inspec/lib/resources/mysql_session.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# license: All rights reserved

$__SCOPE = self

class MysqlSession < Vulcano.resource(1)
  name 'mysql_session'

  def initialize(user, pass)
    @user = user
    @pass = pass
    initialize_fallback if user.nil? or pass.nil?
    skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
  end

  def describe(query, db = '', &block)
    # TODO: simple escape, must be handled by a library
    # that does this securely
    escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
    # run the query
    cmd = vulcano.run_command("mysql -u#{@user} -p#{@pass} #{db} -s -e \"#{escaped_query}\"")
    out = cmd.stdout + "\n" + cmd.stderr
    if out =~ /Can't connect to .* MySQL server/ or
       out.downcase =~ /^error/
      # skip this test if the server can't run the query
      skip_resource("Can't connect to MySQL instance for SQL checks.")
    else
      $__SCOPE.describe(cmd, &block)
    end
  end

  private

  def initialize_fallback
    # support debian mysql administration login
    debian = vulcano.run_command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
    unless debian.empty?
      user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
      pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
      return if user.nil? or pass.nil?
      @user = user[1]
      @pass = pass[1]
      return
    end
  end
end
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# encoding: utf-8`
update copyright header 2015-07-15 13:15:18 +00:00			`# copyright: 2015, Vulcano Security GmbH`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# license: All rights reserved`

bugfix scope Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 16:21:09 +00:00			`$__SCOPE = self`
bugfix: scoping for ubuntu's ruby version Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 15:57:07 +00:00
migrate all mysql resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:41:48 +00:00			`class MysqlSession < Vulcano.resource(1)`
			`name 'mysql_session'`

harmonize method definition style 2015-09-03 18:43:58 +00:00			`def initialize(user, pass)`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`@user = user`
			`@pass = pass`
feature: mysql resource with debian login + skipping policy Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 13:24:35 +00:00			`initialize_fallback if user.nil? or pass.nil?`
bugfix: mysql resouce skipping and checking Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 14:18:40 +00:00			`skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`

fix rubocop issues 2015-09-05 14:07:54 +00:00			`def describe(query, db = '', &block)`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# TODO: simple escape, must be handled by a library`
			`# that does this securely`
fix rubocop issues 2015-09-05 14:07:54 +00:00			`escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# run the query`
rename backend reference @vulcano -> vulcano Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-30 02:33:15 +00:00			`cmd = vulcano.run_command("mysql -u#{@user} -p#{@pass} #{db} -s -e \"#{escaped_query}\"")`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`out = cmd.stdout + "\n" + cmd.stderr`
			`if out =~ /Can't connect to .* MySQL server/ or`
			`out.downcase =~ /^error/`
			`# skip this test if the server can't run the query`
bugfix: mysql dynamic describe Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 14:33:22 +00:00			`skip_resource("Can't connect to MySQL instance for SQL checks.")`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`else`
bugfix: scoping for ubuntu's ruby version Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 15:57:07 +00:00			`$__SCOPE.describe(cmd, &block)`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
			`end`

feature: mysql resource with debian login + skipping policy Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 13:24:35 +00:00			`private`

			`def initialize_fallback`
			`# support debian mysql administration login`
more rubocop fixes 2015-09-04 07:59:30 +00:00			`debian = vulcano.run_command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout`
feature: mysql resource with debian login + skipping policy Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 13:24:35 +00:00			`unless debian.empty?`
			`user = debian.match(/^\suser\s=\s([^ ])\s*$/)`
			`pass = debian.match(/^\spassword\s=\s([^ ])\s*$/)`
			`return if user.nil? or pass.nil?`
			`@user = user[1]`
			`@pass = pass[1]`
			`return`
			`end`
			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`