inspec/lib/resources/ssl.rb

# encoding: utf-8
# copyright: 2015, Chef Software Inc.
# author: Dominik Richter
# author: Christoph Hartmann

require 'sslshake'
require 'utils/filter'
require 'uri'
require 'parallel'

# Custom resource based on the InSpec resource DSL
class SSL < Inspec.resource(1)
  name 'ssl'

  desc "
    SSL test resource
  "

  example "
    describe ssl(port: 443) do
      it { should be_enabled }
    end

    # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
    describe ssl(port: 443).protocols('ssl2') do
      it { should_not be_enabled }
    end

    # any ciphers, filter by name or regex
    describe ssl(port: 443).ciphers(/rc4/i) do
      it { should_not be_enabled }
    end
  "

  VERSIONS = [
    'ssl2',
    'ssl3',
    'tls1.0',
    'tls1.1',
    'tls1.2',
  ].freeze

  attr_reader :host, :port, :timeout, :retries

  def initialize(opts = {})
    @host = opts[:host]
    if @host.nil?
      # Transports like SSH and WinRM will provide a hostname
      if inspec.backend.respond_to?('hostname')
        @host = inspec.backend.hostname
      elsif inspec.backend.class.to_s == 'Train::Transports::Local::Connection'
        @host = 'localhost'
      end
    end
    @port = opts[:port] || 443
    @timeout = opts[:timeout]
    @retries = opts[:retries]
  end

  filter = FilterTable.create
  filter.add(:enabled?) do |x|
    raise 'Cannot determine host for SSL test. Please specify it or use a different target.' if x.resource.host.nil?
    x.handshake.values.any? { |i| i['success'] }
  end
  filter.add_accessor(:where)
        .add_accessor(:entries)
        .add(:ciphers, field: 'cipher')
        .add(:protocols, field: 'protocol')
        .add(:handshake) { |x|
          groups = x.entries.group_by(&:protocol)
          res = Parallel.map(groups, in_threads: 8) do |proto, e|
            [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
              protocol: proto, ciphers: e.map(&:cipher),
              timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
          end
          Hash[res]
        }
        .connect(self, :scan_config)

  def to_s
    "SSL/TLS on #{@host}:#{@port}"
  end

  private

  def scan_config
    [
      { 'protocol' => 'ssl2', 'ciphers' => SSLShake::SSLv2::CIPHERS.keys },
      { 'protocol' => 'ssl3', 'ciphers' => SSLShake::TLS::SSL3_CIPHERS.keys },
      { 'protocol' => 'tls1.0', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },
      { 'protocol' => 'tls1.1', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },
      { 'protocol' => 'tls1.2', 'ciphers' => SSLShake::TLS::TLS_CIPHERS.keys },
    ].map do |line|
      line['ciphers'].map do |cipher|
        { 'protocol' => line['protocol'], 'cipher' => cipher }
      end
    end.flatten
  end
end
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Chef Software Inc.`
			`# author: Dominik Richter`
			`# author: Christoph Hartmann`

			`require 'sslshake'`
			`require 'utils/filter'`
handled hostname differently for WinRM::Connection parallelize protocol checks to speed up the scan 2016-09-06 20:45:52 +00:00			`require 'uri'`
			`require 'parallel'`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00
			`# Custom resource based on the InSpec resource DSL`
			`class SSL < Inspec.resource(1)`
			`name 'ssl'`

			`desc "`
			`SSL test resource`
			`"`

			`example "`
			`describe ssl(port: 443) do`
			`it { should be_enabled }`
			`end`

			`# protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2`
			`describe ssl(port: 443).protocols('ssl2') do`
			`it { should_not be_enabled }`
			`end`

			`# any ciphers, filter by name or regex`
			`describe ssl(port: 443).ciphers(/rc4/i) do`
			`it { should_not be_enabled }`
			`end`
			`"`

