From a16877f4273c2952270d698f7f8ae3cc5ff9915b Mon Sep 17 00:00:00 2001 From: Stanislav Voroniy Date: Mon, 9 Jul 2018 19:57:45 +0200 Subject: [PATCH] A number of bug fixes and new features for oracledb_session resource (#3170) Signed-off-by: Stanislav Voroniy --- docs/resources/oracledb_session.md.erb | 41 ++++++++++++++++++++++++++ lib/resources/oracledb_session.rb | 26 +++++++++++----- lib/utils/database_helpers.rb | 12 ++++++++ test/helper.rb | 2 +- 4 files changed, 73 insertions(+), 8 deletions(-) diff --git a/docs/resources/oracledb_session.md.erb b/docs/resources/oracledb_session.md.erb index 6b4d83c6d..917abebf2 100644 --- a/docs/resources/oracledb_session.md.erb +++ b/docs/resources/oracledb_session.md.erb @@ -20,11 +20,17 @@ A `oracledb_session` resource block declares the username and password to use fo where * `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`). +* it is possible to run queries as sysdba/sysoper by using `as_db_role option`, see examples * `query('QUERY')` contains the query to be run * `its('value') { should eq('') }` compares the results of the query against the expected result in the test
+## oracledb_session(...).query method Properties +* rows the query result as array of hashes +* row(number) selected row from query result, where number is just a row number in the query result +* column(name) array with values from selected column + ## Examples The following examples show how to use this InSpec audit resource. @@ -45,6 +51,41 @@ The following examples show how to use this InSpec audit resource. its('value') { should cmp 'ORCL' } end +### Test for table contains a specified value in any row for the given column name + + sql = oracledb_session(user: 'my_user', pass: 'password', service: 'MYSID') + + describe sql.query('SELECT * FROM my_table;').column('my_column') do + it { should include 'my_value' } + end + +### Test tablespace exists as sysdba + The check will change user (with su) to specified user and run 'sqlplus / as sysdba' (sysoper, sysasm) + + sql = oracledb_session(as_os_user: 'oracle', as_db_role: 'sysdba', service: 'MYSID') + + describe sql.query('SELECT tablespace_name AS name FROM dba_tablespaces;').column('name') do + it { should include 'MYTABLESPACE' } + end + NOTE: option `as_os_user` available only on unix-like systems and not supported on Windows. Also this option requires that you are running inspec as `root` or with `--sudo` + +### Test number of rows in the query result + + sql = oracledb_session(user: 'my_user', pass: 'password') + + describe sql.query('SELECT * FROM my_table;').rows do + its('count') { should eq 20 } + end + +### Use data out of (remote) DB query to build other tests + + sql = oracledb_session(user: 'my_user', pass: 'password', host: 'my.remote.db', service: 'MYSID') + + sql.query('SELECT * FROM files;').rows.each do |file_row| + describe file(file_row['path']) do + its('owner') { should eq file_row['owner']} + end + end
## Matchers diff --git a/lib/resources/oracledb_session.rb b/lib/resources/oracledb_session.rb index 8f2892ff2..4c2817c9d 100644 --- a/lib/resources/oracledb_session.rb +++ b/lib/resources/oracledb_session.rb @@ -22,7 +22,8 @@ module Inspec::Resources end " - attr_reader :user, :password, :host, :service + attr_reader :user, :password, :host, :service, :as_os_user, :as_db_role + # rubocop:disable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity def initialize(opts = {}) @user = opts[:user] @password = opts[:password] || opts[:pass] @@ -34,12 +35,17 @@ module Inspec::Resources @port = opts[:port] || '1521' @service = opts[:service] + # connection as sysdba stuff + return skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && opts[:as_os_user] + @su_user = opts[:as_os_user] + @db_role = opts[:as_db_role] + # we prefer sqlci although it is way slower than sqlplus, but it understands csv properly - @sqlcl_bin = 'sql' + @sqlcl_bin = 'sql' unless opts.key?(:sqlplus_bin) # don't use it if user specified sqlplus_bin option @sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus' - return skip_resource "Can't run Oracle checks without authentication" if @user.nil? || @password.nil? - return skip_resource 'You must provide a service name for the session' if @service.nil? + return fail_resource "Can't run Oracle checks without authentication" if @su_user.nil? && (@user.nil? || @password.nil?) + return fail_resource 'You must provide a service name for the session' if @service.nil? end def query(q) @@ -49,19 +55,25 @@ module Inspec::Resources p = nil # use sqlplus if sqlcl is not available - if inspec.command(@sqlcl_bin).exist? + if @sqlcl_bin and inspec.command(@sqlcl_bin).exist? bin = @sqlcl_bin opts = "set sqlformat csv\nSET FEEDBACK OFF" p = :parse_csv_result else bin = @sqlplus_bin - opts = "SET MARKUP HTML ON\nSET FEEDBACK OFF" + opts = "SET MARKUP HTML ON\nSET PAGESIZE 32000\nSET FEEDBACK OFF" p = :parse_html_result end query = verify_query(escaped_query) query += ';' unless query.end_with?(';') - command = %{echo "#{opts}\n#{query}\nEXIT" | #{bin} "#{@user}"/"#{@password}"@#{@host}:#{@port}/#{@service}} + if @db_role.nil? + command = %{#{bin} "#{@user}"/"#{@password}"@#{@host}:#{@port}/#{@service} < cmd.call('mssql-result'), # oracle "bash -c 'type \"sqlplus\"'" => cmd.call('oracle-cmd'), - "527f243fe9b01fc7b7d78eb1ef5200e272b011aa07c9f59836d950107d6d2a5c" => cmd.call('oracle-result'), + "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call('oracle-result'), # nginx mock cmd %{nginx -V 2>&1} => cmd.call('nginx-v'), %{/usr/sbin/nginx -V 2>&1} => cmd.call('nginx-v'),