Merge pull request #5572 from inspec/vasundhara/add_mongodb_session
Add mongodb_session resource and docs.
This commit is contained in:
commit
48c5e22fc0
6 changed files with 220 additions and 7 deletions
|
@ -60,10 +60,3 @@ The following examples show how to use this Chef InSpec audit resource.
|
|||
|
||||
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
|
||||
|
||||
### setting
|
||||
|
||||
The `setting` matcher tests specific, named settings in the `mongod.conf` file:
|
||||
|
||||
its(['setting') { should eq 'value' }
|
||||
|
||||
Use a `setting` matcher for each setting to be tested.
|
||||
|
|
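--- /dev/null
+++ b/docs-chef-io/content/inspec/resources/mongodb_session.md
@@ -0,0 +1,113 @@
++++
+title = "mongodb_session resource"
+draft = false
+gh_repo = "inspec"
+platform = "os"
+
+[menu]
+[menu.inspec]
+title = "mongodb_session"
+identifier = "inspec/resources/os/mongodb_session.md mongodb_session resource"
+parent = "inspec/resources/os"
++++
+
+Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database.
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+## Syntax
+
+A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run:
+
+describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do
+its("params") { should match(/expected-result/) }
+end
+
+where
+
+- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query.
+- `query` contains the query to be run.
+- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test
+
+### Optional Parameters
+
+The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters.
+
+In Particular:
+
+#### `host`
+
+The server host IP address. Default value: `127.0.0.1`.
+
+#### `port`
+
+The server port. Default value: `27017`.
+
+#### `auth_mech`
+
+The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`.
+
+See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information.
+
+#### `auth_source`
+
+The database where the user’s authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource.
+
+#### `ssl`
+
+Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information.
+
+#### 'ssl_cert'
+
+Path to the SSL certificate file.
+
+#### `ssl_ca_cert`
+
+Path to the SSL Certificate Authority (CA) certificate file.
+
+#### `ssl_key`
+
+Path to SSL key file.
+
+#### `auth_mech_properties`
+
+A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information.
+
+### MongodDB Query Reference Documentation
+
+This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data.
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+### Test the roles information using the `rolesInfo` command in MongoDB.
+
+describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do
+its(["role"]) { should eq "dbAdmin" }
+end
+
+### Test the MongoDB user role.
+
+describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do
+its(["role"]) { should eq "readWrite" }
+end
+
+### Test the database parameters.
+
+describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do
+its("params") { should_not be_empty }
+its("params") { should include "roles" }
+end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
+
+### params
+
+The `params` contains all the query data.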
@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
|
|||
spec.add_dependency "train-habitat", "~> 0.1"
|
||||
spec.add_dependency "train-aws", "~> 0.1"
|
||||
spec.add_dependency "train-winrm", "~> 0.2"
|
||||
spec.add_dependency "mongo"
|
||||
end
|
||||
|
|
|
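Review bot: `spec.add_dependency "mongo"` carries no version constraint, while every neighbouring train-* dependency in this gemspec is pinned with `~>`, so any future major release of the mongo gem (API break or a replaced/compromised release) resolves straight into inspec-core with no declared bound. Pin it pessimistically to the series the resource was developed and tested against, e.g. `spec.add_dependency "mongo", "~> 2.14"`, substituting the minor version actually exercised in CI. The enclosing `Gem::Specification.new` block starts outside the hunk.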
@ -73,6 +73,7 @@ require "inspec/resources/limits_conf"
|
|||
require "inspec/resources/login_defs"
|
||||
require "inspec/resources/mongodb"
|
||||
require "inspec/resources/mongodb_conf"
|
||||
require "inspec/resources/mongodb_session"
|
||||
require "inspec/resources/mount"
|
||||
require "inspec/resources/mssql_session"
|
||||
require "inspec/resources/mysql"
|
||||
|
|
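--- /dev/null
+++ b/lib/inspec/resources/mongodb_session.rb
@@ -0,0 +1,88 @@
+require "mongo"
+
+module Inspec::Resources
+class Lines
+attr_reader :params
+
+def initialize(raw, desc)
+@params = raw
+@desc = desc
+end
+
+def to_s
+@desc
+end
+end
+
+class MongodbSession < Inspec.resource(1)
+name "mongodb_session"
+supports platform: "unix"
+supports platform: "windows"
+
+desc "Use the mongodb_session InSpec audit resource to run MongoDB command against a MongoDB Database."
+example <<~EXAMPLE
+# default values:
+# host: "127.0.0.1"
+# port: "27017"
+# auth_source - default to database name
+# auth_mech - :scram
+
+describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "ian").params["users"].first["roles"].first do
+its(["role"]) { should eq "readWrite" }
+end
+EXAMPLE
+attr_reader :user, :host, :port, :database, :params
+
+def initialize(opts = {})
+@user = opts[:user] || nil
+@password = opts[:password] || nil
+@host = opts[:host] || "127.0.0.1"
+@port = opts[:port] || "27017"
+@database = opts[:database] || nil
+@auth_mech = opts[:auth_mech] || :scram
+@auth_source = opts[:auth_source] || @database
+@ssl = opts[:ssl] || false
+@ssl_cert = opts[:ssl_cert] || nil
+@ssl_key = opts[:ssl_key] || nil
+@ssl_ca_cert = opts[:ssl_ca_cert] || nil
+@auth_mech_properties = opts[:auth_mech_properties] || {}
+@client = nil
+
+fail_resource "Can't run MongoDB checks without authentication." unless user && @password
+fail_resource "You must provide a database name for the session." unless database
+
+create_session
+end
+
+def query(command)
+raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}")
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}"
+end
+
+private
+
+def create_session
+raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+options = { user: "#{user}",
+password: "#{@password}",
+database: "#{database}",
+auth_source: "#{@auth_source}",
+auth_mech: @auth_mech,
+}
+options[:auth_mech_properties] = @auth_mech_properties unless @auth_mech_properties.empty?
+options[:ssl] = @ssl
+opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?
+options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
+options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
+
+@client = Mongo::Client.new([ "#{host}:#{port}" ], options)
+
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command. Error: #{e.message}"
+end
+end
+end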
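Review bot: `opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?` in create_session misspells the options hash, so any profile that passes `ssl_key` raises NameError, which the `rescue => e` at the end of the method turns into a ResourceFailed reading "undefined local variable or method `opitons'" — TLS client-key authentication cannot work as shipped, and the line should read `options[:ssl_key] = @ssl_key unless @ssl_key.nil?`. Relatedly, initialize fails the resource unless both user and password are supplied, yet the example block and the docs advertise `:mongodb_x509` and `:aws`, which as far as I can tell the driver authenticates without a password, so those mechanisms look unreachable; either relax the guard to `unless (user && @password) || %i[mongodb_x509 aws].include?(@auth_mech)` or state that only SCRAM is supported. The Mongo::Client built in create_session is never closed, so every resource instance leaves its connection pool and monitor threads alive for the rest of the run; calling `@client.close` once the command in query has returned would bound that. Since `@ssl` defaults to false, the default session (including the SCRAM exchange) runs over plaintext TCP to `host`, which is worth a why-comment on that line and a recommendation in the resource docs to set `ssl: true` with `ssl_ca_cert` for any non-loopback host.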
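--- /dev/null
+++ b/test/unit/resources/mongodb_session_test.rb
@@ -0,0 +1,17 @@
+require "helper"
+require "inspec/resource"
+require "inspec/resources/mongodb_session"
+
+describe "Inspec::Resources::MongodbSession" do
+it "fails when no user, password" do
+resource = load_resource("mongodb_session", host: "localhost", port: 27017, database: "test")
+_(resource.resource_failed?).must_equal true
+_(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: Can't run MongoDB checks without authentication."
+end
+
+it "fails when no database name is provided" do
+resource = load_resource("mongodb_session", user: "foo", password: "bar", host: "localhost", port: 27017)
+_(resource.resource_failed?).must_equal true
+_(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: You must provide a database name for the session."
+end
+end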
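Review bot: Both cases only exercise the argument guards in initialize; nothing drives create_session, so the option hash handed to `Mongo::Client.new` (in particular the `ssl`, `ssl_key`, `ssl_cert` and `ssl_ca_cert` branches) is never asserted and a misspelled hash name in that method would pass this suite. Add a case that stubs the constructor and captures its arguments, e.g. `Mongo::Client.stub(:new, ->(_hosts, opts) { opts }) { load_resource("mongodb_session", user: "foo", password: "bar", database: "test", ssl: true, ssl_key: "/k.pem") }`, then assert the captured hash has `ssl: true` and `ssl_key: "/k.pem"`; whether the test helper already loads minitest/mock for `stub` I cannot tell from this file. A companion case asserting that a driver exception surfaces as ResourceFailed with the "Can't run MongoDB command." prefix would pin the error wrapping these two tests rely on.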