inspec 4.22.1

data/lib/resources/aws/aws_iam_policies.rb

@@ -0,0 +1,57 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamPolicies < Inspec.resource(1)
+  name "aws_iam_policies"
+  desc "Verifies settings for AWS IAM Policies in bulk"
+  example <<~EXAMPLE
+    describe aws_iam_policies do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_iam_policies does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:policy_names, field: :policy_name)
+    .register_column(:arns, field: :arn)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "IAM Policies"
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = []
+    pagination_opts = {}
+    loop do
+      api_result = backend.list_policies(pagination_opts)
+      @table += api_result.policies.map(&:to_h)
+      pagination_opts = { marker: api_result.marker }
+      break unless api_result.is_truncated
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def list_policies(query)
+        aws_service_client.list_policies(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_policy.rb

@@ -0,0 +1,311 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+require "json"
+require "set"
+require "uri"
+
+class AwsIamPolicy < Inspec.resource(1)
+  name "aws_iam_policy"
+  desc "Verifies settings for individual AWS IAM Policy"
+  example <<~EXAMPLE
+    describe aws_iam_policy('AWSSupportAccess') do
+      it { should be_attached }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+
+  attr_reader :arn, :attachment_count, :default_version_id
+
+  # Note that we also accept downcases and symbol versions of these
+  EXPECTED_CRITERIA = %w{
+    Action
+    Effect
+    Resource
+    Sid
+  }.freeze
+
+  UNIMPLEMENTED_CRITERIA = %w{
+    Conditional
+    NotAction
+    NotPrincipal
+    NotResource
+    Principal
+  }.freeze
+
+  def to_s
+    "Policy #{@policy_name}"
+  end
+
+  def attached?
+    attachment_count > 0
+  end
+
+  def attached_users
+    return @attached_users if defined? @attached_users
+
+    fetch_attached_entities
+    @attached_users
+  end
+
+  def attached_groups
+    return @attached_groups if defined? @attached_groups
+
+    fetch_attached_entities
+    @attached_groups
+  end
+
+  def attached_roles
+    return @attached_roles if defined? @attached_roles
+
+    fetch_attached_entities
+    @attached_roles
+  end
+
+  def attached_to_user?(user_name)
+    attached_users.include?(user_name)
+  end
+
+  def attached_to_group?(group_name)
+    attached_groups.include?(group_name)
+  end
+
+  def attached_to_role?(role_name)
+    attached_roles.include?(role_name)
+  end
+
+  def policy
+    return nil unless exists?
+    return @policy if defined?(@policy)
+
+    catch_aws_errors do
+      backend = BackendFactory.create(inspec_runner)
+      gpv_response = backend.get_policy_version(policy_arn: arn, version_id: default_version_id)
+      @policy = JSON.parse(URI.decode_www_form_component(gpv_response.policy_version.document))
+    end
+    @policy
+  end
+
+  def statement_count
+    return nil unless exists?
+
+    # Typically it is an array of statements
+    if policy["Statement"].is_a? Array
+      policy["Statement"].count
+    else
+      # But if there is one statement, it is permissable to degenerate the array,
+      # and place the statement as a hash directly under the 'Statement' key
+      return 1
+    end
+  end
+
+  def has_statement?(provided_criteria = {})
+    return nil unless exists?
+
+    raw_criteria = provided_criteria.dup # provided_criteria is used for output formatting - can't delete from it.
+    criteria = has_statement__validate_criteria(raw_criteria)
+    @normalized_statements ||= has_statement__normalize_statements
+    statements = has_statement__focus_on_sid(@normalized_statements, criteria)
+    statements.any? do |statement|
+      true && \
+        has_statement__effect(statement, criteria) && \
+        has_statement__array_criterion(:action, statement, criteria) && \
+        has_statement__array_criterion(:resource, statement, criteria)
+    end
+  end
+
+  private
+
+  def has_statement__validate_criteria(raw_criteria)
+    recognized_criteria = {}
+    EXPECTED_CRITERIA.each do |expected_criterion|
+      [
+        expected_criterion,
+        expected_criterion.downcase,
+        expected_criterion.to_sym,
+        expected_criterion.downcase.to_sym,
+      ].each do |variant|
+        if raw_criteria.key?(variant)
+          # Always store as downcased symbol
+          recognized_criteria[expected_criterion.downcase.to_sym] = raw_criteria.delete(variant)
+        end
+      end
+    end
+
+    # Special message for valid, but unimplemented statement attributes
+    UNIMPLEMENTED_CRITERIA.each do |unimplemented_criterion|
+      [
+        unimplemented_criterion,
+        unimplemented_criterion.downcase,
+        unimplemented_criterion.to_sym,
+        unimplemented_criterion.downcase.to_sym,
+      ].each do |variant|
+        if raw_criteria.key?(variant)
