inspec 4.22.1

data/lib/resources/aws/aws_iam_access_key.rb

@@ -0,0 +1,112 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamAccessKey < Inspec.resource(1)
+  name "aws_iam_access_key"
+  desc "Verifies settings for an individual IAM access key"
+  example <<~EXAMPLE
+    describe aws_iam_access_key(username: 'username', id: 'access-key id') do
+      it { should exist }
+      it { should_not be_active }
+      its('create_date') { should be > Time.now - 365 * 86400 }
+      its('last_used_date') { should be > Time.now - 90 * 86400 }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :access_key_id, :create_date, :status, :username
+  alias id access_key_id
+
+  def validate_params(raw_params)
+    recognized_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{username id access_key_id},
+      allowed_scalar_name: :access_key_id,
+      allowed_scalar_type: String
+    )
+
+    # id and access_key_id are aliases; standardize on access_key_id
+    recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
+
+    # Validate format of access_key_id
+    if recognized_params[:access_key_id] &&
+        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
+      raise ArgumentError, "Incorrect format for Access Key ID - expected AKIA followed " \
+            "by 16 letters or numbers"
+    end
+
+    # One of username and access_key_id is required
+    if recognized_params[:username].nil? && recognized_params[:access_key_id].nil?
+      raise ArgumentError, "You must provide at lease one of access_key_id or username to aws_iam_access_key"
+    end
+
+    recognized_params
+  end
+
+  def active?
+    return nil unless exists?
+
+    status == "Active"
+  end
+
+  def to_s
+    "IAM Access-Key #{access_key_id}"
+  end
+
+  def last_used_date
+    return nil unless exists?
+    return @last_used_date if defined? @last_used_date
+
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      @last_used_date = backend.get_access_key_last_used({ access_key_id: access_key_id }).access_key_last_used.last_used_date
+    end
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    query = {}
+    query[:user_name] = username if username
+
+    response = backend.list_access_keys(query)
+
+    access_keys = response.access_key_metadata.select do |key|
+      if access_key_id
+        key.access_key_id == access_key_id
+      else
+        true
+      end
+    end
+
+    if access_keys.empty?
+      @exists = false
+      return
+    end
+
+    if access_keys.count > 1
+      raise "More than one access key matched for aws_iam_access_key.  Use more specific paramaters, such as access_key_id."
+    end
+
+    @exists = true
+    @access_key_id = access_keys[0].access_key_id
+    @username = access_keys[0].user_name
+    @create_date = access_keys[0].create_date
+    @status = access_keys[0].status
+    # Last used date is lazily loaded, separate API call
+  rescue Aws::IAM::Errors::NoSuchEntity
+    @exists = false
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def list_access_keys(query)
+        aws_service_client.list_access_keys(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_access_keys.rb

