inspec 4.22.1

data/lib/resources/aws/aws_iam_user.rb

@@ -0,0 +1,145 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamUser < Inspec.resource(1)
+  name "aws_iam_user"
+  desc "Verifies settings for AWS IAM user"
+  example <<~EXAMPLE
+    describe aws_iam_user(username: 'test_user') do
+      it { should have_mfa_enabled }
+      it { should_not have_console_password }
+      it { should_not have_inline_user_policies }
+      it { should_not have_attached_user_policies }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :access_keys, :attached_policy_names, :attached_policy_arns, \
+              :has_console_password, :has_mfa_enabled, :inline_policy_names, :username
+  alias has_mfa_enabled? has_mfa_enabled
+  alias has_console_password? has_console_password
+
+  def name
+    Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_user `name` property is deprecated. Please use `username` instead")
+    username
+  end
+
+  def to_s
+    "IAM User #{username}"
+  end
+
+  def has_attached_policies?
+    return nil unless exists?
+
+    !attached_policy_names.empty?
+  end
+
+  def has_inline_policies?
+    return nil unless exists?
+
+    !inline_policy_names.empty?
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{username aws_user_struct name user},
+      allowed_scalar_name: :username,
+      allowed_scalar_type: String
+    )
+    # If someone passed :name, rename it to :username
+    if validated_params.key?(:name)
+      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `name` property is deprecated. Please use `username` instead")
+      validated_params[:username] = validated_params.delete(:name)
+    end
+
+    # If someone passed :user, rename it to :aws_user_struct
+    if validated_params.key?(:user)
+      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `user` property is deprecated. Please use `aws_user_struct` instead")
+      validated_params[:aws_user_struct] = validated_params.delete(:user)
+    end
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a username to aws_iam_user."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @aws_user_struct ||= nil # silence unitialized warning
+    unless @aws_user_struct
+      begin
+        @aws_user_struct = backend.get_user(user_name: username)
+      rescue Aws::IAM::Errors::NoSuchEntity
+        @exists = false
+        @access_keys = []
+        @inline_policy_names = []
+        @attached_policy_arns = []
+        @attached_policy_names = []
+        return
+      end
+    end
+    # TODO: extract properties from aws_user_struct?
+
+    @exists = true
+
+    begin
+      _login_profile = backend.get_login_profile(user_name: username)
+      @has_console_password = true
+      # Password age also available here
+    rescue Aws::IAM::Errors::NoSuchEntity
+      @has_console_password = false
+    end
+
+    mfa_info = backend.list_mfa_devices(user_name: username)
+    @has_mfa_enabled = !mfa_info.mfa_devices.empty?
+
+    # TODO: consider returning InSpec AwsIamAccessKey objects
+    @access_keys = backend.list_access_keys(user_name: username).access_key_metadata
+    # If the above call fails, we get nil here; but we promise access_keys will be an array.
+    @access_keys ||= []
+
+    @inline_policy_names = backend.list_user_policies(user_name: username).policy_names
+
+    attached_policies = backend.list_attached_user_policies(user_name: username).attached_policies
+    @attached_policy_arns = attached_policies.map { |p| p[:policy_arn] }
+    @attached_policy_names = attached_policies.map { |p| p[:policy_name] }
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def get_user(criteria)
+        aws_service_client.get_user(criteria)
+      end
+
+      def get_login_profile(criteria)
+        aws_service_client.get_login_profile(criteria)
+      end
+
+      def list_mfa_devices(criteria)
+        aws_service_client.list_mfa_devices(criteria)
+      end
+
+      def list_access_keys(criteria)
+        aws_service_client.list_access_keys(criteria)
+      end
+
+      def list_user_policies(criteria)
+        aws_service_client.list_user_policies(criteria)
+      end
+
+      def list_attached_user_policies(criteria)
+        aws_service_client.list_attached_user_policies(criteria)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_users.rb

