inspec 4.22.1

data/lib/resources/aws/aws_security_group.rb

@@ -0,0 +1,314 @@
+require "set"
+require "ipaddr"
+
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsSecurityGroup < Inspec.resource(1)
+  name "aws_security_group"
+  desc "Verifies settings for an individual AWS Security Group."
+  example <<~EXAMPLE
+    describe aws_security_group('sg-12345678') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :description, :group_id, :group_name, :vpc_id, :inbound_rules, :outbound_rules, :inbound_rules_count, :outbound_rules_count
+
+  def to_s
+    "EC2 Security Group #{@group_id}"
+  end
+
+  def allow_in?(criteria = {})
+    allow(inbound_rules, criteria.dup)
+  end
+  RSpec::Matchers.alias_matcher :allow_in, :be_allow_in
+
+  def allow_out?(criteria = {})
+    allow(outbound_rules, criteria.dup)
+  end
+  RSpec::Matchers.alias_matcher :allow_out, :be_allow_out
+
+  def allow_in_only?(criteria = {})
+    allow_only(inbound_rules, criteria.dup)
+  end
+  RSpec::Matchers.alias_matcher :allow_in_only, :be_allow_in_only
+
+  def allow_out_only?(criteria = {})
+    allow_only(outbound_rules, criteria.dup)
+  end
+  RSpec::Matchers.alias_matcher :allow_out_only, :be_allow_out_only
+
+  private
+
+  def allow_only(rules, criteria)
+    rules = allow__focus_on_position(rules, criteria)
+    # allow_{in_out}_only require either a single-rule group, or you
+    # to select a rule using position.
+    return false unless rules.count == 1 || criteria.key?(:position)
+
+    if criteria.key?(:security_group)
+      if criteria.key?(:position)
+        pos = criteria[:position] - 1
+      else
+        pos = 0
+      end
+      return false unless rules[pos].key?(:user_id_group_pairs) && rules[pos][:user_id_group_pairs].count == 1
+    end
+    criteria[:exact] = true
+    allow(rules, criteria)
+  end
+
+  def allow(rules, criteria)
+    criteria = allow__check_criteria(criteria)
+    rules = allow__focus_on_position(rules, criteria)
+
+    rules.any? do |rule|
+      matched = true
+      matched &&= allow__match_port(rule, criteria)
+      matched &&= allow__match_protocol(rule, criteria)
+      matched &&= allow__match_ipv4_range(rule, criteria)
+      matched &&= allow__match_ipv6_range(rule, criteria)
+      matched &&= allow__match_security_group(rule, criteria)
+      matched
+    end
+  end
+
+  def allow__check_criteria(raw_criteria)
+    allowed_criteria = [
+      :from_port,
+      :ipv4_range,
+      :ipv6_range,
+      :security_group,
+      :port,
+      :position,
+      :protocol,
+      :to_port,
+      :exact, # Internal
+    ]
+    recognized_criteria = {}
+    allowed_criteria.each do |expected_criterion|
+      if raw_criteria.key?(expected_criterion)
+        recognized_criteria[expected_criterion] = raw_criteria.delete(expected_criterion)
+      end
+    end
+
+    # Any leftovers are unwelcome
+    unless raw_criteria.empty?
+      raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(",")}'. Expected criteria: #{allowed_criteria.join(", ")}"
+    end
+
+    recognized_criteria
+  end
+
+  def allow__focus_on_position(rules, criteria)
+    return rules unless criteria.key?(:position)
+
+    idx = criteria.delete(:position)
+
+    # Normalize to a zero-based numeric index
+    case # rubocop: disable Style/EmptyCaseCondition
+    when idx.is_a?(Symbol) && idx == :first
+      idx = 0
+    when idx.is_a?(Symbol) && idx == :last
+      idx = rules.count - 1
+    when idx.is_a?(String)
+      idx = idx.to_i - 1 # We document this as 1-based, so adjust to be zero-based.
+    when idx.is_a?(Numeric)
+      idx -= 1 # We document this as 1-based, so adjust to be zero-based.
+    else
+      raise ArgumentError, "aws_security_group 'allow' 'position' criteria must be an integer or the symbols :first or :last"
+    end
+
+    unless idx < rules.count
+      raise ArgumentError, "aws_security_group 'allow' 'position' criteria #{idx + 1} is out of range - there are only #{rules.count} rules for security group #{group_id}."
+    end
+
+    [rules[idx]]
+  end
+
+  def allow__match_port(rule, criteria) # rubocop: disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize
+    if criteria[:exact] || criteria[:from_port] || criteria[:to_port]
+      # Exact match mode
+      # :port is shorthand for a single-valued port range.
