A number of bug fixes and new features for oracledb_session resource (#3170)

Signed-off-by: Stanislav Voroniy <stas@voroniy.com>
This commit is contained in:
Stanislav Voroniy 2018-07-09 19:57:45 +02:00 committed by Clinton Wolfe
parent 5cb3caf4dc
commit a16877f427
4 changed files with 73 additions and 8 deletions

View file

@ -20,11 +20,17 @@ A `oracledb_session` resource block declares the username and password to use fo
where where
* `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`). * `oracledb_session` declares a username and password with permission to run the query (required), and an optional parameters for host (default: `localhost`), SID (default: `nil`, which uses the default SID, and path to the sqlplus binary (default: `sqlplus`).
* it is possible to run queries as sysdba/sysoper by using `as_db_role option`, see examples
* `query('QUERY')` contains the query to be run * `query('QUERY')` contains the query to be run
* `its('value') { should eq('') }` compares the results of the query against the expected result in the test * `its('value') { should eq('') }` compares the results of the query against the expected result in the test
<br> <br>
## oracledb_session(...).query method Properties
* rows the query result as array of hashes
* row(number) selected row from query result, where number is just a row number in the query result
* column(name) array with values from selected column
## Examples ## Examples
The following examples show how to use this InSpec audit resource. The following examples show how to use this InSpec audit resource.
@ -45,6 +51,41 @@ The following examples show how to use this InSpec audit resource.
its('value') { should cmp 'ORCL' } its('value') { should cmp 'ORCL' }
end end
### Test for table contains a specified value in any row for the given column name
sql = oracledb_session(user: 'my_user', pass: 'password', service: 'MYSID')
describe sql.query('SELECT * FROM my_table;').column('my_column') do
it { should include 'my_value' }
end
### Test tablespace exists as sysdba
The check will change user (with su) to specified user and run 'sqlplus / as sysdba' (sysoper, sysasm)
sql = oracledb_session(as_os_user: 'oracle', as_db_role: 'sysdba', service: 'MYSID')
describe sql.query('SELECT tablespace_name AS name FROM dba_tablespaces;').column('name') do
it { should include 'MYTABLESPACE' }
end
NOTE: option `as_os_user` available only on unix-like systems and not supported on Windows. Also this option requires that you are running inspec as `root` or with `--sudo`
### Test number of rows in the query result
sql = oracledb_session(user: 'my_user', pass: 'password')
describe sql.query('SELECT * FROM my_table;').rows do
its('count') { should eq 20 }
end
### Use data out of (remote) DB query to build other tests
sql = oracledb_session(user: 'my_user', pass: 'password', host: 'my.remote.db', service: 'MYSID')
sql.query('SELECT * FROM files;').rows.each do |file_row|
describe file(file_row['path']) do
its('owner') { should eq file_row['owner']}
end
end
<br> <br>
## Matchers ## Matchers

