oracle_session and mssql_session improvement

[chris-rock]

• fixes Inspec oracledb_session resource not connecting to the database. #1821
• fix: SID does not work with sqlplus, we need to use service names
• use password instead of pass as argument
• parse result table and make it accessible
• support oracle sqlci tool
• tested against oracle 12c and mysql server 2016

TODO:

• update docs
• unit tests

[aaronlippold]

no love for postgres_session? :)

[aaronlippold]

@chris-rock did you cover the case where the SID and SERVICE_NAME change? With one you need the port/host with the other you don't.

I don't see a service_name param in the current push.

    def db_conn
      if @sid
        "#{@user}/#{@password}@#{@host}:#{@port}/#{@sid}"
      else # using a 'service_name'
        "#{@user}/#{@password}@/#{@service_name}"
      end
    end

With a call like:

 escaped_query = Shellwords.escape(@query)
      cmd = inspec.command("echo -ne \"set heading off\nset echo off\n#{escaped_query}\" | #{@sqlplus_bin} -s #{db_conn_string}")

code:

require 'shellwords'

module Inspec::Resources
  class OracledbSession < Inspec.resource(1)
    name 'oracledb_session'
    desc 'Use the oracledb_session InSpec resource to test commands against an Oracle database'
    example "
      describe oracledb_session(user: 'my_user',
                                password: 'password',
                                host: '192.168.0.10',
                                service_name: 'TESTDB',
                                query: 'SELECT NAME FROM v$database;') do
        it { should be_successful }
        its('output') { should_not match /test/ }
      end

      Required values:
       - user
       - pass
       - sid or service_name
       - query

      Optional values:
       - host (default: localhost)
       - port (default: 1526)
    "

    attr_reader :user, :password, :host, :sid, :sqlplus_bin, :service_name, :port

    def initialize(opts = {})
      @user = opts[:user]
      @host = opts[:host] || 'localhost'
      @port = opts[:port] || '1526'
      @sid = opts[:sid]
      @query = opts[:query]
      @service_name = opts[:service_name]
      @sqlplus_bin = opts[:sqlplus_bin] || 'sqlplus'

      # legacy option was "pass" but we prefer "password" for clarity
      if opts[:pass]
        warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
        @password = opts[:pass]
      else
        @password = opts[:password]
      end

      return skip_resource 'The `oracledb_session` resource does not support Windows yet' if inspec.os.windows?
      return skip_resource 'Username and password are required' if @user.nil? || @password.nil?
      return skip_resource 'You must provide at least an SID and/or a Service Name for the session' if @sid.nil? && @service_name.nil?
    end

    def output
      run_query
      @output
    end

    def errors
      run_query
      @errors
    end

    def successful?
      run_query
      @errors.nil? || @errors.empty?
    end

    def query(q)
      warn '[DEPRECATED] pass query in as an option when creating oracledb_session resource'
      @query = q
      run_query
      self
    end

    def run_query
      return if @query_already_run

      db_conn_string = db_conn
      # escaped_query = @query.gsub(/\\/, '\\\\').gsub(/"/, '\\"')
      escaped_query = Shellwords.escape(@query)
      cmd = inspec.command("echo -ne \"set heading off\nset echo off\n#{escaped_query}\" | #{@sqlplus_bin} -s #{db_conn_string}")
      @output = cmd.stdout
      @errors = cmd.stderr
      @query_already_run = true
    end

    def stdout
      warn '[DEPRECATED] use the `output` method to get the output of the oracle query'
      @output
    end

    def stderr
      warn '[DEPRECATED] use the `errors` method to get the errors from the oracle query'
      @errors
    end

    def db_conn
      if @sid
        "#{@user}/#{@password}@#{@host}:#{@port}/#{@sid}"
      else # using a 'service_name'
        "#{@user}/#{@password}@/#{@service_name}"
      end
    end

    def to_s
      'Oracle Session'
    end
  end
end

[chris-rock]

@aaronlippold postgres is another iteration

[chris-rock]

@aaronlippold we always use a service name, no sid

[aaronlippold]

Hi In the case of Oracle shouldn't we support both side service name? On May 30, 2017 13:39, "Christoph Hartmann" <notifications@github.com> wrote: @aaronlippold <https://github.com/aaronlippold> we always use a service name, no sid — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1857 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABauaPuJopmLMeRNpk7ed4taPIu09_5Qks5r_FQ-gaJpZM4Npn-4> .

[adamleff]

@chris-rock I know this is a WIP, but I have some feedback I'm hoping you'll take into consideration during your next iteration.

[adamleff]

This should go in the gemspec since the InSpec core (and therefore users who install the gem) is relying on it.

[chris-rock]

My bad. Thank you for the reminder!

[adamleff]

parse_result doesn't exist... did you mean parse_csv_result which is below in line 68?

[adamleff]

Use || instead of or

[chris-rock]

+1

[adamleff]

Can we use Shellwords.shellescape instead of these gsubs?

[adamleff]

Let's use a better variable name here, such as parse_method, and since we're already going to convert it to a symbols, let's set it as a symbol here and avoid the indirection.

parse_method = :parse_csv_result

[chris-rock]

Yes, I like that

[adamleff]

Same comment here as on line 50.

[adamleff]

Are there plans to bring nokogiri back in? It has only caused us pain on multiple projects, especially since we support Windows. Can we just remove this TODO and continue to use htmlentities if we need it?

I don't suppose there's a non-HTML markup we can use with Oracle to avoid this?

[chris-rock]

I still try to find a way to circumvent htmlentities

[adamleff]

Can we move this to the top of the file and treat it as first class? I'd rather throw a compile-time error on this when the resource is loaded/eval'd rather than at runtime.

[chris-rock]

Yes

[adamleff]

I'm nitpicking, but this and stderr really bug me because it feels like we're exposing implementation-level details to the user. They shouldn't care that we're making command calls underneath to get the data.

Can we call these output and errors? That way if we ever change the implementation, the method names will still be truthful.

[chris-rock]

Good point. I agree on that. I am going to remove that since there is no need to expose this right now

[YarNhoj]

Since all we are doing is shelling out to sqlplus does this resource require that the stand alone sqlplus client be installed, or are we assuming that the user running the scans has all of the environment variables set up that sqlplus requires to run correctly?

As a non Oracle DB user I would have to set LD_LIBRARY_PATH, ORACLE_HOME, and a couple of other env variables before the sqlplus client would function correctly.

Here's a link to the sqlplus documentation from Oracle http://docs.oracle.com/database/121/SQPUG/ch_two.htm#SQPUG012

In my current use case I have an audit user that checks that seed data was populated correctly after install. This user isn't a DB user and won't have all of the env variables set.

[chris-rock]

@YarNhoj Right now, this expects that the sqlplus client is installed and configured. Do you see any way around this?

[chris-rock]

As discussed with @adamleff in #1857 (comment) we are going to remove stdout. Therefore this is a breaking change now.

[adamleff]

It doesn't have to be... why don't we deprecate stdout with a warning now, and we can add another item to our 2.0 depredations issue to remove it then. What do you think?

[chris-rock]

@adamleff great idea

[adamleff]

Just a few last cleanup things that I'm happy to do myself.

[adamleff]

s/resouce/resource

[adamleff]

Should remove this line.

[adamleff]

s/resouce/resource

[adamleff]

We should eliminate the reference to "SID" from this skip message since we only support service name.

[adamleff]

Sweet update, @chris-rock!