inspec-core 2.1.67

data/lib/resources/postgres.rb

@@ -0,0 +1,131 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+module Inspec::Resources
+  class Postgres < Inspec.resource(1)
+    name 'postgres'
+    supports platform: 'unix'
+    desc 'The \'postgres\' resource is a helper for the \'postgres_conf\', \'postgres_hba_conf\', \'postgres_ident_conf\' & \'postgres_session\' resources.  Please use those instead.'
+
+    attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
+    def initialize
+      if inspec.os.debian?
+        #
+        # https://wiki.debian.org/PostgreSql
+        #
+        # Debian allows multiple versions of postgresql to be
+        # installed as well as multiple "clusters" to be configured.
+        #
+        @version = version_from_psql || version_from_dir('/etc/postgresql')
+        @cluster = cluster_from_dir("/etc/postgresql/#{@version}")
+        @conf_dir = "/etc/postgresql/#{@version}/#{@cluster}"
+        @data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}"
+      else
+        @version = version_from_psql
+        if @version.nil?
+          if inspec.directory('/var/lib/pgsql/data').exist?
+            warn 'Unable to determine PostgreSQL version: psql did not return
+             a version number and unversioned data directories were found.'
+            nil
+          else
+            @version = version_from_dir('/var/lib/pgsql')
+          end
+        end
+        @data_dir = locate_data_dir_location_by_version(@version)
+      end
+
+      @service = 'postgresql'
+      @service += "-#{@version}" if @version.to_f >= 9.4
+      @conf_dir ||= @data_dir
+
+      verify_dirs
+      if !@version.nil? && !@conf_dir.empty?
+        @conf_path = File.join @conf_dir, 'postgresql.conf'
+      else
+        @conf_path = nil
+        return skip_resource 'Seems like PostgreSQL is not installed on your system'
+      end
+    end
+
+    def to_s
+      'PostgreSQL'
+    end
+
+    private
+
+    def verify_dirs
+      warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
+        "Postgresql may not be installed or we've misidentified the configuration " \
+        'directory.' unless inspec.directory(@conf_dir).exist?
+
+      warn "Default postgresql data directory: #{@data_dir} does not exist. " \
+        "Postgresql may not be installed or we've misidentified the data " \
+        'directory.' unless inspec.directory(@data_dir).exist?
+    end
+
+    def version_from_psql
+      return unless inspec.command('psql').exist?
+      inspec.command("psql --version | awk '{ print $NF }' | awk -F. '{ print $1\".\"$2 }'").stdout.strip
+    end
+
+    def locate_data_dir_location_by_version(ver = @version)
+      data_dir_loc = nil
+      dir_list = [
+        "/var/lib/pgsql/#{ver}/data",
+        '/var/lib/pgsql/data',
+        '/var/lib/postgres/data',
+        '/var/lib/postgresql/data',
+      ]
+
+      dir_list.each do |dir|
+        data_dir_loc = dir if inspec.directory(dir).exist?
+        break
+      end
+
+      if data_dir_loc.nil?
+        warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
+        execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
+        DBA to find the non-standard data_dir location.'
+      end
+      data_dir_loc
+    end
+
+    def version_from_dir(dir)
+      dirs = inspec.command("ls -d #{dir}/*/").stdout
+      entries = dirs.lines.count
+      case entries
+      when 0
+        warn "Could not determine version of installed postgresql by inspecting #{dir}"
+        nil
+      when 1
+        warn "Using #{dirs}: #{dir_to_version(dirs)}"
+        dir_to_version(dirs)
+      else
+        warn "Multiple versions of postgresql installed or incorrect base dir #{dir}"
+        first = dir_to_version(dirs.lines.first)
+        warn "Using the first version found: #{first}"
+        first
+      end
+    end
+
+    def dir_to_version(dir)
+      dir.chomp.split('/').last
+    end
+
+    def cluster_from_dir(dir)
+      # Main is the default cluster name on debian use it if it
+      # exists.
+      if inspec.directory("#{dir}/main").exist?
+        'main'
+      else
+        dirs = inspec.command("ls -d #{dir}/*/").stdout.lines
+        first = dirs.first.chomp.split('/').last
+        if dirs.count > 1
+          warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
+          warn "Using the first directory found: #{first}"
+        end
+        first
+      end
+    end
+  end
+end

