
Merge pull request from inspec/vasundhara/add_mongodb_session

Add mongodb_session resource and docs.
This commit is contained in:
Clinton Wolfe 2021-07-27 22:54:48 -04:00 committed by GitHub
commit 48c5e22fc0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 220 additions and 7 deletions
docs-chef-io/content/inspec/resources
inspec.gemspec
lib/inspec
test/unit/resources


@ -60,10 +60,3 @@ The following examples show how to use this Chef InSpec audit resource.
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### setting
The `setting` matcher tests specific, named settings in the `mongod.conf` file:
its(['setting') { should eq 'value' }
Use a `setting` matcher for each setting to be tested.


@ -0,0 +1,113 @@
+++
title = "mongodb_session resource"
draft = false
gh_repo = "inspec"
platform = "os"
[menu]
[menu.inspec]
title = "mongodb_session"
identifier = "inspec/resources/os/mongodb_session.md mongodb_session resource"
parent = "inspec/resources/os"
+++
Use the `mongodb_session` Chef InSpec audit resource to run MongoDB command against a MongoDB Database.
## Availability
### Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
## Syntax
A `mongodb_session` resource block declares the `user`, `password`, and `database` to use for the session and then the command to be run:
describe mongodb_session(user: "username", password: "password", database: "test").query(key: value) do
its("params") { should match(/expected-result/) }
end
where
- `mongodb_session` declares a user, password, and database, connecting locally, with permission to run the query.
- `query` contains the query to be run.
- `its("params") { should eq(/expected-result/) }` compares the results of the query against the expected result in the test
### Optional Parameters
The `mongodb_session` InSpec resource accepts `user`, `password`, `host`, `port`, `auth_source`, `auth_mech`, `ssl`, `ssl_cert`, `ssl_ca_cert`, and `auth_mech_properties` parameters.
In Particular:
#### `host`
The server host IP address. Default value: `127.0.0.1`.
#### `port`
The server port. Default value: `27017`.
#### `auth_mech`
The authentication mechanism. The available options are: `:scram`, `:scram256`, `:mongodb_x509`, and `:aws`. Default value: `:scram`.
See the MongoDB documentation on [Ruby driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) for more information.
#### `auth_source`
The database where the users authentication credentials are stored. The default value is the database name that is passed as a parameter to the resource.
#### `ssl`
Whether to use the SSL security protocol or not. Set to `true` to use SSL transport, default value: `false`. See the MongoDB documentation on [Ruby Driver authentication](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#client-certificate-x-509) for more information.
#### 'ssl_cert'
Path to the SSL certificate file.
#### `ssl_ca_cert`
Path to the SSL Certificate Authority (CA) certificate file.
#### `ssl_key`
Path to SSL key file.
#### `auth_mech_properties`
A hash of the authentication mechanism properties. This option is generally used with the AWS authentication mechanism. See the MongoDB documentation on [Ruby Driver authentication using AWS](https://docs.mongodb.com/ruby-driver/current/reference/authentication/#aws) for more information.
### MongodDB Query Reference Documentation
This resource uses the [MongoDB Ruby Driver](https://docs.mongodb.com/ruby-driver/current/reference/authentication/) to fetch the data.
## Examples
The following examples show how to use this Chef InSpec audit resource.
### Test the roles information using the `rolesInfo` command in MongoDB.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin").params["roles"].first do
its(["role"]) { should eq "dbAdmin" }
end
### Test the MongoDB user role.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "foo").params["users"].first["roles"].first do
its(["role"]) { should eq "readWrite" }
end
### Test the database parameters.
describe mongodb_session(user: "foo", password: "bar", database: "test").query(rolesInfo: "dbAdmin") do
its("params") { should_not be_empty }
its("params") { should include "roles" }
end
## Matchers
For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
### params
The `params` contains all the query data.


@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
spec.add_dependency "train-habitat", "~> 0.1"
spec.add_dependency "train-aws", "~> 0.1"
spec.add_dependency "train-winrm", "~> 0.2"
spec.add_dependency "mongo"
end
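Review bot: `spec.add_dependency "mongo"` on the line above carries no version constraint, unlike the neighbouring `train-*` dependencies that each pin a `~>` range, so a future major release of the driver (option renames, changed TLS or auth defaults) would be pulled in silently by any fresh bundle. Pinning to the range the resource was developed against, e.g. `spec.add_dependency "mongo", "~> <tested-major.minor>"` with the real version filled in, keeps this new runtime dependency bounded to a reviewed release line.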


@ -73,6 +73,7 @@ require "inspec/resources/limits_conf"
require "inspec/resources/login_defs"
require "inspec/resources/mongodb"
require "inspec/resources/mongodb_conf"
require "inspec/resources/mongodb_session"
require "inspec/resources/mount"
require "inspec/resources/mssql_session"
require "inspec/resources/mysql"


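--- /dev/null
+++ b/lib/inspec/resources/mongodb_session.rb
@@ -0,0 +1,88 @@
+require "mongo"
+module Inspec::Resources
+class Lines
+attr_reader :params
+def initialize(raw, desc)
+@params = raw
+@desc = desc
+end
+def to_s
+@desc
+end
+end
+class MongodbSession < Inspec.resource(1)
+name "mongodb_session"
+supports platform: "unix"
+supports platform: "windows"
+desc "Use the mongodb_session InSpec audit resource to run MongoDB command against a MongoDB Database."
+example <<~EXAMPLE
+# default values:
+# host: "127.0.0.1"
+# port: "27017"
+# auth_source - default to database name
+# auth_mech - :scram
+describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "ian").params["users"].first["roles"].first do
+its(["role"]) { should eq "readWrite" }
+end
+EXAMPLE
+attr_reader :user, :host, :port, :database, :params
+def initialize(opts = {})
+@user = opts[:user] || nil
+@password = opts[:password] || nil
+@host = opts[:host] || "127.0.0.1"
+@port = opts[:port] || "27017"
+@database = opts[:database] || nil
+@auth_mech = opts[:auth_mech] || :scram
+@auth_source = opts[:auth_source] || @database
+@ssl = opts[:ssl] || false
+@ssl_cert = opts[:ssl_cert] || nil
+@ssl_key = opts[:ssl_key] || nil
+@ssl_ca_cert = opts[:ssl_ca_cert] || nil
+@auth_mech_properties = opts[:auth_mech_properties] || {}
+@client = nil
+fail_resource "Can't run MongoDB checks without authentication." unless user && @password
+fail_resource "You must provide a database name for the session." unless database
+create_session
+end
+def query(command)
+raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}")
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}"
+end
+private
+def create_session
+raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+options = { user: "#{user}",
+password: "#{@password}",
+database: "#{database}",
+auth_source: "#{@auth_source}",
+auth_mech: @auth_mech,
+}
+options[:auth_mech_properties] = @auth_mech_properties unless @auth_mech_properties.empty?
+options[:ssl] = @ssl
+opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?
+options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
+options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
+@client = Mongo::Client.new([ "#{host}:#{port}" ], options)
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command. Error: #{e.message}"
+end
+end
+end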
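Review bot: `opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?` in create_session misspells the hash name, so any caller that passes `ssl_key` raises a NameError that the `rescue => e` below converts into a ResourceFailed, and the client key is never handed to the driver; it should read `options[:ssl_key] = @ssl_key unless @ssl_key.nil?`. That is exactly the path the documented X.509 client-certificate mechanism (`auth_mech: :mongodb_x509`) depends on, and neither unit test in this commit exercises the TLS options. The blanket `rescue => e` in query presumably also catches the ResourceFailed raised on its own first line and re-wraps it with a second "Can't run MongoDB command" prefix; re-raising `Inspec::Exceptions::ResourceFailed` unchanged and wrapping only the driver's errors would keep the message readable. Defining `class Lines` directly under Inspec::Resources reopens any class of the same name that a sibling session resource may define; a resource-specific name or nesting it inside MongodbSession would avoid that.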


@ -0,0 +1,17 @@
require "helper"
require "inspec/resource"
require "inspec/resources/mongodb_session"
describe "Inspec::Resources::MongodbSession" do
it "fails when no user, password" do
resource = load_resource("mongodb_session", host: "localhost", port: 27017, database: "test")
_(resource.resource_failed?).must_equal true
_(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: Can't run MongoDB checks without authentication."
end
it "fails when no database name is provided" do
resource = load_resource("mongodb_session", user: "foo", password: "bar", host: "localhost", port: 27017)
_(resource.resource_failed?).must_equal true
_(resource.resource_exception_message).must_equal "Can't run MongoDB command. Error: You must provide a database name for the session."
end
end
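Review bot: Both expectations pin the full string `"Can't run MongoDB command. Error: Can't run MongoDB checks without authentication."`, which embeds one failure prefix inside another; that double prefix comes from create_session re-wrapping the ResourceFailed it raised itself, and an exact-string assertion locks the clumsy wording in. Asserting on the substantive part with `_(resource.resource_exception_message).must_include "Can't run MongoDB checks without authentication."` (and likewise for the database-name case) tests the validation without freezing the wrapper text. There is also no case covering the TLS options (`ssl_key`, `ssl_cert`, `ssl_ca_cert`); a test that passes `ssl_key:` and checks that the failure message does not name an undefined variable would likely have surfaced the misspelt `opitons` in create_session. The `load_resource` helper comes from `helper`, outside this diff.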