Merge pull request #5937 from inspec/vasundhara/fix-postgres-session-resource

CFINSPEC-154: postgres_session resource allow query errors to be treated as failures.
Clinton Wolfe 2022-03-23 09:44:06 -04:00 committed by GitHub
commit a15280fcc5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 97 additions and 8 deletions


@ -55,8 +55,10 @@ module Inspec::Resources
psql_cmd = create_psql_cmd(query, db) psql_cmd = create_psql_cmd(query, db)
cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)}) cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
out = cmd.stdout + "\n" + cmd.stderr out = cmd.stdout + "\n" + cmd.stderr
if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/ if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}" raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
elsif cmd.exit_status != 0 && out.downcase =~ /error:/
Lines.new(out, "PostgreSQL query with error: #{query}")
else else
Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}") Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
end end
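Review bot: A non-zero psql exit whose output matches neither connection string and contains no `error:` now falls through to the final `else` and is returned as `Lines.new(cmd.stdout.strip, ...)`, as if the query had succeeded, whereas the old condition raised on any non-zero exit. Any connection failure that psql words differently from `could not connect to` or `password authentication failed` is likewise downgraded to ordinary output, so a control using a negative matcher on `output` can pass against a database that was never queried. Keeping the query-error branch but adding a last guard such as `elsif cmd.exit_status != 0` followed by `raise Inspec::Exceptions::ResourceFailed, "PostgreSQL command failed: #{out}"` would keep unknown failures closed. Separately, the context line's `redact_regex` only allows `[a-z]*` for the user name, so a URI whose user contains digits or underscores appears not to be redacted at all. The enclosing `query` method starts and ends outside this hunk.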


@ -0,0 +1 @@
psql: error: could not connect to server: Connection refused\n\tIs the server running on host \"127.0.0.1\" and accepting\n\tTCP/IP connections on port 5432?\n


@ -0,0 +1 @@
psql: error: FATAL: password authentication failed for user "postgres"\nFATAL: password authentication failed for user

1
test/fixtures/cmd/psql-query-error vendored Normal file

@ -0,0 +1 @@
ERROR: must be owner of table accounts\n


@ -50,7 +50,8 @@ module Fake
stdout = stdout_path ? File.read(stdout_path) : "" stdout = stdout_path ? File.read(stdout_path) : ""
stderr = stderr_path ? File.read(stderr_path) : "" stderr = stderr_path ? File.read(stderr_path) : ""
::Fake::Command.new(stdout, stderr, 0) exit_code = exit || 0
::Fake::Command.new(stdout, stderr, exit_code)
end end
end end
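Review bot: `exit_code = exit || 0` reads a name that is also `Kernel#exit`. The method signature is outside this hunk, but the three-argument `result(nil, path, 1)` calls in the spec suggest `exit` is a positional parameter here. If that parameter were ever renamed or removed, this line would invoke `Kernel#exit` rather than fail with a NameError. Naming the parameter `exit_status` and writing `::Fake::Command.new(stdout, stderr, exit_status || 0)` removes the shadowing and the extra local.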


@ -33,13 +33,96 @@ describe "Inspec::Resources::PostgresSession" do
_(resource.resource_failed?).must_equal true _(resource.resource_failed?).must_equal true
_(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication." _(resource.resource_exception_message).must_equal "Can't run PostgreSQL SQL checks without authentication."
end end
it "fails when no connection established" do
resource = load_resource("postgres_session", "postgres", "postgres", "localhost", 5432)
_(proc { resource.send(:query, "Select 5;", ["mydatabase"]) }).must_raise Inspec::Exceptions::ResourceFailed
end
it "verify postgres_session create_psql_cmd in socket connection" do it "verify postgres_session create_psql_cmd in socket connection" do
resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432, "/var/run/postgresql") resource = load_resource("postgres_session", "myuser", "mypass", "127.0.0.1", 5432, "/var/run/postgresql")
_(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@/testdb?host=/var/run/postgresql -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;" _(resource.send(:create_psql_cmd, "SELECT * FROM STUDENTS;", ["testdb"])).must_equal "psql -d postgresql://myuser:mypass@/testdb?host=/var/run/postgresql -A -t -w -c SELECT\\ \\*\\ FROM\\ STUDENTS\\;"
end end
it "fails when no connection established in linux" do
resource = quick_resource(:postgres_session, :linux, "postgres", "postgres", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:postgres@localhost:5432/mydatabase -A -t -w -c Select\\ 5\\;") then
result(nil, "test/fixtures/cmd/psql-connection-error", 1)
else
raise cmd.inspect
end
end
ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("Select 5;", ["mydatabase"]) }
_(ex.message).must_include("PostgreSQL connection error")
end
it "fails when no password authentication fails" do
resource = quick_resource(:postgres_session, :linux, "postgres", "wrongpassword", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:wrongpassword@localhost:5432/mydatabase -A -t -w -c Select\\ 5\\;") then
result(nil, "test/fixtures/cmd/psql-password-authentication-error", 1)
else
raise cmd.inspect
end
end
ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("Select 5;", ["mydatabase"]) }
_(ex.message).must_include("PostgreSQL connection error")
end
it "returns stderr as output if there is error in the query." do
resource = quick_resource(:postgres_session, :linux, "postgres", "postgres", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:postgres@localhost:5432/mydatabase -A -t -w -c DROP\\ TABLE\\ accounts\\;") then
result(nil, "test/fixtures/cmd/psql-query-error", 1)
else
raise cmd.inspect
end
end
_(resource.resource_failed?).must_equal false
query = resource.query("DROP TABLE accounts;", ["mydatabase"])
_(query.output).must_match(/must be owner of table accounts/)
end
it "fails when no connection established on Windows" do
resource = quick_resource(:postgres_session, :windows, "postgres", "postgres", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:postgres@localhost:5432/mydatabase -A -t -w -c \"Select 5;\"") then
result(nil, "test/fixtures/cmd/psql-connection-error", 1)
else
raise cmd.inspect
end
end
ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("Select 5;", ["mydatabase"]) }
_(ex.message).must_include("PostgreSQL connection error")
end
it "fails when no password authentication fails on Windows" do
resource = quick_resource(:postgres_session, :windows, "postgres", "wrongpassword", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:wrongpassword@localhost:5432/mydatabase -A -t -w -c \"Select 5;\"") then
result(nil, "test/fixtures/cmd/psql-password-authentication-error", 1)
else
raise cmd.inspect
end
end
ex = assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("Select 5;", ["mydatabase"]) }
_(ex.message).must_include("PostgreSQL connection error")
end
it "returns stderr as output if there is error in the query on Windows." do
resource = quick_resource(:postgres_session, :windows, "postgres", "postgres", "localhost", 5432) do |cmd, opts|
cmd.strip!
case cmd
when ("psql -d postgresql://postgres:postgres@localhost:5432/mydatabase -A -t -w -c \"DROP TABLE accounts;\"") then
result(nil, "test/fixtures/cmd/psql-query-error", 1)
else
raise cmd.inspect
end
end
_(resource.resource_failed?).must_equal false
query = resource.query("DROP TABLE accounts;", ["mydatabase"])
_(query.output).must_match(/must be owner of table accounts/)
end
end end
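Review bot: None of the added cases covers a non-zero psql exit whose stderr matches neither connection pattern nor `error:`, which is the path where `query` returns only stdout, so a silently swallowed failure would go unnoticed by this suite. A case that stubs the command with `result(nil, nil, 2)` and asserts the intended outcome, for example `assert_raises(Inspec::Exceptions::ResourceFailed) { resource.query("Select 5;", ["mydatabase"]) }`, would pin that behaviour. The two query-error cases assert only that `output` matches the error text and that `resource_failed?` is false; a comment there stating that callers must inspect `output` to detect a failed query would make that contract explicit. The six Linux and Windows cases differ only in platform, command string and fixture, and could be generated from one table to keep them in step.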