+          raise ArgumentError, "Criterion '#{unimplemented_criterion}' is not supported for performing have_statement queries."
+        end
+      end
+    end
+
+    # If anything is left, it's spurious
+    unless raw_criteria.empty?
+      raise ArgumentError, "Unrecognized criteria #{raw_criteria.keys.join(", ")} to have_statement.  Recognized criteria: #{EXPECTED_CRITERIA.join(", ")}"
+    end
+
+    # Effect has only 2 permitted values
+    if recognized_criteria.key?(:effect)
+      unless %w{Allow Deny}.include?(recognized_criteria[:effect])
+        raise ArgumentError, "Criterion 'Effect' for have_statement must be one of 'Allow' or 'Deny' - got '#{recognized_criteria[:effect]}'"
+      end
+    end
+
+    recognized_criteria
+  end
+
+  def has_statement__normalize_statements
+    # Some single-statement policies place their statement
+    # directly in policy['Statement'], rather than in an
+    # Array within it.  See arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
+    # Thus, coerce to Array.
+    policy["Statement"] = [policy["Statement"]] if policy["Statement"].is_a? Hash
+    policy["Statement"].map do |statement|
+      # Coerce some values into arrays
+      %w{Action Resource}.each do |field|
+        if statement.key?(field)
+          statement[field] = Array(statement[field])
+        end
+      end
+
+      # Symbolize all keys
+      statement.keys.each do |field|
+        statement[field.downcase.to_sym] = statement.delete(field)
+      end
+
+      statement
+    end
+  end
+
+  def has_statement__focus_on_sid(statements, criteria)
+    return statements unless criteria.key?(:sid)
+
+    sid_seek = criteria[:sid]
+    statements.select do |statement|
+      if sid_seek.is_a? Regexp
+        statement[:sid] =~ sid_seek
+      else
+        statement[:sid] == sid_seek
+      end
+    end
+  end
+
+  def has_statement__effect(statement, criteria)
+    !criteria.key?(:effect) || criteria[:effect] == statement[:effect]
+  end
+
+  def has_statement__array_criterion(crit_name, statement, criteria)
+    return true unless criteria.key?(crit_name)
+
+    check = criteria[crit_name]
+    # This is an array due to normalize_statements
+    # If it is nil, the statement does not have an entry for that dimension;
+    # but since we were asked to match on it (on nothing), we
+    # decide to never match
+    values = statement[crit_name]
+    return false if values.nil?
+
+    if check.is_a?(String)
+      # If check is a string, it only has to match one of the values
+      values.any? { |v| v == check }
+    elsif check.is_a?(Regexp)
+      # If check is a regex, it only has to match one of the values
+      values.any? { |v| v =~ check }
+    elsif check.is_a?(Array) && check.all? { |c| c.is_a? String }
+      # If check is an array of strings, perform setwise check
+      Set.new(values) == Set.new(check)
+    elsif check.is_a?(Array) && check.all? { |c| c.is_a? Regexp }
+      # If check is an array of regexes, all values must match all regexes
+      values.all? { |v| check.all? { |r| v =~ r } }
+    else
+      false
+    end
+  end
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:policy_name],
+      allowed_scalar_name: :policy_name,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.empty?
+      raise ArgumentError, "You must provide the parameter 'policy_name' to aws_iam_policy."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    policy = nil
+    pagination_opts = { max_items: 1000 }
+    loop do
+      api_result = backend.list_policies(pagination_opts)
+      policy = api_result.policies.detect do |p|
+        p.policy_name == @policy_name
+      end
+      break if policy # Found it!
+      break unless api_result.is_truncated # Not found and no more results
+
+      pagination_opts[:marker] = api_result.marker
+    end
+
+    @exists = !policy.nil?
+
+    return unless @exists
+
+    @arn = policy[:arn]
+    @default_version_id = policy[:default_version_id]
+    @attachment_count = policy[:attachment_count]
+  end
+
+  def fetch_attached_entities
+    unless @exists
+      @attached_groups = nil
+      @attached_users  = nil
+      @attached_roles  = nil
+      return
+    end
+    backend = AwsIamPolicy::BackendFactory.create(inspec_runner)
+    criteria = { policy_arn: arn }
+    resp = nil
+    catch_aws_errors do
+      resp = backend.list_entities_for_policy(criteria)
+    end
+    @attached_groups = resp.policy_groups.map(&:group_name)
+    @attached_users  = resp.policy_users.map(&:user_name)
+    @attached_roles  = resp.policy_roles.map(&:role_name)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+
+      def get_policy_version(criteria)
+        aws_service_client.get_policy_version(criteria)
+      end
+
+      def list_policies(criteria)
+        aws_service_client.list_policies(criteria)
+      end
+
+      def list_entities_for_policy(criteria)
+        aws_service_client.list_entities_for_policy(criteria)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_role.rb

