# encoding: utf-8 # author: Nolan Davidson # author: Christoph Hartmann # author: Dominik Richter require 'hashie/mash' require 'utils/database_helpers' module Inspec::Resources # STABILITY: Experimental # This resource needs further testing and refinement # # This requires the `sqlcmd` tool available on platform # @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility # @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd class MssqlSession < Inspec.resource(1) name 'mssql_session' desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.' example " # Using SQL authentication sql = mssql_session(user: 'myuser', pass: 'mypassword') describe sql.query('SELECT * FROM table').row(0).column('columnname') do its('value') { should cmp == 1 } end # Passing no credentials to mssql_session forces it to use Windows authentication sql_windows_auth = mssql_session describe sql.query(\"SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as \\\"login_mode\\\";\").row(0).column('login_mode') do its('value') { should_not be_empty } its('value') { should cmp == 1 } end " attr_reader :user, :password, :host def initialize(opts = {}) @user = opts[:user] @password = opts[:password] || opts[:pass] if opts[:pass] warn '[DEPRECATED] use `password` option to supply password instead of `pass`' end @host = opts[:host] || 'localhost' @instance = opts[:instance] # check if sqlcmd is available return skip_resource('sqlcmd is missing') if !inspec.command('sqlcmd').exist? # check that database is reachable return skip_resource("Can't connect to the MS SQL Server.") if !test_connection end def query(q) escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$') # surpress 'x rows affected' in SQLCMD with 'set nocount on;' cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','" cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil? if @instance.nil? cmd_string += " -S '#{@host}'" else cmd_string += " -S '#{@host}\\#{@instance}'" end cmd = inspec.command(cmd_string) out = cmd.stdout + "\n" + cmd.stderr if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/ # TODO: we need to throw an exception here # change once https://github.com/chef/inspec/issues/1205 is in warn "Could not execute the sql query #{out}" DatabaseHelper::SQLQueryResult.new(cmd, Hashie::Mash.new({})) else DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd)) end end def to_s 'MSSQL session' end private def test_connection !query('select getdate()').empty? end def parse_csv_result(cmd) require 'csv' table = CSV.parse(cmd.stdout, { headers: true }) # remove first row, since it will be a seperator line table.delete(0) # convert to hash headers = table.headers results = table.map { |row| res = {} headers.each { |header| res[header.downcase] = row[header] } Hashie::Mash.new(res) } results end end end