data/lib/resources/postgres_conf.rb

@@ -0,0 +1,114 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'utils/simpleconfig'
+require 'utils/find_files'
+require 'utils/file_reader'
+require 'resources/postgres'
+
+module Inspec::Resources
+  class PostgresConf < Inspec.resource(1)
+    name 'postgres_conf'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the postgres_conf InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at /etc/postgresql/<version>/main/postgresql.conf or /var/lib/postgres/data/postgresql.conf, depending on the platform.'
+    example "
+      describe postgres_conf do
+        its('max_connections') { should eq '5' }
+      end
+    "
+
+    include FindFiles
+    include FileReader
+    include ObjectTraverser
+
+    def initialize(conf_path = nil)
+      @conf_path = conf_path || inspec.postgres.conf_path
+      if @conf_path.nil?
+        return skip_resource 'PostgreSQL conf path is not set'
+      end
+      @conf_dir = File.expand_path(File.dirname(@conf_path))
+      @files_contents = {}
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    def content
+      @content ||= read_content
+    end
+
+    def params(*opts)
+      @params || read_content
+      res = @params
+      opts.each do |opt|
+        res = res[opt] unless res.nil?
+      end
+      res
+    end
+
+    def value(key)
+      extract_value(key, @params)
+    end
+
+    def method_missing(*keys)
+      keys.shift if keys.is_a?(Array) && keys[0] == :[]
+      param = value(keys)
+      return nil if param.nil?
+      # extract first value if we have only one value in array
+      return param[0] if param.length == 1
+      param
+    end
+
+    def to_s
+      'PostgreSQL Configuration'
+    end
+
+    private
+
+    def read_content
+      @content = ''
+      @params = {}
+
+      to_read = [@conf_path]
+      until to_read.empty?
+        base_dir = File.dirname(to_read[0])
+        raw_conf = read_file(to_read[0])
+        @content += raw_conf
+
+        opts = {
+          assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/,
+        }
+        params = SimpleConfig.new(raw_conf, opts).params
+        @params.merge!(params)
+
+        to_read = to_read.drop(1)
+        # see if there is more config files to include
+
+        to_read += include_files(params, base_dir).find_all do |fp|
+          not @files_contents.key? fp
+        end
+      end
+      @content
+    end
+
+    def include_files(params, base_dir)
+      include_files = Array(params['include']) || []
+      include_files += Array(params['include_if_exists']) || []
+      include_files.map! do |f|
+        Pathname.new(f).absolute? ? f : File.join(base_dir, f)
+      end
+
+      dirs = Array(params['include_dir']) || []
+      dirs.each do |dir|
+        dir = File.join(base_dir, dir) if dir[0] != '/'
+        include_files += find_files(dir, depth: 1, type: 'file')
+      end
+      include_files
+    end
+
+    def read_file(path)
+      @files_contents[path] ||= read_file_content(path)
+    end
+  end
+end

data/lib/resources/postgres_hba_conf.rb

@@ -0,0 +1,90 @@
+# encoding: utf-8
+
+require 'resources/postgres'
+require 'utils/file_reader'
+
+module Inspec::Resources
+  class PostgresHbaConf < Inspec.resource(1)
+    name 'postgres_hba_conf'
+    supports platform: 'unix'
+    desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
+          authentication data defined in the pg_hba.conf file.'
+    example "
+      describe postgres_hba_conf.where { type == 'local' } do
+        its('auth_method') { should eq ['peer'] }
+      end
+    "
+
+    include FileReader
+
+    attr_reader :conf_file, :params
+
+    # @todo add checks to ensure that we have data in our file
+    def initialize(hba_conf_path = nil)
+      @conf_file = hba_conf_path || File.expand_path('pg_hba.conf', inspec.postgres.conf_dir)
+      @content = ''
+      @params = {}
+      read_content
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:type,     field: 'type')
+          .add(:database, field: 'database')
+          .add(:user,     field: 'user')
+          .add(:address,  field: 'address')
+          .add(:auth_method, field: 'auth_method')
+          .add(:auth_params, field: 'auth_params')
+
+    filter.connect(self, :params)
+
+    def to_s
+      "Postgres Hba Config #{@conf_file}"
+    end
+
+    private
+
+    def clean_conf_file(conf_file = @conf_file)
+      data = read_file_content(conf_file).to_s.lines
+      content = []
+      data.each do |line|
+        line.chomp!
+        content << line unless line.match(/^\s*#/) || line.empty?
+      end
+      content
+    end
+
+    def read_content(config_file = @conf_file)
+      # @todo use SimpleConfig here if we can
+      # ^\s*(\S+)\s+(\S+)\s+(\S+)\s(?:(\d*.\d*.\d*.\d*\/\d*)|(::\/\d+))\s+(\S+)\s*(.*)?\s*$
+
+      @content = clean_conf_file(config_file)
+      @params = parse_conf(@content)
+      @params.each do |line|
+        if line['type'] == 'local'
+          line['auth_method'] = line['address']
+          line['address'] = ''
+        end
+      end
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        parse_line(line)
+      end.compact
+    end
+
+    def parse_line(line)
+      x = line.split(/\s+/)
+      {
+        'type' => x[0],
+        'database' => x[1],
+        'user' => x[2],
+        'address' => x[3],
+        'auth_method' => x[4],
+        'auth_params' =>  ('' if x.length == 4) || x[5..-1].join(' '),
+      }
+    end
+  end
+end

