lib/resources/host.rb
# encoding: utf-8 # Usage: # describe host('example.com') do # it { should be_resolvable } # it { should be_reachable } # its('ipaddress') { should include '93.184.216.34' } # end # # To verify a hostname with protocol and port # describe host('example.com', port: 443, protocol: 'tcp') do # it { should be_reachable } # end # # We do not support the following serverspec syntax: # describe host('example.com') do # it { should be_reachable.with( :port => 22 ) } # it { should be_reachable.with( :port => 22, :proto => 'tcp' ) } # it { should be_reachable.with( :port => 53, :proto => 'udp' ) } # # it { should be_resolvable.by('hosts') } # it { should be_resolvable.by('dns') } # end require 'resolv' module Inspec::Resources class Host < Inspec.resource(1) name 'host' supports platform: 'unix' supports platform: 'windows' desc 'Use the host InSpec audit resource to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.' example " describe host('example.com') do it { should be_reachable } it { should be_resolvable } its('ipaddress') { should include '12.34.56.78' } end describe host('example.com', port: '80', protocol: 'tcp') do it { should be_reachable } end " attr_reader :hostname, :port, :protocol def initialize(hostname, params = {}) @hostname = hostname @port = params[:port] if params[:proto] warn '[DEPRECATION] The `proto` parameter is deprecated. Use `protocol` instead.' @protocol = params[:proto] else @protocol = params.fetch(:protocol, 'icmp') end @host_provider = nil if inspec.os.linux? @host_provider = LinuxHostProvider.new(inspec) elsif inspec.os.windows? return skip_resource 'Invalid protocol: only `tcp` and `icmp` protocols are support for the `host` resource on your OS.' unless %w{icmp tcp}.include?(@protocol) @host_provider = WindowsHostProvider.new(inspec) elsif inspec.os.darwin? @host_provider = DarwinHostProvider.new(inspec) else return skip_resource 'The `host` resource is not supported on your OS yet.' end missing_requirements = @host_provider.missing_requirements(protocol) return skip_resource 'The following requirements are not met for this resource: ' \ "#{missing_requirements.join(', ')}" unless missing_requirements.empty? end def proto warn '[DEPRECATION] The `proto` method is deprecated. Use `protocol` instead.' protocol end # if we get the IP address, the host is resolvable def resolvable?(type = nil) warn "The `host` resource ignores #{type} parameters. Continue to resolve host." if !type.nil? resolve.nil? || resolve.empty? ? false : true end def reachable? # ping checks do not require port or protocol return ping.fetch(:success, false) if protocol == 'icmp' # if either port or protocol are specified but not both, we cannot proceed. if port.nil? || protocol.nil? raise "Protocol required with port. Use `host` resource with host('#{hostname}', port: 1234, proto: 'tcp') parameters." if port.nil? || protocol.nil? end # perform the protocol-specific reachability test ping.fetch(:success, false) end def connection ping[:connection] end def socket ping[:socket] end # returns all A records of the IP address, will return an array def ipaddress resolve.nil? || resolve.empty? ? nil : resolve end def to_s resource_name = "Host #{hostname}" resource_name += " port #{port} proto #{protocol}" if port resource_name end private def ping return @ping_cache if defined?(@ping_cache) return {} if @host_provider.nil? @ping_cache = @host_provider.ping(hostname, port, protocol) end def resolve return @ip_cache if defined?(@ip_cache) @ip_cache = @host_provider.resolve(hostname) if !@host_provider.nil? end end class HostProvider attr_reader :inspec def initialize(inspec) @inspec = inspec end def missing_requirements(_protocol) # each provider can return an array of missing requirements that can # be enumerated in a skip_resource message [] end end class UnixHostProvider < HostProvider def initialize(inspec) super @has_nc = inspec.command('nc').exist? @has_ncat = inspec.command('ncat').exist? @has_net_redirections = inspec.command("strings `which bash` | grep -qE '/dev/(tcp|udp)/'").exit_status == 0 end def missing_requirements(protocol) missing = [] if %w{tcp udp}.include?