@@ -0,0 +1,153 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamAccessKeys < Inspec.resource(1)
+  name "aws_iam_access_keys"
+  desc "Verifies settings for AWS IAM Access Keys in bulk"
+  example <<~EXAMPLE
+    describe aws_iam_access_keys do
+      it { should_not exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def validate_params(raw_params)
+    recognized_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{username id access_key_id created_date},
+      allowed_scalar_name: :access_key_id,
+      allowed_scalar_type: String
+    )
+
+    # id and access_key_id are aliases; standardize on access_key_id
+    recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
+    if recognized_params[:access_key_id] &&
+        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
+      raise "Incorrect format for Access Key ID - expected AKIA followed " \
+            "by 16 letters or numbers"
+    end
+
+    recognized_params
+  end
+
+  def fetch_from_api
+    # TODO: this interface should be normalized to match the AWS API
+    criteria = {}
+    criteria[:username] = @username if defined? @username
+    @table = BackendFactory.create(inspec_runner).fetch(criteria)
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:access_key_ids, field: :access_key_id)
+    .register_column(:created_date, field: :create_date)
+    .register_column(:created_days_ago, field: :created_days_ago)
+    .register_column(:created_with_user, field: :created_with_user)
+    .register_column(:created_hours_ago, field: :created_hours_ago)
+    .register_column(:usernames, field: :username)
+    .register_column(:active, field: :active)
+    .register_column(:inactive, field: :inactive)
+    .register_column(:last_used_date, field: :last_used_date)
+    .register_column(:last_used_hours_ago, field: :last_used_hours_ago)
+    .register_column(:last_used_days_ago,  field: :last_used_days_ago)
+    .register_column(:ever_used,           field: :ever_used)
+    .register_column(:never_used,          field: :never_used)
+    .register_column(:user_created_date,   field: :user_created_date)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "IAM Access Keys"
+  end
+
+  # Internal support class.  This is used to fetch
+  # the users and access keys.  We have an abstract
+  # class with a concrete AWS implementation provided here;
+  # a few mock implementations are also provided in the unit tests.
+  class Backend
+    # Implementation of AccessKeyProvider which operates by looping over
+    # all users, then fetching their access keys.
+    # TODO: An alternate, more scalable implementation could be made
+    # using the Credential Report.
+    class AwsUserIterator < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def fetch(criteria)
+        iam_client = aws_service_client
+
+        user_details = {}
+        if criteria.key?(:username)
+          begin
+            user_details[criteria[:username]] = iam_client.get_user(user_name: criteria[:username]).user
+          rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions
+            # Swallow - a miss on search results should return an empty table
+          end
+        else
+          pagination_opts = {}
+          loop do
+            api_result = iam_client.list_users(pagination_opts)
+            api_result.users.each do |info|
+              user_details[info.user_name] = info
+            end
+            break unless api_result.is_truncated
+
+            pagination_opts[:marker] = api_result.marker
+          end
+        end
+
+        access_key_data = []
+        user_details.each_key do |username|
+          begin
+            user_keys = iam_client.list_access_keys(user_name: username)
+              .access_key_metadata
+            user_keys = user_keys.map do |metadata|
+              {
+                access_key_id: metadata.access_key_id,
+                username: username,
+                status: metadata.status,
+                create_date: metadata.create_date, # DateTime.parse(metadata.create_date),
+              }
+            end
+
+            # Copy in from user data
+            # Synthetics
+            user_keys.each do |key_info|
+              add_synthetic_fields(key_info, user_details[username])
+            end
+            access_key_data.concat(user_keys)
+          rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions
+            # Swallow - a miss on search results should return an empty table
+          end
+        end
+        access_key_data
+      end
+
+      def add_synthetic_fields(key_info, user_details) # rubocop:disable Metrics/AbcSize
+        key_info[:id] = key_info[:access_key_id]
+        key_info[:active] = key_info[:status] == "Active"
+        key_info[:inactive] = key_info[:status] != "Active"
+        key_info[:created_hours_ago] = ((Time.now - key_info[:create_date]) / (60 * 60)).to_i
+        key_info[:created_days_ago] = (key_info[:created_hours_ago] / 24).to_i
+        key_info[:user_created_date] = user_details[:create_date]
+        key_info[:created_with_user] = (key_info[:create_date] - key_info[:user_created_date]).abs < 1.0 / 24.0
+
+        # Last used is a separate API call
+        iam_client = aws_service_client
+        last_used =
+          iam_client.get_access_key_last_used(access_key_id: key_info[:access_key_id])
+            .access_key_last_used.last_used_date
+        key_info[:ever_used] = !last_used.nil?
+        key_info[:never_used] = last_used.nil?
+        key_info[:last_used_time] = last_used
+        return unless last_used
+
+        key_info[:last_used_hours_ago] = ((Time.now - last_used) / (60 * 60)).to_i
+        key_info[:last_used_days_ago] = (key_info[:last_used_hours_ago] / 24).to_i
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_group.rb