data/lib/resources/postgres_ident_conf.rb

@@ -0,0 +1,79 @@
+# encoding: utf-8
+
+require 'utils/file_reader'
+require 'resources/postgres'
+
+module Inspec::Resources
+  class PostgresIdentConf < Inspec.resource(1)
+    name 'postgres_ident_conf'
+    supports platform: 'unix'
+    desc 'Use the postgres_ident_conf InSpec audit resource to test the client
+          authentication data is controlled by a pg_ident.conf file.'
+    example "
+      describe postgres_ident_conf.where { pg_username == 'acme_user' } do
+        its('map_name') { should eq ['ssl-test'] }
+      end
+    "
+
+    include FileReader
+
+    attr_reader :params, :conf_file
+
+    def initialize(ident_conf_path = nil)
+      @conf_file = ident_conf_path || File.expand_path('pg_ident.conf', inspec.postgres.conf_dir)
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:map_name,        field: 'map_name')
+          .add(:system_username, field: 'system_username')
+          .add(:pg_username,     field: 'pg_username')
+
+    filter.connect(self, :params)
+
+    def to_s
+      "PostgreSQL Ident Config #{@conf_file}"
+    end
+
+    private
+
+    def filter_comments(data)
+      content = []
+      data.each do |line|
+        line.chomp!
+        content << line unless line.match(/^\s*#/) || line.empty?
+      end
+      content
+    end
+
+    def read_content
+      @content = ''
+      @params = {}
+      @content = filter_comments(read_file(@conf_file))
+      @params = parse_conf(@content)
+    end
+
+    def parse_conf(content)
+      content.map do |line|
+        parse_line(line)
+      end.compact
+    end
+
+    def parse_line(line)
+      x = line.split(/\s+/)
+      {
+        'map_name' => x[0],
+        'system_username' => x[1],
+        'pg_username' => x[2],
+      }
+    end
+
+    def read_file(conf_file = @conf_file)
+      read_file_content(conf_file, allow_empty: true).lines
+    end
+  end
+end

data/lib/resources/postgres_session.rb

@@ -0,0 +1,71 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+
+require 'shellwords'
+
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def lines
+      output.split("\n")
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class PostgresSession < Inspec.resource(1)
+    name 'postgres_session'
+    supports platform: 'unix'
+    supports platform: 'windows'
+    desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
+    example "
+      sql = postgres_session('username', 'password', 'host')
+      query('sql_query', ['database_name'])` contains the query and (optional) database to execute
+
+      # default values:
+      # username: 'postgres'
+      # host: 'localhost'
+      # db: databse == db_user running the sql query
+
+      describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
+        its('output') { should eq '' }
+      end
+    "
+
+    def initialize(user, pass, host = nil)
+      @user = user || 'postgres'
+      @pass = pass
+      @host = host || 'localhost'
+    end
+
+    def query(query, db = [])
+      psql_cmd = create_psql_cmd(query, db)
+      cmd = inspec.command(psql_cmd)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
+        Lines.new(out, "PostgreSQL query with errors: #{query}")
+      else
+        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
+      end
+    end
+
+    private
+
+    def escaped_query(query)
+      Shellwords.escape(query)
+    end
+
+    def create_psql_cmd(query, db = [])
+      dbs = db.map { |x| "-d #{x}" }.join(' ')
+      "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
+    end
+  end
+end