@@ -0,0 +1,160 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamUsers < Inspec.resource(1)
+  name "aws_iam_users"
+  desc "Verifies settings for AWS IAM users"
+  example <<~EXAMPLE
+    describe aws_iam_users.where(has_mfa_enabled?: false) do
+      it { should_not exist }
+    end
+    describe aws_iam_users.where(has_console_password?: true) do
+      it { should exist }
+    end
+    describe aws_iam_users.where(has_inline_policies?: true) do
+      it { should_not exist }
+    end
+    describe aws_iam_users.where(has_attached_policies?: true) do
+      it { should_not exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  def self.lazy_get_login_profile(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    begin
+      _login_profile = backend.get_login_profile(user_name: row[:user_name])
+      row[:has_console_password] = true
+    rescue Aws::IAM::Errors::NoSuchEntity
+      row[:has_console_password] = false
+    end
+    row[:has_console_password?] = row[:has_console_password]
+  end
+
+  def self.lazy_list_mfa_devices(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    begin
+      aws_mfa_devices = backend.list_mfa_devices(user_name: row[:user_name])
+      row[:has_mfa_enabled] = !aws_mfa_devices.mfa_devices.empty?
+    rescue Aws::IAM::Errors::NoSuchEntity
+      row[:has_mfa_enabled] = false
+    end
+    row[:has_mfa_enabled?] = row[:has_mfa_enabled]
+  end
+
+  def self.lazy_list_user_policies(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    row[:inline_policy_names] = backend.list_user_policies(user_name: row[:user_name]).policy_names
+    row[:has_inline_policies] = !row[:inline_policy_names].empty?
+    row[:has_inline_policies?] = row[:has_inline_policies]
+  end
+
+  def self.lazy_list_attached_policies(row, _criterion, table)
+    backend = BackendFactory.create(table.resource.inspec_runner)
+    attached_policies = backend.list_attached_user_policies(user_name: row[:user_name]).attached_policies
+    row[:has_attached_policies] = !attached_policies.empty?
+    row[:has_attached_policies?] = row[:has_attached_policies]
+    row[:attached_policy_names] = attached_policies.map { |p| p[:policy_name] }
+    row[:attached_policy_arns] = attached_policies.map { |p| p[:policy_arn] }
+  end
+
+  filter = FilterTable.create
+
+  # These are included on the initial fetch
+  filter.register_column(:usernames, field: :user_name)
+    .register_column(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
+    .register_column(:password_ever_used?, field: :password_ever_used?)
+    .register_column(:password_never_used?, field: :password_never_used?)
+    .register_column(:password_last_used_days_ago, field: :password_last_used_days_ago)
+
+  # Remaining properties / criteria are handled lazily, grouped by fetcher
+  filter.register_column(:has_console_password?, field: :has_console_password?, lazy: method(:lazy_get_login_profile))
+    .register_column(:has_console_password, field: :has_console_password, lazy: method(:lazy_get_login_profile))
+
+  filter.register_column(:has_mfa_enabled?, field: :has_mfa_enabled?, lazy: method(:lazy_list_mfa_devices))
+    .register_column(:has_mfa_enabled, field: :has_mfa_enabled, lazy: method(:lazy_list_mfa_devices))
+
+  filter.register_column(:has_inline_policies?, field: :has_inline_policies?, lazy: method(:lazy_list_user_policies))
+    .register_column(:has_inline_policies, field: :has_inline_policies, lazy: method(:lazy_list_user_policies))
+    .register_column(:inline_policy_names, field: :inline_policy_names, style: :simple, lazy: method(:lazy_list_user_policies))
+
+  filter.register_column(:has_attached_policies?, field: :has_attached_policies?, lazy: method(:lazy_list_attached_policies))
+    .register_column(:has_attached_policies, field: :has_attached_policies, lazy: method(:lazy_list_attached_policies))
+    .register_column(:attached_policy_names, field: :attached_policy_names, style: :simple, lazy: method(:lazy_list_attached_policies))
+    .register_column(:attached_policy_arns, field: :attached_policy_arns, style: :simple, lazy: method(:lazy_list_attached_policies))
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def validate_params(raw_params)
+    # No params yet
+    unless raw_params.empty?
+      raise ArgumentError, "aws_iam_users does not accept resource parameters"
+    end
+
+    raw_params
+  end
+
+  def fetch_from_api_paginated(backend)
+    table = []
+    page_marker = nil
+    loop do
+      api_result = backend.list_users(marker: page_marker)
+      table += api_result.users.map(&:to_h)
+      page_marker = api_result.marker
+      break unless api_result.is_truncated
+    end
+    table
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = fetch_from_api_paginated(backend)
+
+    @table.each do |user|
+      password_last_used = user[:password_last_used]
+      user[:password_ever_used?] = !password_last_used.nil?
+      user[:password_never_used?] = password_last_used.nil?
+      if user[:password_ever_used?]
+        user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24 * 60 * 60)).to_i
+      end
+    end
+    @table
+  end
+
+  def to_s
+    "IAM Users"
+  end
+
+  #===========================================================================#
+  #                        Backend Implementation
+  #===========================================================================#
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      # TODO: delegate this out
+      def list_users(query = {})
+        aws_service_client.list_users(query)
+      end
+
+      def get_login_profile(query)
+        aws_service_client.get_login_profile(query)
+      end
+
+      def list_mfa_devices(query)
+        aws_service_client.list_mfa_devices(query)
+      end
+
+      def list_user_policies(query)
+        aws_service_client.list_user_policies(query)
+      end
+
+      def list_attached_user_policies(query)
+        aws_service_client.list_attached_user_policies(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_kms_key.rb

