mirror of
https://github.com/inspec/inspec
synced 2024-11-14 00:47:10 +00:00
102 lines
3.4 KiB
Ruby
102 lines
3.4 KiB
Ruby
# encoding: utf-8
|
|
# author: Nolan Davidson
|
|
# author: Christoph Hartmann
|
|
# author: Dominik Richter
|
|
|
|
require 'hashie/mash'
|
|
require 'utils/database_helpers'
|
|
|
|
module Inspec::Resources
|
|
# STABILITY: Experimental
|
|
# This resource needs further testing and refinement
|
|
#
|
|
# This requires the `sqlcmd` tool available on platform
|
|
# @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
|
|
# @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
|
|
class MssqlSession < Inspec.resource(1)
|
|
name 'mssql_session'
|
|
desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
|
|
example "
|
|
# Using SQL authentication
|
|
sql = mssql_session(user: 'myuser', pass: 'mypassword')
|
|
describe sql.query('SELECT * FROM table').row(0).column('columnname') do
|
|
its('value') { should cmp == 1 }
|
|
end
|
|
|
|
# Passing no credentials to mssql_session forces it to use Windows authentication
|
|
sql_windows_auth = mssql_session
|
|
describe sql.query(\"SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as \\\"login_mode\\\";\").row(0).column('login_mode') do
|
|
its('value') { should_not be_empty }
|
|
its('value') { should cmp == 1 }
|
|
end
|
|
"
|
|
|
|
attr_reader :user, :password, :host
|
|
def initialize(opts = {})
|
|
@user = opts[:user]
|
|
@password = opts[:password] || opts[:pass]
|
|
if opts[:pass]
|
|
warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
|
|
end
|
|
@host = opts[:host] || 'localhost'
|
|
@instance = opts[:instance]
|
|
|
|
# check if sqlcmd is available
|
|
return skip_resource('sqlcmd is missing') if !inspec.command('sqlcmd').exist?
|
|
# check that database is reachable
|
|
return skip_resource("Can't connect to the MS SQL Server.") if !test_connection
|
|
end
|
|
|
|
def query(q)
|
|
escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
|
|
# surpress 'x rows affected' in SQLCMD with 'set nocount on;'
|
|
cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
|
|
cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
|
|
if @instance.nil?
|
|
cmd_string += " -S '#{@host}'"
|
|
else
|
|
cmd_string += " -S '#{@host}\\#{@instance}'"
|
|
end
|
|
cmd = inspec.command(cmd_string)
|
|
out = cmd.stdout + "\n" + cmd.stderr
|
|
if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
|
|
# TODO: we need to throw an exception here
|
|
# change once https://github.com/chef/inspec/issues/1205 is in
|
|
warn "Could not execute the sql query #{out}"
|
|
DatabaseHelper::SQLQueryResult.new(cmd, Hashie::Mash.new({}))
|
|
else
|
|
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
|
|
end
|
|
end
|
|
|
|
def to_s
|
|
'MSSQL session'
|
|
end
|
|
|
|
private
|
|
|
|
def test_connection
|
|
!query('select getdate()').empty?
|
|
end
|
|
|
|
def parse_csv_result(cmd)
|
|
require 'csv'
|
|
table = CSV.parse(cmd.stdout, { headers: true })
|
|
|
|
# remove first row, since it will be a seperator line
|
|
table.delete(0)
|
|
|
|
# convert to hash
|
|
headers = table.headers
|
|
|
|
results = table.map { |row|
|
|
res = {}
|
|
headers.each { |header|
|
|
res[header.downcase] = row[header]
|
|
}
|
|
Hashie::Mash.new(res)
|
|
}
|
|
results
|
|
end
|
|
end
|
|
end
|