Deprecation of array matcher #738

Closed
chris-rock opened this issue May 11, 2016 · 5 comments
Labels
Type: Enhancement Improves an existing feature

@chris-rock
Contributor

chris-rock commented May 11, 2016

Description

We should use plain Ruby mechanisms instead of re-inventing the wheel. RSpec matchers have the disadvantage that they split up the implementation (resource + matcher). Instead, the goal is to cover the use case without requiring matchers. Therefore we will deprecate 3 matchers:

  • contain_duplicates
  • contain_match
  • contain_legacy_plus

InSpec and Platform Version

0.20.1

Replication Case

Case 1: contain_match

describe auditd_rules do
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) }
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) }
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)}
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)}
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)}
end

Case 2: contain_duplicates

describe etc_group.where(item: 'value', item: 'value') do
  its('gids') { should_not contain_duplicates }
end

Case 3: contain_legacy_plus

describe file('/etc/passwd') do
  it { should_not contain_legacy_plus }
end

Possible Solutions

We need a way to iterate over an array and use basic matchers or Ruby logic to do tests. One example could be:

Case 1: contain_match

# deprecated
describe auditd_rules do
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) }
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) }
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)}
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)}
  its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)}
end

# proposed solution
describe.one do
  auditd_rules.LIST_RULES.each do |entry|
    describe entry do
      it { should match /^exit,always watch=\/etc\/group perm=wa key=identity/ }
    end
    describe entry do
      it { should match /^exit,always watch=\/etc\/passwd perm=wa key=identity/ }
    end
    describe entry do
      it { should match /^exit,always watch=\/etc\/gshadow perm=wa key=identity/ }
    end
    describe entry do
      it { should match /^exit,always watch=\/etc\/shadow perm=wa key=identity/ }
    end
    describe entry do
      it { should match /^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/ }
    end
  end
end

Case 2: contain_duplicates

# deprecated
describe etc_group.where(item: 'value', item: 'value') do
  its('gids') { should_not contain_duplicates }
end

# proposed solution 

gids = etc_group.where(item: 'value', item: 'value').gids
describe gids do
  its('length') { should eq gids.uniq.length }
end

Case 3: contain_legacy_plus

# deprecated:
describe file('/etc/passwd') do
  it { should_not contain_legacy_plus }
end

# proposed solution 
describe file('/etc/passwd') do
    its('content') { should_not match /^\+:/ }
end

  • It does not cover the case where we would like to verify multiple regexes per array
  • No obvious solution for the duplicates check
@chris-rock chris-rock added the Type: Enhancement Improves an existing feature label May 11, 2016
@chris-rock chris-rock added this to the 1.0.0 milestone May 11, 2016
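
The three deprecated matchers expressed as plain Ruby, including the two open points above (several regexes against one array, and a duplicates check). This is an added example, not part of the original issue or the InSpec code base; the helper names (`unmatched_patterns`, `literal_rule`, `duplicate_values`, `legacy_plus_entries`) and all sample data are assumptions made for illustration.

```ruby
# Added example: plain-Ruby equivalents of the three deprecated array matchers.
# Helper names are hypothetical; all sample data below is constructed.

# contain_match: return the patterns that no line in the array satisfies.
# An empty result means every pattern matched at least one line, which
# covers checking several regexes against one array in a single pass.
def unmatched_patterns(lines, patterns)
  patterns.reject { |re| lines.any? { |line| line.match?(re) } }
end

# Build an anchored pattern from a literal rule so characters such as '.'
# or '+' in the rule text are matched literally, not as regex operators.
def literal_rule(rule)
  /\A#{Regexp.escape(rule)}\z/
end

# contain_duplicates: return the values that occur more than once,
# so a failing check also reports which ids collide.
def duplicate_values(values)
  values.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# contain_legacy_plus: return passwd-style lines that start with "+:".
def legacy_plus_entries(content)
  content.each_line.map(&:chomp).grep(/^\+:/)
end

# Constructed sample inputs.
SAMPLE_RULES = [
  '-w /etc/issue -p wa -k system-locale',
  '-w /etc/group -p wa -k identity'
].freeze
SAMPLE_GIDS = [0, 1, 100, 100, 1000].freeze
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n+::::::\n".freeze

WANTED = [
  literal_rule('-w /etc/group -p wa -k identity'),
  literal_rule('-w /etc/passwd -p wa -k identity')
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "rules with no match: #{unmatched_patterns(SAMPLE_RULES, WANTED).map(&:source)}"
  puts "duplicate gids:      #{duplicate_values(SAMPLE_GIDS)}"
  puts "legacy '+' entries:  #{legacy_plus_entries(SAMPLE_PASSWD)}"
end
```

Each helper returns the offending items, so a compliance check passes when the returned array is empty and the failure output names the missing rule, the colliding id, or the legacy line.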
@arlimus
Contributor

arlimus commented May 12, 2016

Let's add a solution to test either all or at least one item in a list:

Describe at least one item from the list, for which the following condition succeeds:

describe.one auditd_rules.LIST_RULES do
  it { should match /^exit,always watch=\/etc\/group perm=wa key=identity/ }
end

Describe all items from a list and make sure they pass the test:

describe.all passwd.users do
  it { should_not be_empty }
end

Let's think some more on duplicate checking. It may end up sticking with the matcher, but I feel there may also be a different pattern...

@robinbowes

Did you come up with a replacement for contain_duplicates yet?

@qvallance-ctc

qvallance-ctc commented Dec 13, 2016

The documentation for the auditd_rules resource recommends using 'contain_match' as the preferred way of matching lines for audit >= 2.3. If 'contain_match' is being deprecated, what is the preferred method for matching lines with audit >= 2.3? Also, noticed that using 'contain_match' with the auditd_rules always returns success when matching a rule, even if the rule doesn't match (this is using inspec 1.7.2).

Example provided in resource documentation:

describe auditd_rules do
  its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
end

@poshpaws

poshpaws commented Feb 8, 2017

I am in the same boat as qvallance-ctc.
I am being directed to this issue when trying to use contain_duplicates, telling me it's deprecated from inspec 1.0... yet I am running 1.7.1.

What's my alternative?

control 'check-passwd-duplicates' do
  impact 1.0
  title 'check for duplicate uids'
  desc 'there should be no duplicate uids'
  describe passwd.where(item: 'value', itemp: 'value') do
    its('uids') { should_not contain_duplicates }
  end
end

@aaronlippold
Collaborator

@chris-rock @arlimus
Have we resolved this issue? There is no updated direction in the docs/examples, this usage is still as per the docs.

As of v1.19.2 I am still getting deprecation warnings:

AUDIT_LINES = attribute(
  'audit_lines',
  default: [
    '-w /etc/issue -p wa -k system-locale',
    '-w /etc/group -p wa -k identity',
    '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change'
  ],
  description: "The audit rules you want to ensure"
)

AUDIT_LINES.each do |line|
  describe auditd_rules do
    its('lines') { should contain_match(%r{#{line}}) }
  end
end

Error:

[DEPRECATION] `contain_match` is deprecated and will be removed for InSpec 1.0. 
See https://github.com/chef/inspec/issues/738 for more details

@miah miah closed this as completed Mar 29, 2019