View file

@ -22,7 +22,8 @@ module Inspec::Resources
end end
" "
attr_reader :user, :password, :host, :service attr_reader :user, :password, :host, :service, :as_os_user, :as_db_role
# rubocop:disable Metrics/PerceivedComplexity,Metrics/CyclomaticComplexity
def initialize(opts = {}) def initialize(opts = {})
@user = opts[:user] @user = opts[:user]
@password = opts[:password] || opts[:pass] @password = opts[:password] || opts[:pass]
@ -34,12 +35,17 @@ module Inspec::Resources
@port = opts[:port] || '1521' @port = opts[:port] || '1521'
@service = opts[:service] @service = opts[:service]
# connection as sysdba stuff
return skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && opts[:as_os_user]
@su_user = opts[:as_os_user]
@db_role = opts[:as_db_role]
# we prefer sqlci although it is way slower than sqlplus, but it understands csv properly # we prefer sqlci although it is way slower than sqlplus, but it understands csv properly
@sqlcl_bin = 'sql' @sqlcl_bin = 'sql' unless opts.key?(:sqlplus_bin) # don't use it if user specified sqlplus_bin option
@sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus' @sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus'
return skip_resource "Can't run Oracle checks without authentication" if @user.nil? || @password.nil? return fail_resource "Can't run Oracle checks without authentication" if @su_user.nil? && (@user.nil? || @password.nil?)
return skip_resource 'You must provide a service name for the session' if @service.nil? return fail_resource 'You must provide a service name for the session' if @service.nil?
end end
def query(q) def query(q)
@ -49,19 +55,25 @@ module Inspec::Resources
p = nil p = nil
# use sqlplus if sqlcl is not available # use sqlplus if sqlcl is not available
if inspec.command(@sqlcl_bin).exist? if @sqlcl_bin and inspec.command(@sqlcl_bin).exist?
bin = @sqlcl_bin bin = @sqlcl_bin
opts = "set sqlformat csv\nSET FEEDBACK OFF" opts = "set sqlformat csv\nSET FEEDBACK OFF"
p = :parse_csv_result p = :parse_csv_result
else else
bin = @sqlplus_bin bin = @sqlplus_bin
opts = "SET MARKUP HTML ON\nSET FEEDBACK OFF" opts = "SET MARKUP HTML ON\nSET PAGESIZE 32000\nSET FEEDBACK OFF"
p = :parse_html_result p = :parse_html_result
end end
query = verify_query(escaped_query) query = verify_query(escaped_query)
query += ';' unless query.end_with?(';') query += ';' unless query.end_with?(';')
command = %{echo "#{opts}\n#{query}\nEXIT" | #{bin} "#{@user}"/"#{@password}"@#{@host}:#{@port}/#{@service}} if @db_role.nil?
command = %{#{bin} "#{@user}"/"#{@password}"@#{@host}:#{@port}/#{@service} <<EOC\n#{opts}\n#{query}\nEXIT\nEOC}
elsif @su_user.nil?
command = %{#{bin} "#{@user}"/"#{@password}"@#{@host}:#{@port}/#{@service} as #{@db_role} <<EOC\n#{opts}\n#{query}\nEXIT\nEOC}
else
command = %{su - #{@su_user} -c "env ORACLE_SID=#{@service} #{bin} / as #{@db_role} <<EOC\n#{opts}\n#{query}\nEXIT\nEOC"}
end
cmd = inspec.command(command) cmd = inspec.command(command)
out = cmd.stdout + "\n" + cmd.stderr out = cmd.stdout + "\n" + cmd.stderr

View file

@ -48,10 +48,22 @@ module DatabaseHelper
@cmd.exit_status == 0 && @error.nil? @cmd.exit_status == 0 && @error.nil?
end end
def rows
@results
end
def row(id) def row(id)
SQLRow.new(self, @results[id]) SQLRow.new(self, @results[id])
end end
def column(column)
result = []
@results.each do |row|
result << row[column]
end
result
end
def size def size
@results.size @results.size
end end

View file

@ -461,7 +461,7 @@ class MockLoader
"7d1a7a0f2bd1e7da9a6904e1f28981146ec01a0323623e12a8579d30a3960a79" => cmd.call('mssql-result'), "7d1a7a0f2bd1e7da9a6904e1f28981146ec01a0323623e12a8579d30a3960a79" => cmd.call('mssql-result'),
# oracle # oracle
"bash -c 'type \"sqlplus\"'" => cmd.call('oracle-cmd'), "bash -c 'type \"sqlplus\"'" => cmd.call('oracle-cmd'),
"527f243fe9b01fc7b7d78eb1ef5200e272b011aa07c9f59836d950107d6d2a5c" => cmd.call('oracle-result'), "1998da5bc0f09bd5258fad51f45447556572b747f631661831d6fcb49269a448" => cmd.call('oracle-result'),
# nginx mock cmd # nginx mock cmd
%{nginx -V 2>&1} => cmd.call('nginx-v'), %{nginx -V 2>&1} => cmd.call('nginx-v'),
%{/usr/sbin/nginx -V 2>&1} => cmd.call('nginx-v'), %{/usr/sbin/nginx -V 2>&1} => cmd.call('nginx-v'),