+      criteria[:to_port] = criteria[:from_port] = criteria[:port] if criteria[:port]
+      to = criteria[:to_port]
+      from = criteria[:from_port]
+      # It's a match if neither criteria was specified
+      return true if to.nil? && from.nil?
+
+      # Normalize to integers
+      to = to.to_i unless to.nil?
+      from = from.to_i unless from.nil?
+      # It's a match if either was specified and the other was not
+      return true if rule[:to_port] == to && from.nil?
+      return true if rule[:from_port] == from && to.nil?
+
+      # Finally, both must match.
+      rule[:to_port] == to && rule[:from_port] == from
+    elsif !criteria[:port]
+      # port not specified, match anything
+      true
+    else
+      # Range membership mode
+      rule_from = rule[:from_port] || 0
+      rule_to = rule[:to_port] || 65535
+      (rule_from..rule_to).cover?(criteria[:port].to_i)
+    end
+  end
+
+  def allow__match_protocol(rule, criteria)
+    return true unless criteria.key?(:protocol)
+
+    prot = criteria[:protocol]
+    # We provide a "fluency alias" for -1 (any).
+    prot = "-1" if prot == "any"
+
+    rule[:ip_protocol] == prot
+  end
+
+  def match_ipv4_or_6_range(rule, criteria)
+    if criteria.key?(:ipv4_range)
+      query = criteria[:ipv4_range]
+      query = [query] unless query.is_a?(Array)
+      ranges = rule[:ip_ranges].map { |rng| rng[:cidr_ip] }
+    else # IPv6
+      query = criteria[:ipv6_range]
+      query = [query] unless query.is_a?(Array)
+      ranges = rule[:ipv_6_ranges].map { |rng| rng[:cidr_ipv_6] }
+    end
+
+    if criteria[:exact]
+      Set.new(query) == Set.new(ranges)
+    else
+      # CIDR subset mode
+      # "Each of the provided IP ranges must be a member of one of the rule's listed IP ranges"
+      query.all? do |candidate|
+        candidate = IPAddr.new(candidate)
+        ranges.any? do |range|
+          range = IPAddr.new(range)
+          range.include?(candidate)
+        end
+      end
+    end
+  end
+
+  def allow__match_ipv4_range(rule, criteria)
+    return true unless criteria.key?(:ipv4_range)
+
+    match_ipv4_or_6_range(rule, criteria)
+  end
+
+  def allow__match_ipv6_range(rule, criteria)
+    return true unless criteria.key?(:ipv6_range)
+
+    match_ipv4_or_6_range(rule, criteria)
+  end
+
+  def allow__match_security_group(rule, criteria)
+    return true unless criteria.key?(:security_group)
+
+    query = criteria[:security_group]
+    return false unless rule[:user_id_group_pairs]
+
+    rule[:user_id_group_pairs].any? { |group| query == group[:group_id] }
+  end
+
+  def validate_params(raw_params)
+    recognized_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{id group_id group_name vpc_id},
+      allowed_scalar_name: :group_id,
+      allowed_scalar_type: String
+    )
+
+    # id is an alias for group_id
+    recognized_params[:group_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
+
+    if recognized_params.key?(:group_id) && recognized_params[:group_id] !~ /^sg\-[0-9a-f]{8}/
+      raise ArgumentError, 'aws_security_group security group ID must be in the format "sg-" followed by 8 hexadecimal characters.'
+    end
+
+    if recognized_params.key?(:vpc_id) && recognized_params[:vpc_id] !~ /^vpc\-[0-9a-f]{8}/
+      raise ArgumentError, 'aws_security_group VPC ID must be in the format "vpc-" followed by 8 hexadecimal characters.'
+    end
+
+    validated_params = recognized_params
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group."
+    end
+
+    validated_params
+  end
+
+  def count_sg_rules(ip_permissions)
+    rule_count = 0
+    ip_permissions.each do |ip_permission|
+      %i{ip_ranges ipv_6_ranges user_id_group_pairs}.each do |key|
+        if ip_permission.key? key
+          rule_count += ip_permission[key].length
+        end
+      end
+    end
+    rule_count
+  end
+
+  def fetch_from_api # rubocop: disable Metrics/AbcSize
+    backend = BackendFactory.create(inspec_runner)
+
+    # Transform into filter format expected by AWS
+    filters = []
+    %i{
+      description
+      group_id
+      group_name
+      vpc_id
+    }.each do |criterion_name|
+      instance_var = "@#{criterion_name}".to_sym
+      next unless instance_variable_defined?(instance_var)
+
+      val = instance_variable_get(instance_var)
+      next if val.nil?
