From 964a5142f7905e10d15c78b7e6be36c09028373f Mon Sep 17 00:00:00 2001 From: Vasu1105 Date: Fri, 25 Jun 2021 13:59:21 +0530 Subject: [PATCH] Revert changes for password authentication removal Signed-off-by: Vasu1105 --- lib/inspec/resources/postgres.rb | 11 ++++++++--- lib/inspec/resources/postgres_session.rb | 16 +++++----------- test/unit/resources/postgres_session_test.rb | 19 ++++++++++++------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/lib/inspec/resources/postgres.rb b/lib/inspec/resources/postgres.rb index 2b56ede3e..26f0b02db 100644 --- a/lib/inspec/resources/postgres.rb +++ b/lib/inspec/resources/postgres.rb @@ -47,7 +47,7 @@ module Inspec::Resources end elsif inspec.os.windows? dir = "C:\\Program Files\\PostgreSQL" - @version = version_from_dir_windows(dir) + @version = version_from_psql || version_from_dir_windows(dir) unless @version.to_s.empty? @data_dir = "#{dir}\\#{@version}\\data\\" end @@ -92,11 +92,16 @@ module Inspec::Resources def version_from_psql return unless inspec.command("psql").exist? - version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") + if inspec.os.windows? + version = inspec.command("psql --version | awk '{ print $NF }'").stdout.strip.split(".") + else + version = inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip.split(".") + end + if version.first.to_i >= 10 version.first else - version = "#{version[0]}.#{version[1]}" + "#{version[0]}.#{version[1]}" end end diff --git a/lib/inspec/resources/postgres_session.rb b/lib/inspec/resources/postgres_session.rb index 5f7107292..c2a401137 100644 --- a/lib/inspec/resources/postgres_session.rb +++ b/lib/inspec/resources/postgres_session.rb 
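Review bot: `version_from_psql` can return the string `"."` instead of nil when the command prints nothing, for example if `awk` is not available on the Windows target (an assumption; the hunk does not show how the pipeline is executed there). Empty stdout splits to `[]`, `version.first.to_i` is 0, and the else branch interpolates two nils. Because `"."` is truthy and non-empty, the new `version_from_psql || version_from_dir_windows(dir)` in the first hunk never falls back, and `@data_dir` is built from it. A guard such as `return if version.empty?` placed right after the `if`/`else` that assigns `version` keeps the fallback working. Parsing the `psql --version` output in Ruby would remove the `awk` dependency altogether.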
@@ -42,11 +42,10 @@ module Inspec::Resources def initialize(user, pass = nil, host = nil, port = nil) @user = user || "postgres" - # passing PGPASSWORD does not work for windows so we are not making password as mandatory. User needs to hand it thorought the .pgpass file or trust authentication - # mechanisum of the PostgreSQL database. @pass = pass @host = host || "localhost" @port = port || 5432 + raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil? test_connection end @@ -55,8 +54,7 @@ module Inspec::Resources raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed? psql_cmd = create_psql_cmd(query, db) - - cmd = inspec.command(psql_cmd, redact_regex: /(PGPASSWORD=').+(' psql .*)/) + cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)}) out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/ raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}" @@ -76,15 +74,11 @@ module Inspec::Resources end def create_psql_cmd(query, db = []) - dbs = db.map { |x| "-d #{x}" }.join(" ") + dbs = db.map { |x| "#{x}" }.join(" ") if inspec.os.windows? - "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c '#{query}'" + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\"" else - if @pass.nil? - "psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" - else - "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -p #{@port} -A -t -c #{escaped_query(query)}" - end + "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}" end end end diff --git a/test/unit/resources/postgres_session_test.rb b/test/unit/resources/postgres_session_test.rb index 9187b1a06..3ce815737 100644 --- a/test/unit/resources/postgres_session_test.rb 
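Review bot: The `@user.nil?` half of the new guard in `initialize` can never be true, because `@user` has already been defaulted with `user || "postgres"` at the top of the method, so only a nil password triggers the failure. An empty-string password still passes the guard and later yields a `user:@host` URI that, combined with `-w`, fails only at connection time. `if @pass.to_s.empty?` states the real condition. The removed comment about `.pgpass` and trust authentication should be replaced by one saying that a password is now mandatory and why, since callers relying on those mechanisms will start failing.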
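Review bot: The new `redact_regex` matches only when the user name consists of lowercase ASCII letters, because of the `[a-z]*` between `://` and the colon. With a user name that contains a digit, an underscore or an uppercase letter the pattern does not match at all, and the password in the connection URI would be left unredacted wherever the command string is printed. Accepting anything up to the first colon closes the gap: `redact_regex: %r{(://[^:@/\s]*:).*(@)}`. The greedy `.*` is worth keeping so that a password which itself contains `@` is still covered in full. The enclosing method starts and ends outside the hunk.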
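Review bot: `create_psql_cmd` now interpolates `@user`, `@pass`, `@host` and the database names into the connection URI with neither percent-encoding nor shell quoting; only `query` goes through `escaped_query`, and on the Windows branch not even that. A password containing `@`, `:`, `/`, a space or a shell metacharacter will change how psql parses the URI or be interpreted by the shell, and the password now sits in psql's own arguments, where it is typically visible in process listings on the target while the query runs. `db.map { |x| "#{x}" }.join(" ")` also produces an invalid URI path when more than one database is passed. The sketch below percent-encodes each component and passes the finished URI through the same escaping as the query; it assumes a single database and needs `erb` loaded for `ERB::Util.url_encode`. The Windows branch needs equivalent quoting for the URI and for double quotes embedded in `query`.

```ruby
def create_psql_cmd(query, db = [])
  # Percent-encode every URI component so "@", ":" or "/" inside a
  # credential cannot change how psql parses the connection URI.
  enc = ->(part) { ERB::Util.url_encode(part.to_s) }
  uri = "postgresql://#{enc.(@user)}:#{enc.(@pass)}@#{@host}:#{@port}/#{enc.(db.first)}"
  if inspec.os.windows?
    # … unchanged: Windows branch (still needs its own quoting for uri and query) …
  else
    # The URI is a shell word like the query, so it gets the same escaping.
    "psql -d #{escaped_query(uri)} -A -t -w -c #{escaped_query(query)}"
  end
end
```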
+++ b/test/unit/resources/postgres_session_test.rb 
@@ -6,27 +6,32 @@ require "inspec/resources/command" describe "Inspec::Resources::PostgresSession" do it "verify postgres_session create_psql_cmd with a basic query" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432) - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end it "verify postgres_session escaped_query with a complex query" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432) - _(resource.send(:create_psql_cmd, "SELECT current_setting('client_min_messages')", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)" + _(resource.send(:create_psql_cmd, "SELECT current_setting('client_min_messages')", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ current_setting\\(\\'client_min_messages\\'\\)" end it "verify postgres_session redacts output" do - cmd = %q{PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c "SELECT current_setting('client_min_messages')"} - options = { redact_regex: /(PGPASSWORD=').+(' psql .*)/ } + cmd = %q{psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c "SELECT current_setting('client_min_messages')"} + options = { redact_regex: %r{(:\/\/[a-z]*:).*(@)} } resource = load_resource("command", cmd, options) - expected_to_s = %q{Command: `PGPASSWORD='REDACTED' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c "SELECT current_setting('client_min_messages')"`} + expected_to_s = %q{Command: `psql -d 
postgresql://myuser:REDACTED@127.0.0.1:5432/testdb -A -t -w -c "SELECT current_setting('client_min_messages')"`} _(resource.to_s).must_equal(expected_to_s) end it "verify postgres_session works with empty port value" do resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1") - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h 127.0.0.1 -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@127.0.0.1:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" end it "verify postgres_session works with empty host and port value" do resource = load_resource("postgres_session", "myuser", "mypass") - _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "PGPASSWORD='mypass' psql -U myuser -d testdb -h localhost -p 5432 -A -t -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@localhost:5432/testdb -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" + end + it "fails when no user, password" do + resource = load_resource("postgres_session", nil, nil, "localhost", 5432) + _(resource.resource_failed?).must_equal true + _(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication." end it "fails when no connection established" do resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432)
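Review bot: The redaction test exercises only a lowercase alphabetic user name (`myuser`), which is the one shape the `[a-z]*` in `redact_regex` accepts, so it cannot catch a password left unredacted for any other user name. I would add a case with a user such as `my_user1` and a password containing `@` (both constructed examples), asserting that `REDACTED` replaces the whole password. Separately, `"fails when no user, password"` passes `nil` for the user, but `initialize` defaults that to `postgres`, so the test really covers only the missing password. Renaming it to say so would avoid the wrong impression.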