@@ -0,0 +1,62 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamGroup < Inspec.resource(1)
+  name "aws_iam_group"
+  desc "Verifies settings for AWS IAM Group"
+  example <<~EXAMPLE
+    describe aws_iam_group('mygroup') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :group_name, :users
+
+  def to_s
+    "IAM Group #{group_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:group_name],
+      allowed_scalar_name: :group_name,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a group_name to aws_iam_group."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = AwsIamGroup::BackendFactory.create(inspec_runner)
+
+    begin
+      resp = backend.get_group(group_name: group_name)
+      @exists = true
+      @aws_group_struct = resp[:group]
+      @users = resp[:users].map(&:user_name)
+    rescue Aws::IAM::Errors::NoSuchEntity
+      @exists = false
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def get_group(query)
+        aws_service_client.get_group(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_groups.rb

@@ -0,0 +1,56 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamGroups < Inspec.resource(1)
+  name "aws_iam_groups"
+  desc "Verifies settings for AWS IAM groups in bulk"
+  example <<~EXAMPLE
+    describe aws_iam_groups do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_iam_groups does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_column(:group_names, field: :group_name)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "IAM Groups"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.list_groups(pagination_opts)
+      @table += api_result.groups.map(&:to_h)
+      pagination_opts = { marker: api_result.marker }
+      break unless api_result.is_truncated
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def list_groups(query = {})
+        aws_service_client.list_groups(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_password_policy.rb

@@ -0,0 +1,121 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamPasswordPolicy < Inspec.resource(1)
+  name "aws_iam_password_policy"
+  desc "Verifies iam password policy"
+
+  example <<~EXAMPLE
+    describe aws_iam_password_policy do
+      its('requires_lowercase_characters?') { should be true }
+    end
+
+    describe aws_iam_password_policy do
+      its('requires_uppercase_characters?') { should be true }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(conn = nil)
+    catch_aws_errors do
+      begin
+        if conn
+          # We're in a mocked unit test.
+          @policy = conn.iam_resource.account_password_policy
+        else
+          # Don't use the resource approach.  It's a CRUD operation
+          # - if the policy does not exist, you get back a blank object to  populate and save.
+          # Using the Client will throw an exception if no policy exists.
+          @policy = inspec_runner.backend.aws_client(Aws::IAM::Client).get_account_password_policy.password_policy
+        end
+      rescue Aws::IAM::Errors::NoSuchEntity
+        @policy = nil
+      end
+    end
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource("No AWS credentials available")
+  rescue Aws::Errors::ServiceError => e
+    fail_resource e.message
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+
+  def to_s
+    "IAM Password-Policy"
+  end
+
+  def exists?
+    !@policy.nil?
+  end
+
+  #-------------------------- Properties ----------------------------#
+
+  def minimum_password_length
+    @policy.minimum_password_length
+  end
+
+  def max_password_age_in_days
+    raise "this policy does not expire passwords" unless expire_passwords?
+
+    @policy.max_password_age
+  end
+
+  def number_of_passwords_to_remember
+    raise "this policy does not prevent password reuse" \
+      unless prevent_password_reuse?
+
+    @policy.password_reuse_prevention
+  end
+
+  #-------------------------- Matchers ----------------------------#
+  %i{
+    require_lowercase_characters
+    require_uppercase_characters
+    require_symbols
+    require_numbers
+    expire_passwords
+  }.each do |matcher_stem|
+    # Create our predicates (for example, 'require_symbols?')
+    stem_with_question_mark = (matcher_stem.to_s + "?").to_sym
+    define_method stem_with_question_mark do
+      @policy.send(matcher_stem)
+    end
+    # RSpec will expose that as (for example) `be_require_symbols`.
+    # To undo that, we have to make a matcher alias.
+    stem_with_be = ("be_" + matcher_stem.to_s).to_sym
+    RSpec::Matchers.alias_matcher matcher_stem, stem_with_be
+  end
+
+  # This one has an awkward name mapping
+  def allow_users_to_change_passwords?
+    @policy.allow_users_to_change_password
+  end
+  RSpec::Matchers.alias_matcher :allow_users_to_change_passwords, :be_allow_users_to_change_passwords
+
+  # This one has custom logic and renaming
+  def prevent_password_reuse?
+    !@policy.password_reuse_prevention.nil?
+  end
+  RSpec::Matchers.alias_matcher :prevent_password_reuse, :be_prevent_password_reuse
+end