+
+      filters.push(
+        {
+          name: criterion_name.to_s.tr("_", "-"),
+          values: [val],
+        }
+      )
+    end
+    dsg_response = backend.describe_security_groups(filters: filters)
+
+    if dsg_response.security_groups.empty?
+      @exists = false
+      @inbound_rules = []
+      @outbound_rules = []
+      return
+    end
+
+    @exists = true
+    @description = dsg_response.security_groups[0].description
+    @group_id   = dsg_response.security_groups[0].group_id
+    @group_name = dsg_response.security_groups[0].group_name
+    @vpc_id     = dsg_response.security_groups[0].vpc_id
+    @inbound_rules = dsg_response.security_groups[0].ip_permissions.map(&:to_h)
+    @inbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions.map(&:to_h))
+    @outbound_rules = dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h)
+    @outbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h))
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_security_groups(query)
+        aws_service_client.describe_security_groups(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_security_groups.rb

@@ -0,0 +1,71 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsSecurityGroups < Inspec.resource(1)
+  name "aws_security_groups"
+  desc "Verifies settings for AWS Security Groups in bulk"
+  example <<~EXAMPLE
+    # Verify that you have security groups defined
+    describe aws_security_groups do
+      it { should exist }
+    end
+
+    # Verify you have more than the default security group
+    describe aws_security_groups do
+      its('entries.count') { should be > 1 }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:group_ids, field: :group_id)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "EC2 Security Groups"
+  end
+
+  private
+
+  def validate_params(raw_criteria)
+    unless raw_criteria.is_a? Hash
+      raise "Unrecognized criteria for fetching Security Groups. " \
+            "Use 'criteria: value' format."
+    end
+
+    # No criteria yet
+    unless raw_criteria.empty?
+      raise ArgumentError, "aws_ec2_security_groups does not currently accept resource parameters."
+    end
+
+    raw_criteria
+  end
+
+  def fetch_from_api
+    @table = []
+    backend = BackendFactory.create(inspec_runner)
+    backend.describe_security_groups({}).security_groups.each do |sg_info|
+      @table.push({
+                    group_id: sg_info.group_id,
+                    group_name: sg_info.group_name,
+                    vpc_id: sg_info.vpc_id,
+                  })
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_security_groups(query)
+        aws_service_client.describe_security_groups(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_sns_subscription.rb

@@ -0,0 +1,82 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-sns"
+
+class AwsSnsSubscription < Inspec.resource(1)
+  name "aws_sns_subscription"
+  desc "Verifies settings for an SNS Subscription"
+  example <<~EXAMPLE
+    describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
+      it { should_not have_raw_message_delivery }
+      it { should be_confirmation_authenticated }
+      its('owner') { should cmp '12345678' }
+      its('topic_arn') { should cmp 'arn:aws:sns:us-east-1::test-topic-01' }
+      its('endpoint') { should cmp 'arn:aws:sqs:us-east-1::test-queue-01' }
+      its('protocol') { should cmp 'sqs' }
+    end
+  EXAMPLE
+
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :arn, :owner, :raw_message_delivery, :topic_arn, :endpoint, :protocol,
+              :confirmation_was_authenticated, :aws_response
+
+  alias confirmation_authenticated? confirmation_was_authenticated
+  alias raw_message_delivery? raw_message_delivery
+
+  def has_raw_message_delivery?
+    raw_message_delivery
+  end
+
+  def to_s
+    "SNS Subscription #{@arn}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:subscription_arn],
+      allowed_scalar_name: :subscription_arn,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a subscription_arn to aws_sns_subscription."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      begin
+        aws_response = backend.get_subscription_attributes(subscription_arn: @subscription_arn).attributes
+        @exists = true
+        @owner = aws_response["Owner"]
+        @raw_message_delivery = aws_response["RawMessageDelivery"].eql?("true")
+        @topic_arn = aws_response["TopicArn"]
+        @endpoint = aws_response["Endpoint"]
+        @protocol = aws_response["Protocol"]
+        @confirmation_was_authenticated = aws_response["ConfirmationWasAuthenticated"].eql?("true")
+      rescue Aws::SNS::Errors::NotFound
+        @exists = false
+        return
+      end
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::SNS::Client
+
+      def get_subscription_attributes(criteria)
+        aws_service_client.get_subscription_attributes(criteria)
+      end
+    end
+  end
+end