inspec/lib/resources/mssql_session.rb
Kayleigh Doores 9c1b7eb6a2 Added db_name flag (#3383)
* Added db_name flag
* removed trailing whitespace
* Added comment to disable metrics

Signed-off-by: Kayleigh <kayleigh.doores@gmail.com>
2018-09-17 20:59:31 -04:00

118 lines
3.8 KiB
Ruby

# encoding: utf-8
require 'hashie/mash'
require 'utils/database_helpers'
module Inspec::Resources
# STABILITY: Experimental
# This resource needs further testing and refinement
#
# This requires the `sqlcmd` tool available on platform
# @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
# @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
class MssqlSession < Inspec.resource(1)
name 'mssql_session'
supports platform: 'windows'
desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
example "
# Using SQL authentication
sql = mssql_session(user: 'myuser', pass: 'mypassword')
describe sql.query('SELECT * FROM table').row(0).column('columnname') do
its('value') { should cmp == 1 }
end
# Passing no credentials to mssql_session forces it to use Windows authentication
sql_windows_auth = mssql_session
describe sql_windows_auth.query(\"SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as \\\"login_mode\\\";\").row(0).column('login_mode') do
its('value') { should_not be_empty }
its('value') { should cmp == 1 }
end
"
attr_reader :user, :password, :host, :port, :instance, :local_mode, :db_name
def initialize(opts = {})
@user = opts[:user]
@password = opts[:password] || opts[:pass]
if opts[:pass]
warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
end
@local_mode = opts[:local_mode]
unless local_mode?
@host = opts[:host] || 'localhost'
if opts.key?(:port)
@port = opts[:port]
else
@port = '1433'
end
end
@instance = opts[:instance]
@db_name = opts[:db_name]
# check if sqlcmd is available
raise Inspec::Exceptions::ResourceSkipped, 'sqlcmd is missing' unless inspec.command('sqlcmd').exist?
# check that database is reachable
raise Inspec::Exceptions::ResourceSkipped, "Can't connect to the MS SQL Server." unless test_connection
end
def query(q) # rubocop:disable Metrics/PerceivedComplexity
escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
# surpress 'x rows affected' in SQLCMD with 'set nocount on;'
cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
cmd_string += " -U '#{@user}' -P '#{@password}'" unless @user.nil? || @password.nil?
cmd_string += " -d '#{@db_name}'" unless @db_name.nil?
unless local_mode?
if @port.nil?
cmd_string += " -S '#{@host}"
else
cmd_string += " -S '#{@host},#{@port}"
end
if @instance.nil?
cmd_string += "'"
else
cmd_string += "\\#{@instance}'"
end
end
cmd = inspec.command(cmd_string)
out = cmd.stdout + "\n" + cmd.stderr
if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
else
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
end
end
def to_s
'MSSQL session'
end
private
def local_mode?
!!@local_mode # rubocop:disable Style/DoubleNegation
end
def test_connection
!query('select getdate()').empty?
end
def parse_csv_result(cmd)
require 'csv'
table = CSV.parse(cmd.stdout, { headers: true })
# remove first row, since it will be a seperator line
table.delete(0)
# convert to hash
headers = table.headers
results = table.map { |row|
res = {}
headers.each { |header|
res[header.downcase] = row[header]
}
Hashie::Mash.new(res)
}
results
end
end
end