inspec/lib/resources/postgres_session.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Dominik Richter
# author: Christoph Hartmann
# author: Aaron Lippold

require 'shellwords'

module Inspec::Resources
  class Lines
    attr_reader :output

    def initialize(raw, desc)
      @output = raw
      @desc = desc
    end

    def lines
      output.split("\n")
    end

    def to_s
      @desc
    end
  end

  class PostgresSession < Inspec.resource(1)
    name 'postgres_session'
    desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
    example "
      sql = postgres_session('username', 'password', 'host')
      query('sql_query', ['database_name'])` contains the query and (optional) database to execute

      # default values:
      # username: 'postgres'
      # host: 'localhost'
      # db: databse == db_user running the sql query

      describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
        its('output') { should eq '' }
      end
    "

    def initialize(user, pass, host = nil)
      @user = user || 'postgres'
      @pass = pass
      @host = host || 'localhost'
    end

    def query(query, db = [])
      psql_cmd = create_psql_cmd(query, db)
      cmd = inspec.command(psql_cmd)
      out = cmd.stdout + "\n" + cmd.stderr
      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
        skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
      else
        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
      end
    end

    private

    def escaped_query(query)
      Shellwords.escape(query)
    end

    def create_psql_cmd(query, db = [])
      dbs = db.map { |x| "-d #{x}" }.join(' ')
      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
    end
  end
end
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# encoding: utf-8`
update copyright header 2015-07-15 13:15:18 +00:00			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Dominik Richter`
			`# author: Christoph Hartmann`
psql doesn't print headers + extra output + cconfigurable host + docs Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-04-25 23:33:10 +00:00			`# author: Aaron Lippold`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
updated postgres_session resource properly escape queries (#1939) * fixed a small courner case in the error detection - error: vs error fixed resource to use 'shellwords' module to escape the query requested chances in method architecture for testing added unit tests Fixes: #1814 Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated resource and tests with requested review changes Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed unneeded call to `escaped_query` in the `create_sql_cmd`. Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed license info Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-07-03 06:10:27 +00:00			`require 'shellwords'`

Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
			`class Lines`
			`attr_reader :output`
resource/postgres_session: add integration tests, change error handling this makes it work (tested with default-ubuntu-1404), but doesn't improve the error handling (i.e., the skip_resource doesn't really prevent the failure) 2015-12-08 11:32:23 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def initialize(raw, desc)`
			`@output = raw`
			`@desc = desc`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def lines`
			`output.split("\n")`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def to_s`
			`@desc`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`

Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`class PostgresSession < Inspec.resource(1)`
			`name 'postgres_session'`
			`desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'`
			`example "`
psql doesn't print headers + extra output + cconfigurable host + docs Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-04-25 23:33:10 +00:00			`sql = postgres_session('username', 'password', 'host')`
			query('sql_query', ['database_name'])` contains the query and (optional) database to execute

			`# default values:`
			`# username: 'postgres'`
			`# host: 'localhost'`
			`# db: databse == db_user running the sql query`
add inline documentation 2015-11-27 13:02:38 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do`
updated postgres_session resource properly escape queries (#1939) * fixed a small courner case in the error detection - error: vs error fixed resource to use 'shellwords' module to escape the query requested chances in method architecture for testing added unit tests Fixes: #1814 Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated resource and tests with requested review changes Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed unneeded call to `escaped_query` in the `create_sql_cmd`. Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed license info Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-07-03 06:10:27 +00:00			`its('output') { should eq '' }`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`end`
			`"`
support postgres_session resource 2015-10-26 15:47:45 +00:00
psql doesn't print headers + extra output + cconfigurable host + docs Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-04-25 23:33:10 +00:00			`def initialize(user, pass, host = nil)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`@user = user \|\| 'postgres'`
			`@pass = pass`
psql doesn't print headers + extra output + cconfigurable host + docs Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-04-25 23:33:10 +00:00			`@host = host \|\| 'localhost'`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def query(query, db = [])`
updated postgres_session resource properly escape queries (#1939) * fixed a small courner case in the error detection - error: vs error fixed resource to use 'shellwords' module to escape the query requested chances in method architecture for testing added unit tests Fixes: #1814 Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated resource and tests with requested review changes Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed unneeded call to `escaped_query` in the `create_sql_cmd`. Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed license info Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-07-03 06:10:27 +00:00			`psql_cmd = create_psql_cmd(query, db)`
			`cmd = inspec.command(psql_cmd)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`out = cmd.stdout + "\n" + cmd.stderr`
updated postgres_session resource properly escape queries (#1939) * fixed a small courner case in the error detection - error: vs error fixed resource to use 'shellwords' module to escape the query requested chances in method architecture for testing added unit tests Fixes: #1814 Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated resource and tests with requested review changes Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed unneeded call to `escaped_query` in the `create_sql_cmd`. Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed license info Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-07-03 06:10:27 +00:00			`if cmd.exit_status != 0 \|\| out =~ /could not connect to ./ \|\| out.downcase =~ /^error:./`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"`
			`else`
psql doesn't print headers + extra output + cconfigurable host + docs Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-04-25 23:33:10 +00:00			`Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
updated postgres_session resource properly escape queries (#1939) * fixed a small courner case in the error detection - error: vs error fixed resource to use 'shellwords' module to escape the query requested chances in method architecture for testing added unit tests Fixes: #1814 Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated resource and tests with requested review changes Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed unneeded call to `escaped_query` in the `create_sql_cmd`. Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed license info Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-07-03 06:10:27 +00:00
			`private`

			`def escaped_query(query)`
			`Shellwords.escape(query)`
			`end`

			`def create_psql_cmd(query, db = [])`
			`dbs = db.map { \|x\| "-d #{x}" }.join(' ')`
			`"PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
			`end`