RubyGems - awspec - Versions diffs - 0.11.0 → 0.12.0 - Mend

awspec 0.11.0 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/awspec.gemspec +1 -1
data/doc/_resource_types/iam_group.md +8 -0
data/doc/_resource_types/iam_role.md +8 -0
data/doc/_resource_types/iam_user.md +8 -0
data/doc/resource_types.md +27 -0
data/lib/awspec/generator/doc/type/iam_group.rb +1 -1
data/lib/awspec/generator/doc/type/iam_role.rb +1 -1
data/lib/awspec/generator/doc/type/iam_user.rb +1 -1
data/lib/awspec/helper/finder/iam.rb +10 -0
data/lib/awspec/matcher.rb +3 -0
data/lib/awspec/matcher/be_allowed_action.rb +12 -0
data/lib/awspec/stub/iam_group.rb +13 -0
data/lib/awspec/stub/iam_role.rb +13 -0
data/lib/awspec/stub/iam_user.rb +13 -0
data/lib/awspec/version.rb +1 -1
metadata +8 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 16910d9cda734c86c840666374dc2c4b76879fbb
-  data.tar.gz: 4155b14d91f07184993c5ae95e7a4145ac00ff04
+  metadata.gz: f2ff02288d8cfff552e9cf1211382f75e504247f
+  data.tar.gz: 96799ca4d6347c76dbfa421967252f5a6287672c
 SHA512:
-  metadata.gz: d2ebfcdabd2c5bc3510d267d8078c103af3342a616af6c73f32eaf1759799eba171b07161d33b31e9e7d38d16887f66663a210dde5ba8e552f850cb9dc62ff55
-  data.tar.gz: 134eb310c685f2a8fdc7686d54f6b1f2ae85996fc3e2d71f475e8d7e6a332b724c7720454c1598c16802a5371957d031784c5bff722053aac394f87d3ec69c41
+  metadata.gz: 4fa8b135318364c8f980bd8f8b8e756f3fe33a19de637b72d47c9ff65529019a562631526dac7a36645e0db959fc26f144449db1348f3a6125c840a53b5636bb
+  data.tar.gz: e1e32e85c6959ad7abb85cbb8edd76edf292044e1f1a6eadcafc6196062fef5adfd4d76a7358dc5f2d9ba8a264fc36928d665d2b8315803518179e1ee2964669

data/awspec.gemspec CHANGED Viewed

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rspec', '~> 3.0'
   spec.add_runtime_dependency 'rspec-its'
-  spec.add_runtime_dependency 'aws-sdk', '~> 2'
+  spec.add_runtime_dependency 'aws-sdk', '~> 2.1.20'
   spec.add_runtime_dependency 'thor'
   spec.add_runtime_dependency 'activesupport'
   spec.add_development_dependency 'bundler', '~> 1.9'

data/doc/_resource_types/iam_group.md ADDED Viewed

@@ -0,0 +1,8 @@
+### be_allowed_action
+```ruby
+describe iam_group('my-iam-group') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```

data/doc/_resource_types/iam_role.md ADDED Viewed

@@ -0,0 +1,8 @@
+### be_allowed_action
+```ruby
+describe iam_role('my-iam-role') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```

data/doc/_resource_types/iam_user.md ADDED Viewed

@@ -0,0 +1,8 @@
+### be_allowed_action
+```ruby
+describe iam_user('my-iam-user') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```

data/doc/resource_types.md CHANGED Viewed

@@ -280,6 +280,15 @@ IamUser resource type.
 ### exist
+### be_allowed_action
+```ruby
+describe iam_user('my-iam-user') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```
 ### have_iam_policy
 ### belong_to_iam_group
@@ -291,6 +300,15 @@ IamGroup resource type.
 ### exist
+### be_allowed_action
+```ruby
+describe iam_group('my-iam-group') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```
 ### have_iam_policy
 ### have_iam_user
@@ -302,6 +320,15 @@ IamRole resource type.
 ### exist
+### be_allowed_action
+```ruby
+describe iam_role('my-iam-role') do
+  it { should be_allowed_action('ec2:DescribeInstances') }
+  it { should be_allowed_action('s3:Put*').resource_arn('arn:aws:s3:::my-bucket-name/*') }
+end
+```
 ### have_iam_policy
 #### its(:path), its(:role_name), its(:role_id), its(:arn), its(:create_date), its(:assume_role_policy_document)

data/lib/awspec/generator/doc/type/iam_group.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Awspec::Generator
           @type_name = 'IamGroup'
           @type = Awspec::Type::IamGroup.new('my-iam-group')
           @ret = @type.resource
-          @matchers = []
+          @matchers = %w(be_allowed_action)
           @ignore_matchers = []
           @describes = []
         end

