mirror of
https://github.com/inspec/inspec
synced 2024-12-12 14:22:38 +00:00
9c1b7eb6a2
* Added db_name flag * removed trailing whitespace * Added comment to disable metrics Signed-off-by: Kayleigh <kayleigh.doores@gmail.com>
118 lines
3.8 KiB
Ruby
118 lines
3.8 KiB
Ruby
# encoding: utf-8
|
|
|
|
require 'hashie/mash'
|
|
require 'utils/database_helpers'
|
|
|
|
module Inspec::Resources
|
|
# STABILITY: Experimental
|
|
# This resource needs further testing and refinement
|
|
#
|
|
# This requires the `sqlcmd` tool available on platform
|
|
# @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
|
|
# @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
|
|
class MssqlSession < Inspec.resource(1)
|
|
name 'mssql_session'
|
|
supports platform: 'windows'
|
|
desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
|
|
example "
|
|
# Using SQL authentication
|
|
sql = mssql_session(user: 'myuser', pass: 'mypassword')
|
|
describe sql.query('SELECT * FROM table').row(0).column('columnname') do
|
|
its('value') { should cmp == 1 }
|
|
end
|
|
|
|
# Passing no credentials to mssql_session forces it to use Windows authentication
|
|
sql_windows_auth = mssql_session
|
|
describe sql_windows_auth.query(\"SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as \\\"login_mode\\\";\").row(0).column('login_mode') do
|
|
its('value') { should_not be_empty }
|
|
its('value') { should cmp == 1 }
|
|
end
|
|
"
|
|
|
|
attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name
|
|
def initialize(opts = {})
|
|
@user = opts[:user]
|
|
@password = opts[:password] || opts[:pass]
|
|
if opts[:pass]
|
|
warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
|
|
end
|
|
@local_mode = opts[:local_mode]
|
|
unless local_mode?
|
|
@host = opts[:host] || 'localhost'
|
|
if opts.key?(:port)
|
|
@port = opts[:port]
|
|
else
|
|
@port = '1433'
|
|
end
|
|
end
|
|
@instance = opts[:instance]
|
|
@db_name = opts[:db_name]
|
|
|
|
# check if sqlcmd is available
|
|
raise Inspec::Exceptions::ResourceSkipped, 'sqlcmd is missing' unless inspec.command('sqlcmd').exist?
|
|
# check that database is reachable
|
|
raise Inspec::Exceptions::ResourceSkipped, "Can't connect to the MS SQL Server." unless test_connection
|
|
end
|
|
|
|
def query(q) # rubocop:disable Metrics/PerceivedComplexity
|
|
escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
|
|
# surpress 'x rows affected' in SQLCMD with 'set nocount on;'
|
|
cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
|
|
cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
|
|
cmd_string += " -d '#{@db_name}'" unless @db_name.nil?
|
|
unless local_mode?
|
|
if @port.nil?
|
|
cmd_string += " -S '#{@host}"
|
|
else
|
|
cmd_string += " -S '#{@host},#{@port}"
|
|
end
|
|
if @instance.nil?
|
|
cmd_string += "'"
|
|
else
|
|
cmd_string += "\\#{@instance}'"
|
|
end
|
|
end
|
|
cmd = inspec.command(cmd_string)
|
|
out = cmd.stdout + "\n" + cmd.stderr
|
|
if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
|
|
raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
|
|
else
|
|
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
|
|
end
|
|
end
|
|
|
|
def to_s
|
|
'MSSQL session'
|
|
end
|
|
|
|
private
|
|
|
|
def local_mode?
|
|
!!@local_mode # rubocop:disable Style/DoubleNegation
|
|
end
|
|
|
|
def test_connection
|
|
!query('select getdate()').empty?
|
|
end
|
|
|
|
def parse_csv_result(cmd)
|
|
require 'csv'
|
|
table = CSV.parse(cmd.stdout, { headers: true })
|
|
|
|
# remove first row, since it will be a seperator line
|
|
table.delete(0)
|
|
|
|
# convert to hash
|
|
headers = table.headers
|
|
|
|
results = table.map { |row|
|
|
res = {}
|
|
headers.each { |header|
|
|
res[header.downcase] = row[header]
|
|
}
|
|
Hashie::Mash.new(res)
|
|
}
|
|
results
|
|
end
|
|
end
|
|
end
|