inspec/lib/resources/postgres_session.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Dominik Richter
# author: Christoph Hartmann
# license: All rights reserved

class Lines
  attr_reader :output

  def initialize(raw, desc)
    @output = raw
    @desc = desc
  end

  def lines
    output.split("\n")
  end

  def to_s
    @desc
  end
end

class PostgresSession < Inspec.resource(1)
  name 'postgres_session'
  desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
  example "
    sql = postgres_session('username', 'password')

    describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
      its('output') { should eq('') }
    end
  "

  def initialize(user, pass)
    @user = user || 'postgres'
    @pass = pass
  end

  def query(query, db = [])
    dbs = db.map { |x| "-d #{x}" }.join(' ')
    # TODO: simple escape, must be handled by a library
    # that does this securely
    escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
    # run the query
    cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h localhost -c \"#{escaped_query}\"")
    out = cmd.stdout + "\n" + cmd.stderr
    if cmd.exit_status != 0 or
       out =~ /could not connect to .*/ or
       out.downcase =~ /^error/
      # skip this test if the server can't run the query
      skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
    else
      # remove the whole header (i.e. up to the first ^-----+------+------$)
      # remove the tail
      lines = cmd.stdout
                 .sub(/(.*\n)+([-]+[+])*[-]+\n/, '')
                 .sub(/\n[^\n]*\n\n$/, '')
      Lines.new(lines.strip, "PostgreSQL query: #{query}")
    end
  end
end
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# encoding: utf-8`
update copyright header 2015-07-15 13:15:18 +00:00			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Dominik Richter`
			`# author: Christoph Hartmann`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# license: All rights reserved`

migrated all postgres resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:37:03 +00:00			`class Lines`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`attr_reader :output`

harmonize method definition style 2015-09-03 18:43:58 +00:00			`def initialize(raw, desc)`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`@output = raw`
migrated all postgres resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:37:03 +00:00			`@desc = desc`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
migrated all postgres resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:37:03 +00:00			`def lines`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`output.split("\n")`
migrated all postgres resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:37:03 +00:00			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
migrated all postgres resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:37:03 +00:00			`def to_s`
			`@desc`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
			`end`

support postgres_session resource 2015-10-26 15:47:45 +00:00			`class PostgresSession < Inspec.resource(1)`
			`name 'postgres_session'`
add inline documentation 2015-11-27 13:02:38 +00:00			`desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'`
			`example "`
			`sql = postgres_session('username', 'password')`

			`describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do`
			`its('output') { should eq('') }`
			`end`
			`"`
support postgres_session resource 2015-10-26 15:47:45 +00:00
harmonize method definition style 2015-09-03 18:43:58 +00:00			`def initialize(user, pass)`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`@user = user \|\| 'postgres'`
			`@pass = pass`
			`end`

resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`def query(query, db = [])`
fix rubocop issues 2015-09-05 14:07:54 +00:00			`dbs = db.map { \|x\| "-d #{x}" }.join(' ')`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# TODO: simple escape, must be handled by a library`
			`# that does this securely`
fix rubocop issues 2015-09-05 14:07:54 +00:00			`escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# run the query`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h localhost -c \"#{escaped_query}\"")`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`out = cmd.stdout + "\n" + cmd.stderr`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`if cmd.exit_status != 0 or`
			`out =~ /could not connect to .*/ or`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`out.downcase =~ /^error/`
			`# skip this test if the server can't run the query`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`else`
lint 2015-10-26 03:39:16 +00:00			`# remove the whole header (i.e. up to the first ^-----+------+------$)`
			`# remove the tail`
			`lines = cmd.stdout`
lint 2016-01-15 02:59:00 +00:00			`.sub(/(.\n)+([-]+[+])[-]+\n/, '')`
			`.sub(/\n[^\n]*\n\n$/, '')`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00			`Lines.new(lines.strip, "PostgreSQL query: #{query}")`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
			`end`
			`end`