(protocol) && !@has_nc && !@has_ncat if @has_net_redirections missing << "#{timeout} (part of coreutils) or netcat must be installed" unless inspec.command(timeout).exist? else missing << 'netcat must be installed' end end missing end def ping(hostname, port, protocol) if %w{tcp udp}.include?(protocol) if @has_nc || @has_ncat resp = inspec.command(netcat_check_command(hostname, port, protocol)) else resp = inspec.command("#{timeout} 1 bash -c \"< /dev/#{protocol}/#{hostname}/#{port}\"") end else # fall back to ping, but we can only test ICMP packages with ping resp = inspec.command("ping -w 1 -c 1 #{hostname}") end { success: resp.exit_status.to_i.zero?, connection: resp.stderr, socket: resp.stdout, } end def netcat_check_command(hostname, port, protocol) if @has_nc base_cmd = 'nc' elsif @has_ncat base_cmd = 'ncat' else return end if protocol == 'udp' extra_flags = '-u' else extra_flags = '' end "echo | #{base_cmd} -v -w 1 #{extra_flags} #{hostname} #{port}" end def timeout 'timeout' end def resolve_with_dig(hostname) addresses = [] # look for IPv4 addresses cmd = inspec.command("dig +short A #{hostname}") cmd.stdout.lines.each do |line| matched = line.chomp.match(Resolv::IPv4::Regex) addresses << matched.to_s unless matched.nil? end # look for IPv6 addresses cmd = inspec.command("dig +short AAAA #{hostname}") cmd.stdout.lines.each do |line| matched = line.chomp.match(Resolv::IPv6::Regex) addresses << matched.to_s unless matched.nil? end addresses.empty? ? nil : addresses end def resolve_with_getent(hostname) cmd = inspec.command("getent ahosts #{hostname}") return nil unless cmd.exit_status.to_i.zero? # getent ahosts output is formatted like so: # $ getent ahosts www.google.com # 172.217.8.4 STREAM www.google.com # 172.217.8.4 DGRAM # 172.217.8.4 RAW # 2607:f8b0:4004:803::2004 STREAM # 2607:f8b0:4004:803::2004 DGRAM # 2607:f8b0:4004:803::2004 RAW addresses = [] cmd.stdout.lines.each do |line| ip, = line.split(/\s+/, 2) next unless ip.match(Resolv::IPv4::Regex) || ip.match(Resolv::IPv6::Regex) addresses << ip unless addresses.include?(ip) end addresses end end class DarwinHostProvider < UnixHostProvider def timeout 'gtimeout' end def resolve(hostname) resolve_with_dig(hostname) end end class LinuxHostProvider < UnixHostProvider def resolve(hostname) resolve_with_getent(hostname) end end # Windows # TODO: UDP is not supported yey, we need a custom ps1 script to add udp support # @see http://blogs.technet.com/b/josebda/archive/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup.aspx # @see http://blogs.technet.com/b/heyscriptingguy/archive/2014/03/19/creating-a-port-scanner-with-windows-powershell.aspx class WindowsHostProvider < HostProvider def ping(hostname, port = nil, _proto = nil) # ICMP: Test-NetConnection www.microsoft.com # TCP and port: Test-NetConnection -ComputerName www.microsoft.com -RemotePort 80 request = "Test-NetConnection -ComputerName #{hostname} -WarningAction SilentlyContinue" request += " -RemotePort #{port}" unless port.nil? request += '| Select-Object -Property ComputerName, TcpTestSucceeded, PingSucceeded | ConvertTo-Json' cmd = inspec.command(request) begin ping = JSON.parse(cmd.stdout) rescue JSON::ParserError => _e return {} end { success: port.nil? ? ping['PingSucceeded'] : ping['TcpTestSucceeded'] } end def resolve(hostname) cmd = inspec.command("Resolve-DnsName –Type A #{hostname} | ConvertTo-Json") begin resolv = JSON.parse(cmd.stdout) rescue JSON::ParserError => _e return nil end resolv = [resolv] unless resolv.is_a?(Array) resolv.map { |entry| entry['IPAddress'] } end end end