inspec/lib/resources/mysql_session.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Dominik Richter
# author: Christoph Hartmann
# author: Aaron Lippold

module Inspec::Resources
  class MysqlSession < Inspec.resource(1)
    name 'mysql_session'
    desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
    example "
      sql = mysql_session('my_user','password','host')
      describe sql.query('show databases like \'test\';') do
        its('stdout') { should_not match(/test/) }
      end
    "

    def initialize(user = nil, pass = nil, host = 'localhost', port = nil, socket = nil)
      @user = user
      @pass = pass
      @host = host
      @port = port
      @socket = socket
      init_fallback if user.nil? or pass.nil?
      skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
    end

    def query(q, db = '')
      # TODO: simple escape, must be handled by a library
      # that does this securely
      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')

      # run the query
      command = "mysql -u#{@user} -p#{@pass}"
      if !@socket.nil?
        command += " -S #{@socket}"
      else
        command += " -h #{@host}"
      end
      command += " --port #{@port}" unless @port.nil?
      command += " #{db} -s -S #{@socket} -e \"#{escaped_query}\""

      cmd = inspec.command(command)
      out = cmd.stdout + "\n" + cmd.stderr
      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error/
        # skip this test if the server can't run the query
        warn("Can't connect to MySQL instance for SQL checks.")
      end

      # return the raw command output
      cmd
    end

    def to_s
      'MySQL Session'
    end

    private

    def init_fallback
      # support debian mysql administration login
      debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
      return if debian.empty?

      user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
      pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
      return if user.nil? or pass.nil?
      @user = user[1]
      @pass = pass[1]
    end
  end
end
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`# encoding: utf-8`
update copyright header 2015-07-15 13:15:18 +00:00			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Dominik Richter`
			`# author: Christoph Hartmann`
updated to have feature parity with other sql resources Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-05-06 00:06:28 +00:00			`# author: Aaron Lippold`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
			`class MysqlSession < Inspec.resource(1)`
			`name 'mysql_session'`
			`desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'`
			`example "`
updated to have feature parity with other sql resources Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-05-06 00:06:28 +00:00			`sql = mysql_session('my_user','password','host')`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe sql.query('show databases like \'test\';') do`
Use only strings in resource examples, docs and tests 2016-05-03 22:14:33 +00:00			`its('stdout') { should_not match(/test/) }`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`end`
			`"`

Mysql socket (#1933) * showing how to shellout in docs Signed-off-by: Richard Shade <rshade@rightscale.com> * adding basic example Signed-off-by: Richard Shade <rshade@rightscale.com> * cleanup Signed-off-by: Richard Shade <rshade@rightscale.com> * adding in mysql socket, as this doesn't work with non-default installs Signed-off-by: Richard Shade <rshade@rightscale.com> * updating per peer review to make socket not a req, and adding port Signed-off-by: Richard Shade <rshade@rightscale.com> * updating docs Signed-off-by: Richard Shade <rshade@rightscale.com> 2017-06-23 15:28:15 +00:00			`def initialize(user = nil, pass = nil, host = 'localhost', port = nil, socket = nil)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`@user = user`
			`@pass = pass`
updated to have feature parity with other sql resources Signed-off-by: Aaron Lippold <lippold@gmail.com> 2017-05-06 00:06:28 +00:00			`@host = host`
Mysql socket (#1933) * showing how to shellout in docs Signed-off-by: Richard Shade <rshade@rightscale.com> * adding basic example Signed-off-by: Richard Shade <rshade@rightscale.com> * cleanup Signed-off-by: Richard Shade <rshade@rightscale.com> * adding in mysql socket, as this doesn't work with non-default installs Signed-off-by: Richard Shade <rshade@rightscale.com> * updating per peer review to make socket not a req, and adding port Signed-off-by: Richard Shade <rshade@rightscale.com> * updating docs Signed-off-by: Richard Shade <rshade@rightscale.com> 2017-06-23 15:28:15 +00:00			`@port = port`
			`@socket = socket`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`init_fallback if user.nil? or pass.nil?`
			`skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?`
add inline documentation 2015-11-27 13:02:38 +00:00			`end`
migrate all mysql resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:41:48 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def query(q, db = '')`
			`# TODO: simple escape, must be handled by a library`
			`# that does this securely`
			`escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')`

			`# run the query`
Mysql socket (#1933) * showing how to shellout in docs Signed-off-by: Richard Shade <rshade@rightscale.com> * adding basic example Signed-off-by: Richard Shade <rshade@rightscale.com> * cleanup Signed-off-by: Richard Shade <rshade@rightscale.com> * adding in mysql socket, as this doesn't work with non-default installs Signed-off-by: Richard Shade <rshade@rightscale.com> * updating per peer review to make socket not a req, and adding port Signed-off-by: Richard Shade <rshade@rightscale.com> * updating docs Signed-off-by: Richard Shade <rshade@rightscale.com> 2017-06-23 15:28:15 +00:00			`command = "mysql -u#{@user} -p#{@pass}"`
fix mysql resource (#1971) Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2017-06-27 10:26:47 +00:00			`if !@socket.nil?`
Mysql socket (#1933) * showing how to shellout in docs Signed-off-by: Richard Shade <rshade@rightscale.com> * adding basic example Signed-off-by: Richard Shade <rshade@rightscale.com> * cleanup Signed-off-by: Richard Shade <rshade@rightscale.com> * adding in mysql socket, as this doesn't work with non-default installs Signed-off-by: Richard Shade <rshade@rightscale.com> * updating per peer review to make socket not a req, and adding port Signed-off-by: Richard Shade <rshade@rightscale.com> * updating docs Signed-off-by: Richard Shade <rshade@rightscale.com> 2017-06-23 15:28:15 +00:00			`command += " -S #{@socket}"`
			`else`
			`command += " -h #{@host}"`
			`end`
			`command += " --port #{@port}" unless @port.nil?`
			`command += " #{db} -s -S #{@socket} -e \"#{escaped_query}\""`

			`cmd = inspec.command(command)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`out = cmd.stdout + "\n" + cmd.stderr`
fix mysql resource (#1971) Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2017-06-27 10:26:47 +00:00			`if out =~ /Can't connect to .* MySQL server/ \|\| out.downcase =~ /^error/`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# skip this test if the server can't run the query`
fix mysql resource (#1971) Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2017-06-27 10:26:47 +00:00			`warn("Can't connect to MySQL instance for SQL checks.")`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`end`

			`# return the raw command output`
			`cmd`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`
lint mysql Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-26 09:56:49 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def to_s`
			`'MySQL Session'`
			`end`
add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`private`
feature: mysql resource with debian login + skipping policy Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 13:24:35 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def init_fallback`
			`# support debian mysql administration login`
			`debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout`
			`return if debian.empty?`
lint resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-09-09 16:37:16 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`user = debian.match(/^\suser\s=\s([^ ])\s*$/)`
			`pass = debian.match(/^\spassword\s=\s([^ ])\s*$/)`
			`return if user.nil? or pass.nil?`
			`@user = user[1]`
			`@pass = pass[1]`
			`end`
feature: mysql resource with debian login + skipping policy Signed-off-by: Dominik Richter <dominik@vulcanosec.com> 2015-06-22 13:24:35 +00:00			`end`
import resources Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-04-09 20:01:23 +00:00			`end`