mirror of
https://github.com/inspec/inspec
synced 2024-12-11 22:02:47 +00:00
224935e9cf
* Created pg_hba_conf resource Signed-off-by: Rony Xavier <rx294@nyu.edu> * Created pg_hba_conf resource Signed-off-by: Rony Xavier <rx294@nyu.edu> * Corrections * updated to parse auth-options Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated `conf_path` instance var to `conf_file` for consistancy. Signed-off-by: Aaron Lippold <lippold@gmail.com> * pg_hba_conf - updated the parse_line method added test and doc files Signed-off-by: Rony Xavier <rx294@nyu.edu> * Updated few bugs on pg_hba_conf updated test files and docs Signed-off-by: Rony Xavier <rx294@nyu.edu> * Updated docs Signed-off-by: Rony Xavier <rx294@nyu.edu> * Made updates based on the reccomendations Signed-off-by: Rony Xavier <rx294@nyu.edu> * PR commit Signed-off-by: Rony Xavier <rx294@nyu.edu> * PR Commit Signed-off-by: Rony Xavier <rx294@nyu.edu> * Update Gemfile.lock * PR Commit Signed-off-by: Rony Xavier <rx294@nyu.edu> * Updated doc file for postgres_hba_conf resource to use 'cmp' matcher instead of 'eq' Signed-off-by: Rony Xavier <rx294@nyu.edu> * Made requested changes, except for SimpleConfig - will address that later. Signed-off-by: Aaron Lippold <lippold@gmail.com>
101 lines
2.8 KiB
Ruby
101 lines
2.8 KiB
Ruby
# encoding: utf-8
|
|
# author: Rony Xavier,rx294@nyu.edu
|
|
# author: Aaron Lippold, lippold@gmail.com
|
|
|
|
require 'resources/postgres'
|
|
|
|
module Inspec::Resources
|
|
class PostgresHbaConf < Inspec.resource(1)
|
|
name 'postgres_hba_conf'
|
|
desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
|
|
authentication data defined in the pg_hba.conf file.'
|
|
example "
|
|
describe postgres_hba_conf.where { type == 'local' } do
|
|
its('auth_method') { should eq ['peer'] }
|
|
end
|
|
"
|
|
|
|
attr_reader :conf_file, :params
|
|
|
|
# @todo add checks to ensure that we have data in our file
|
|
def initialize(hba_conf_path = nil)
|
|
return skip_resource 'The `postgres_hba_conf` resource is not supported on your OS.' unless inspec.os.linux?
|
|
@conf_file = hba_conf_path || File.expand_path('pg_hba.conf', inspec.postgres.conf_dir)
|
|
@content = ''
|
|
@params = {}
|
|
read_content
|
|
end
|
|
|
|
filter = FilterTable.create
|
|
filter.add_accessor(:where)
|
|
.add_accessor(:entries)
|
|
.add(:type, field: 'type')
|
|
.add(:database, field: 'database')
|
|
.add(:user, field: 'user')
|
|
.add(:address, field: 'address')
|
|
.add(:auth_method, field: 'auth_method')
|
|
.add(:auth_params, field: 'auth_params')
|
|
|
|
filter.connect(self, :params)
|
|
|
|
def to_s
|
|
"Postgres Hba Config #{@conf_file}"
|
|
end
|
|
|
|
private
|
|
|
|
def clean_conf_file(conf_file = @conf_file)
|
|
data = inspec.file(conf_file).content.to_s.lines
|
|
content = []
|
|
data.each do |line|
|
|
line.chomp!
|
|
content << line unless line.match(/^\s*#/) || line.empty?
|
|
end
|
|
content
|
|
end
|
|
|
|
def read_content(config_file = @conf_file)
|
|
file = inspec.file(config_file)
|
|
|
|
if !file.file?
|
|
return skip_resource "Can't find file \"#{@conf_file}\""
|
|
end
|
|
|
|
raw_conf = file.content
|
|
|
|
if raw_conf.empty? && !file.empty?
|
|
return skip_resource("Can't read the contents of \"#{@conf_file}\"")
|
|
end
|
|
|
|
# @todo use SimpleConfig here if we can
|
|
# ^\s*(\S+)\s+(\S+)\s+(\S+)\s(?:(\d*.\d*.\d*.\d*\/\d*)|(::\/\d+))\s+(\S+)\s*(.*)?\s*$
|
|
|
|
@content = clean_conf_file(@conf_file)
|
|
@params = parse_conf(@content)
|
|
@params.each do |line|
|
|
if line['type'] == 'local'
|
|
line['auth_method'] = line['address']
|
|
line['address'] = ''
|
|
end
|
|
end
|
|
end
|
|
|
|
def parse_conf(content)
|
|
content.map do |line|
|
|
parse_line(line)
|
|
end.compact
|
|
end
|
|
|
|
def parse_line(line)
|
|
x = line.split(/\s+/)
|
|
{
|
|
'type' => x[0],
|
|
'database' => x[1],
|
|
'user' => x[2],
|
|
'address' => x[3],
|
|
'auth_method' => x[4],
|
|
'auth_params' => ('' if x.length == 4) || x[5..-1].join(' '),
|
|
}
|
|
end
|
|
end
|
|
end
|