			`VERSIONS = [`
			`'ssl2',`
			`'ssl3',`
			`'tls1.0',`
			`'tls1.1',`
			`'tls1.2',`
			`].freeze`

fix nil timeout and retries Signed-off-by: Alex Pop <apop@chef.io> 2016-10-26 16:19:56 +00:00			`attr_reader :host, :port, :timeout, :retries`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00
			`def initialize(opts = {})`
ssl resource to use inspec.backend.hostname and require train 0.19.1 2016-09-16 09:41:22 +00:00			`@host = opts[:host]`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`if @host.nil?`
ssl resource to use inspec.backend.hostname and require train 0.19.1 2016-09-16 09:41:22 +00:00			`# Transports like SSH and WinRM will provide a hostname`
			`if inspec.backend.respond_to?('hostname')`
			`@host = inspec.backend.hostname`
			`elsif inspec.backend.class.to_s == 'Train::Transports::Local::Connection'`
			`@host = 'localhost'`
			`end`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`end`
			`@port = opts[:port] \|\| 443`
			`@timeout = opts[:timeout]`
			`@retries = opts[:retries]`
			`end`

			`filter = FilterTable.create`
ssl resource: properly raise error when unable to determine if port is enabled (#2205) * Move raise condition for host into enabled method This is related to #1205. This will fix the ssl resource for now until we redo the exceptions. Still looking around the code and need to build some unit tests for the ssl resource. My fix here is to move the raise condition till later in the flow, specifically the enabled? method. This lets the raise get caught accordingly without killing the other tests. Signed-off-by: Jared Quick <jquick@chef.io> * Remove authors from ssl resource test Signed-off-by: Jared Quick <jquick@chef.io> 2017-10-06 17:38:22 +00:00			`filter.add(:enabled?) do \|x\|`
			`raise 'Cannot determine host for SSL test. Please specify it or use a different target.' if x.resource.host.nil?`
			`x.handshake.values.any? { \|i\| i['success'] }`
			`end`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`filter.add_accessor(:where)`
			`.add_accessor(:entries)`
			`.add(:ciphers, field: 'cipher')`
			`.add(:protocols, field: 'protocol')`
			`.add(:handshake) { \|x\|`
			`groups = x.entries.group_by(&:protocol)`
handled hostname differently for WinRM::Connection parallelize protocol checks to speed up the scan 2016-09-06 20:45:52 +00:00			`res = Parallel.map(groups, in_threads: 8) do \|proto, e\|`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`[proto, SSLShake.hello(x.resource.host, port: x.resource.port,`
			`protocol: proto, ciphers: e.map(&:cipher),`
Adding SNI utilization to ssl resource SSL resource now adds the servername option in client hello, utilizing the the great work of @adamcaudill to support SNI in sslshake [1] [1] https://github.com/arlimus/sslshake/pull/5 Signed-off-by: Christoph Kappel <kappel.christoph@gmail.com> 2017-04-04 09:09:15 +00:00			`timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]`
add ssl resource (early access) 2016-08-15 05:15:06 +00:00			`end`
			`Hash[res]`
			`}`
			`.connect(self, :scan_config)`

			`def to_s`
			`"SSL/TLS on #{@host}:#{@port}"`
			`end`

			`private`

			`def scan_config`
			`[`
			`{ 'protocol' => 'ssl2', 'ciphers' => SSLShake::SSLv2::CIPHERS.keys },`
			`{ 'protocol' => 'ssl3', 'ciphers' => SSLShake::TLS::SSL3_CIPHERS.keys },`
			`{ 'protocol' => 'tls1.0', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },`
			`{ 'protocol' => 'tls1.1', 'ciphers' => SSLShake::TLS::TLS10_CIPHERS.keys },`
			`{ 'protocol' => 'tls1.2', 'ciphers' => SSLShake::TLS::TLS_CIPHERS.keys },`
			`].map do \|line\|`
			`line['ciphers'].map do \|cipher\|`
			`{ 'protocol' => line['protocol'], 'cipher' => cipher }`
			`end`
			`end.flatten`
			`end`
			`end`