2015-04-09 20:01:23 +00:00
|
|
|
# encoding: utf-8
|
2015-07-15 13:15:18 +00:00
|
|
|
# copyright: 2015, Vulcano Security GmbH
|
2015-10-06 16:55:44 +00:00
|
|
|
# author: Dominik Richter
|
|
|
|
# author: Christoph Hartmann
|
2015-04-09 20:01:23 +00:00
|
|
|
# license: All rights reserved
|
|
|
|
|
2015-08-28 19:37:03 +00:00
|
|
|
class Lines
|
2015-09-03 18:43:58 +00:00
|
|
|
def initialize(raw, desc)
|
2015-08-28 19:37:03 +00:00
|
|
|
@raw = raw
|
|
|
|
@desc = desc
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2015-08-28 19:37:03 +00:00
|
|
|
def output
|
|
|
|
@raw
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2015-08-28 19:37:03 +00:00
|
|
|
def lines
|
|
|
|
@raw.split("\n")
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2015-08-28 19:37:03 +00:00
|
|
|
def to_s
|
|
|
|
@desc
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-10-26 15:47:45 +00:00
|
|
|
class PostgresSession < Inspec.resource(1)
|
|
|
|
name 'postgres_session'
|
2015-11-27 13:02:38 +00:00
|
|
|
desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
|
|
|
|
example "
|
|
|
|
sql = postgres_session('username', 'password')
|
|
|
|
|
|
|
|
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
|
|
|
its('output') { should eq('') }
|
|
|
|
end
|
|
|
|
"
|
2015-10-26 15:47:45 +00:00
|
|
|
|
2015-09-03 18:43:58 +00:00
|
|
|
def initialize(user, pass)
|
2015-04-09 20:01:23 +00:00
|
|
|
@user = user || 'postgres'
|
|
|
|
@pass = pass
|
|
|
|
end
|
|
|
|
|
2015-10-26 15:59:46 +00:00
|
|
|
def query(query, db = [], &block)
|
2015-09-05 14:07:54 +00:00
|
|
|
dbs = db.map { |x| "-d #{x}" }.join(' ')
|
2015-04-09 20:01:23 +00:00
|
|
|
# TODO: simple escape, must be handled by a library
|
|
|
|
# that does this securely
|
2015-09-05 14:07:54 +00:00
|
|
|
escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
|
2015-04-09 20:01:23 +00:00
|
|
|
# run the query
|
2015-10-26 03:04:18 +00:00
|
|
|
cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -c \"#{escaped_query}\"")
|
2015-04-09 20:01:23 +00:00
|
|
|
out = cmd.stdout + "\n" + cmd.stderr
|
2015-05-14 16:29:55 +00:00
|
|
|
if out =~ /could not connect to .*/ or
|
2015-04-09 20:01:23 +00:00
|
|
|
out.downcase =~ /^error/
|
|
|
|
# skip this test if the server can't run the query
|
2015-09-05 14:07:54 +00:00
|
|
|
RSpec.describe(cmd) do
|
2015-09-03 21:18:28 +00:00
|
|
|
it 'is skipped', skip: out do
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
else
|
2015-10-26 03:39:16 +00:00
|
|
|
# remove the whole header (i.e. up to the first ^-----+------+------$)
|
|
|
|
# remove the tail
|
|
|
|
lines = cmd.stdout
|
2016-01-15 02:59:00 +00:00
|
|
|
.sub(/(.*\n)+([-]+[+])*[-]+\n/, '')
|
|
|
|
.sub(/\n[^\n]*\n\n$/, '')
|
2015-08-28 19:37:03 +00:00
|
|
|
l = Lines.new(lines.strip, "PostgreSQL query: #{query}")
|
2015-09-05 14:07:54 +00:00
|
|
|
RSpec.__send__('describe', l, &block)
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|