# @param conf [Hash] data structure to be deep merged into data
|
|
# @return [Hash] data structure with conf and data deep merged
|
|
def merge_config!(data, conf)
|
|
# Catch edge-cases
|
|
return if data.nil? || conf.nil?
|
|
# Step through all conf items and create combined return value
|
|
data.merge!(conf) do |_, v1, v2|
|
|
if v1.is_a?(Array) && v2.is_a?(Array)
|
|
# If both the data field and the conf field are arrays, then combine them
|
|
v1 + v2
|
|
elsif v1.is_a?(Hash) && v2.is_a?(Hash)
|
|
# If both the data field and the conf field are maps, then deep merge them
|
|
merge_config!(v1, v2)
|
|
else
|
|
# All other cases, just use the new value (regular merge behavior)
|
|
v2
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
class NginxConfHttp
|
|
attr_reader :entries
|
|
def initialize(params, parent)
|
|
@parent = parent
|
|
@entries = (params || []).map { |x| NginxConfHttpEntry.new(x, parent) }
|
|
end
|
|
|
|
def servers
|
|
@entries.map(&:servers).flatten
|
|
end
|
|
|
|
def locations
|
|
servers.map(&:locations).flatten
|
|
end
|
|
|
|
def to_s
|
|
@parent.to_s + ', http entries'
|
|
end
|
|
alias inspect to_s
|
|
end
|
|
|
|
class NginxConfHttpEntry
|
|
attr_reader :params, :parent
|
|
def initialize(params, parent)
|
|
@params = params || {}
|
|
@parent = parent
|
|
end
|
|
|
|
filter = FilterTable.create
|
|
filter.add_accessor(:where)
|
|
.add(:servers, field: 'server')
|
|
.connect(self, :server_table)
|
|
|
|
def locations
|
|
servers.map(&:locations).flatten
|
|
end
|
|
|
|
def to_s
|
|
@parent.to_s + ', http entry'
|
|
end
|
|
alias inspect to_s
|
|
|
|
private
|
|
|
|
def server_table
|
|
@server_table ||= (params['server'] || []).map { |x| { 'server' => NginxConfServer.new(x, self) } }
|
|
end
|
|
end
|
|
|
|
class NginxConfServer
|
|
attr_reader :params, :parent
|
|
def initialize(params, parent)
|
|
@parent = parent
|
|
@params = params || {}
|
|
end
|
|
|
|
filter = FilterTable.create
|
|
filter.add_accessor(:where)
|
|
.add(:locations, field: 'location')
|
|
.connect(self, :location_table)
|
|
|
|
def to_s
|
|
server = ''
|
|
name = Array(params['server_name']).flatten.first
|
|
unless name.nil?
|
|
server += name
|
|
listen = Array(params['listen']).flatten.first
|
|
server += ":#{listen}" unless listen.nil?
|
|
end
|
|
|
|
# go two levels up: 1. to the http entry and 2. to the root nginx conf
|
|
@parent.parent.to_s + ", server #{server}"
|
|
end
|
|
alias inspect to_s
|
|
|
|
private
|
|
|
|
def location_table
|
|
@location_table ||= (params['location'] || []).map { |x| { 'location' => NginxConfLocation.new(x, self) } }
|
|
end
|
|
end
|
|
|
|
class NginxConfLocation
|
|
attr_reader :params, :parent
|
|
def initialize(params, parent)
|
|
@parent = parent
|
|
@params = params || {}
|
|
end
|
|
|
|
def to_s
|
|
location = Array(params['_']).join(' ')
|
|
# go three levels up: 1. to the server entry, 2. http entry and 3. to the root nginx conf
|
|
@parent.parent.parent.to_s + ", location #{location.inspect}"
|
|
end
|
|
alias inspect to_s
|
|
end
|
|
end
|