@@ -0,0 +1,60 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamRole < Inspec.resource(1)
+  name "aws_iam_role"
+  desc "Verifies settings for an IAM Role"
+  example <<~EXAMPLE
+    describe aws_iam_role('my-role') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :description, :role_name
+
+  def to_s
+    "IAM Role #{role_name}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:role_name],
+      allowed_scalar_name: :role_name,
+      allowed_scalar_type: String
+    )
+    if validated_params.empty?
+      raise ArgumentError, "You must provide a role_name to aws_iam_role."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    role_info = nil
+    begin
+      role_info = BackendFactory.create(inspec_runner).get_role(role_name: role_name)
+    rescue Aws::IAM::Errors::NoSuchEntity
+      @exists = false
+      return
+    end
+    @exists = true
+    @description = role_info.role.description
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::IAM::Client
+      def get_role(query)
+        aws_service_client.get_role(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_iam_root_user.rb

@@ -0,0 +1,82 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+class AwsIamRootUser < Inspec.resource(1)
+  name "aws_iam_root_user"
+  desc "Verifies settings for AWS root account"
+  example <<~EXAMPLE
+    describe aws_iam_root_user do
+      it { should have_access_key }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
+  def initialize(conn = nil)
+    @client = conn ? conn.iam_client : inspec_runner.backend.aws_client(Aws::IAM::Client)
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_resource_mixin.rb
+  def catch_aws_errors
+    yield
+  rescue Aws::Errors::MissingCredentialsError
+    # The AWS error here is unhelpful:
+    # "unable to sign request without credentials set"
+    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
+    fail_resource("No AWS credentials available")
+  rescue Aws::Errors::ServiceError => e
+    fail_resource e.message
+  end
+
+  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
+  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
+  def inspec_runner
+    # When running under inspec-cli, we have an 'inspec' method that
+    # returns the runner. When running under unit tests, we don't
+    # have that, but we still have to call this to pass something
+    # (nil is OK) to the backend.
+    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
+    # TODO: remove after rewrite to include AwsSingularResource
+    inspec if respond_to?(:inspec)
+  end
+
+  def has_access_key?
+    summary_account["AccountAccessKeysPresent"] == 1
+  end
+
+  def has_mfa_enabled?
+    summary_account["AccountMFAEnabled"] == 1
+  end
+
+  # if the root account has a Virtual MFA device then it will have a special
+  # serial number ending in 'root-account-mfa-device'
+  def has_virtual_mfa_enabled?
+    mfa_device_pattern = %r{arn:aws:iam::\d{12}:mfa\/root-account-mfa-device}
+
+    virtual_mfa_devices.any? { |d| mfa_device_pattern =~ d["serial_number"] }
+  end
+
+  def has_hardware_mfa_enabled?
+    has_mfa_enabled? && !has_virtual_mfa_enabled?
+  end
+
+  def to_s
+    "AWS Root-User"
+  end
+
+  private
+
+  def summary_account
+    catch_aws_errors do
+      @summary_account ||= @client.get_account_summary.summary_map
+    end
+  end
+
+  def virtual_mfa_devices
+    catch_aws_errors do
+      @__virtual_devices ||= @client.list_virtual_mfa_devices.virtual_mfa_devices
+    end
+  end
+end