data/lib/awspec/generator/doc/type/iam_role.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Awspec::Generator
           @type_name = 'IamRole'
           @type = Awspec::Type::IamRole.new('my-iam-role')
           @ret = @type.resource
-          @matchers = []
+          @matchers = %w(be_allowed_action)
           @ignore_matchers = []
           @describes = []
         end

data/lib/awspec/generator/doc/type/iam_user.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Awspec::Generator
           @type_name = 'IamUser'
           @type = Awspec::Type::IamUser.new('my-iam-user')
           @ret = @type.resource
-          @matchers = %w(belong_to_iam_group)
+          @matchers = %w(belong_to_iam_group be_allowed_action)
           @ignore_matchers = []
           @describes = []
         end

data/lib/awspec/helper/finder/iam.rb CHANGED Viewed

@@ -19,6 +19,16 @@ module Awspec::Helper
         end
       end
+      def select_policy_evaluation_results(policy_arn, action_name, resource_arn = nil)
+        options = {
+          policy_source_arn: policy_arn,
+          action_names: [action_name]
+        }
+        options[:resource_arns] = [resource_arn] if resource_arn
+        res = @iam_client.simulate_principal_policy(options)
+        res.evaluation_results
+      end
       def select_iam_group_by_user_name(user_name)
         res = @iam_client.list_groups_for_user({
                                                  user_name: user_name

data/lib/awspec/matcher.rb CHANGED Viewed

@@ -16,3 +16,6 @@ require 'awspec/matcher/have_route'
 # IAM User
 require 'awspec/matcher/belong_to_iam_group'
+# IAM User/Group/Role
+require 'awspec/matcher/be_allowed_action'

data/lib/awspec/matcher/be_allowed_action.rb ADDED Viewed

@@ -0,0 +1,12 @@
+RSpec::Matchers.define :be_allowed_action do |action_name|
+  match do |resource|
+    results = resource.select_policy_evaluation_results(resource.resource[:arn], action_name, @resource_arn)
+    results.find do |result|
+      result.eval_decision == 'allowed'
+    end
+  end
+  chain :resource_arn do |arn|
+    @resource_arn = arn
+  end
+end

data/lib/awspec/stub/iam_group.rb CHANGED Viewed

@@ -38,6 +38,19 @@ Aws.config[:iam] = {
       ],
       is_truncated: false,
       marker: nil
+    },
+    simulate_principal_policy: {
+      evaluation_results: [
+        {
+          eval_action_name: 'ec2:DescribeInstances',
+          eval_resource_name: '*',
+          eval_decision: 'allowed',
+          matched_statements: [
+          ]
+        }
+      ],
+      is_truncated: false,
+      marker: nil
     }
   }
 }

data/lib/awspec/stub/iam_role.rb CHANGED Viewed

@@ -18,6 +18,19 @@ Aws.config[:iam] = {
       ],
       is_truncated: false,
       marker: nil
+    },
+    simulate_principal_policy: {
+      evaluation_results: [
+        {
+          eval_action_name: 'ec2:DescribeInstances',
+          eval_resource_name: '*',
+          eval_decision: 'allowed',
+          matched_statements: [
+          ]
+        }
+      ],
+      is_truncated: false,
+      marker: nil
     }
   }
 }

data/lib/awspec/stub/iam_user.rb CHANGED Viewed

@@ -29,6 +29,19 @@ Aws.config[:iam] = {
       ],
       is_truncated: false,
       marker: nil
+    },
+    simulate_principal_policy: {
+      evaluation_results: [
+        {
+          eval_action_name: 'ec2:DescribeInstances',
+          eval_resource_name: '*',
+          eval_decision: 'allowed',
+          matched_statements: [
+          ]
+        }
+      ],
+      is_truncated: false,
+      marker: nil
     }
   }
 }

data/lib/awspec/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Awspec
-  VERSION = '0.11.0'
+  VERSION = '0.12.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: awspec
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.0
 platform: ruby
 authors:
 - k1LoW
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-09-14 00:00:00.000000000 Z
+date: 2015-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: 2.1.20
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: 2.1.20
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -157,6 +157,9 @@ files:
 - bin/awspec
 - doc/_resource_types/ec2.md
 - doc/_resource_types/elb.md
+- doc/_resource_types/iam_group.md
+- doc/_resource_types/iam_role.md
+- doc/_resource_types/iam_user.md
 - doc/_resource_types/lambda.md
 - doc/_resource_types/rds_db_parameter_group.md
 - doc/_resource_types/security_group.md
@@ -210,6 +213,7 @@ files:
 - lib/awspec/helper/finder/vpc.rb
 - lib/awspec/helper/type.rb
 - lib/awspec/matcher.rb
+- lib/awspec/matcher/be_allowed_action.rb
 - lib/awspec/matcher/be_opened.rb
 - lib/awspec/matcher/belong_to_db_subnet_group.rb
 - lib/awspec/matcher/belong_to_iam_group.rb