@@ -0,0 +1,100 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-kms"
+
+class AwsKmsKey < Inspec.resource(1)
+  name "aws_kms_key"
+  desc "Verifies settings for an individual AWS KMS Key"
+  example <<~EXAMPLE
+    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
+      it { should exist }
+    end
+  EXAMPLE
+
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
+              :deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
+              :has_rotation_enabled, :enabled
+  # Use aliases for matchers
+  alias deletion_time deletion_date
+  alias invalidation_time valid_to
+  alias external? external
+  alias enabled? enabled
+  alias managed_by_aws? managed_by_aws
+  alias has_key_expiration? has_key_expiration
+  alias has_rotation_enabled? has_rotation_enabled
+
+  def to_s
+    "KMS Key #{@key_id}"
+  end
+
+  def created_days_ago
+    ((Time.now - creation_date) / (24 * 60 * 60)).to_i unless creation_date.nil?
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:key_id],
+      allowed_scalar_name: :key_id,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'key_id' to aws_kms_key."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    query = { key_id: @key_id }
+    catch_aws_errors do
+      begin
+        resp = backend.describe_key(query)
+
+        @exists = true
+        @key = resp.key_metadata.to_h
+        @key_id = @key[:key_id]
+        @arn = @key[:arn]
+        @creation_date = @key[:creation_date]
+        @enabled = @key[:enabled]
+        @description = @key[:description]
+        @key_usage = @key[:key_usage]
+        @key_state = @key[:key_state]
+        @deletion_date = @key[:deletion_date]
+        @valid_to = @key[:valid_to]
+        @external = @key[:origin] == "EXTERNAL"
+        @has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES"
+        @managed_by_aws = @key[:key_manager] == "AWS"
+
+        resp = backend.get_key_rotation_status(query)
+        @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty?
+      rescue Aws::KMS::Errors::NotFoundException
+        @exists = false
+        return
+      end
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::KMS::Client
+
+      def describe_key(query)
+        aws_service_client.describe_key(query)
+      end
+
+      def get_key_rotation_status(query)
+        aws_service_client.get_key_rotation_status(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_kms_keys.rb

@@ -0,0 +1,58 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-kms"
+
+class AwsKmsKeys < Inspec.resource(1)
+  name "aws_kms_keys"
+  desc "Verifies settings for AWS KMS Keys in bulk"
+  example <<~EXAMPLE
+    describe aws_kms_keys do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_kms_keys does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:key_arns, field: :key_arn)
+    .register_column(:key_ids, field: :key_id)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "KMS Keys"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = { limit: 1000 }
+    loop do
+      api_result = backend.list_keys(pagination_opts)
+      @table += api_result.keys.map(&:to_h)
+      break unless api_result.truncated
+
+      pagination_opts = { marker: api_result.next_marker }
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::KMS::Client
+
+      def list_keys(query = {})
+        aws_service_client.list_keys(query)
+      end
+    end
+  end
+end