add suse support (#15)

* add suse support

* lint

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

* add up to date logic for patches

* add control for patches

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>

Author: arlimus

README.md

@@ -9,6 +9,7 @@ This [InSpec](http://inspec.io/) profile verifies that all updates have been ins
 - RHEL 6/7
 - CentOS 6/7
 - Ubuntu 12.04+
+- OpenSUSE, SuSE 11/12
 
 ## License
 

controls/patches.rb

@@ -17,11 +17,21 @@
 
 control 'patches' do
   impact 0.3
-  title 'All operating system updates are installed'
+  title 'All operating system package updates are installed'
   linux_update.updates.each { |update|
     describe package(update['name']) do
       its('version') { should eq update['version'] }
     end
   }
   only_if { linux_update.updates.length > 0 }
 end
+
+control 'os-patches' do
+  impact 0.3
+  title 'All operating system patches are installed'
+  linux_update.patches.each do |patch|
+    describe patch do
+      it { should be_nil }
+    end
+  end
+end

libraries/linux_updates.rb

@@ -8,6 +8,7 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 require 'json'
+require 'rexml/document'
 
 class LinuxUpdateManager < Inspec.resource(1)
   name 'linux_update'
@@ -29,6 +30,8 @@ def initialize
       @update_mgmt = RHELUpdateFetcher.new(inspec)
     when 'debian'
       @update_mgmt = UbuntuUpdateFetcher.new(inspec)
+    when 'suse'
+      @update_mgmt = SuseUpdateFetcher.new(inspec)
     end
     return skip_resource 'The `linux_update` resource is not supported on your OS.' if @update_mgmt.nil?
   end
@@ -44,6 +47,8 @@ def uptodate?
     return nil if @update_mgmt.nil?
     u = @update_mgmt.updates
     return false if u.nil? || !u['available'].empty?
+    l = @update_mgmt.patches
+    return false if l.nil? || !l.empty?
     true
   end
 
@@ -54,6 +59,11 @@ def packages
     p['installed']
   end
 
+  def patches
+    return [] if @update_mgmt.nil?
+    @update_mgmt.patches || []
+  end
+
   def to_s
     'Linux Update'
   end
@@ -72,6 +82,10 @@ def updates
     []
   end
 
+  def patches
+    []
+  end
+
   def parse_json(script)
     cmd = @inspec.bash(script)
     begin
@@ -82,6 +96,52 @@ def parse_json(script)
   end
 end
 
+class SuseUpdateFetcher < UpdateFetcher
+  def patches
+    out = zypper_xml('list-updates -t patch')
+    xml = REXML::Document.new(out)
+
+    extract_xml_updates(REXML::XPath.first(xml, '//update-list')) +
+      extract_xml_updates(REXML::XPath.first(xml, '//blocked-update-list'))
+  end
+
+  def updates
+    out = zypper_xml('list-updates')
+    xml = REXML::Document.new(out)
+
+    res = extract_xml_updates(REXML::XPath.first(xml, '//update-list')) +
+          extract_xml_updates(REXML::XPath.first(xml, '//blocked-update-list'))
+
+    { 'available' => res }
+  end
+
+  private
+
+  def zypper_xml(cmd)
+    out = @inspec.command('zypper --xmlout '+cmd)
+    if out.exit_status != 0
+      fail_resource('Cannot retrieve package updates from the OS: '+out.stderr)
+    end
+    out.stdout.force_encoding('UTF-8')
+  end
+
+  def extract_xml_updates(updates_el)
+    res = []
+    return res if updates_el.nil?
+
+    REXML::XPath.each(updates_el, 'update') do |el|
+      a = el.attributes
+      r = { 'name' => a['name'] }
+      r['version'] = a['edition'] unless a['arch'].nil?
+      r['arch'] = a['arch'] unless a['arch'].nil?
+      r['category'] = a['category'] unless a['category'].nil?
+      r['severity'] = a['severity'] unless a['severity'].nil?
+      res.push(r)
+    end
+    res
+  end
+end
+
 class UbuntuUpdateFetcher < UpdateFetcher
   def packages
     ubuntu_packages = ubuntu_base + <<-EOH