inspec 4.22.1

data/lib/resources/aws/aws_rds_instance.rb

@@ -0,0 +1,74 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-rds"
+
+class AwsRdsInstance < Inspec.resource(1)
+  name "aws_rds_instance"
+  desc "Verifies settings for an rds instance"
+  example <<~EXAMPLE
+    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :db_instance_identifier
+
+  def to_s
+    "RDS Instance #{@db_instance_identifier}"
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:db_instance_identifier],
+      allowed_scalar_name: :db_instance_identifier,
+      allowed_scalar_type: String
+    )
+    if validated_params.empty? || !validated_params.key?(:db_instance_identifier)
+      raise ArgumentError, "You must provide an id for the aws_rds_instance."
+    end
+
+    if validated_params.key?(:db_instance_identifier) && validated_params[:db_instance_identifier] !~ /^[a-z]{1}[0-9a-z\-]{0,62}$/
+      raise ArgumentError, "aws_rds_instance Database Instance ID must be in the format: start with a letter followed by up to 62 letters/numbers/hyphens."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    dsg_response = nil
+    catch_aws_errors do
+      begin
+        dsg_response = backend.describe_db_instances(db_instance_identifier: db_instance_identifier)
+        @exists = true
+      rescue Aws::RDS::Errors::DBInstanceNotFound
+        @exists = false
+        return
+      end
+    end
+
+    if dsg_response.db_instances.empty?
+      @exists = false
+      return
+    end
+
+    @db_instance_identifier = dsg_response.db_instances[0].db_instance_identifier
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::RDS::Client
+
+      def describe_db_instances(query)
+        aws_service_client.describe_db_instances(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_route_table.rb

@@ -0,0 +1,67 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsRouteTable < Inspec.resource(1)
+  name "aws_route_table"
+  desc "Verifies settings for an AWS Route Table"
+  example <<~EXAMPLE
+    describe aws_route_table do
+      its('route_table_id') { should cmp 'rtb-05462d2278326a79c' }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+
+  def to_s
+    "Route Table #{@route_table_id}"
+  end
+
+  attr_reader :route_table_id, :vpc_id
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:route_table_id],
+      allowed_scalar_name: :route_table_id,
+      allowed_scalar_type: String
+    )
+
+    if validated_params.key?(:route_table_id) &&
+        validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
+      raise ArgumentError,
+            "aws_route_table Route Table ID must be in the" \
+            ' format "rtb-" followed by 8 or 17 hexadecimal characters.'
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    if @route_table_id.nil?
+      args = nil
+    else
+      args = { filters: [{ name: "route-table-id", values: [@route_table_id] }] }
+    end
+
+    resp = backend.describe_route_tables(args)
+    routetable = resp.to_h[:route_tables]
+    @exists = !routetable.empty?
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_route_tables(query)
+        aws_service_client.describe_route_tables(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_route_tables.rb

@@ -0,0 +1,64 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
+class AwsRouteTables < Inspec.resource(1)
+  name "aws_route_tables"
+  desc "Verifies settings for AWS Route Tables in bulk"
+  example <<~EXAMPLE
+    describe aws_route_tables do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:vpc_ids, field: :vpc_id)
+    .register_column(:route_table_ids, field: :route_table_id)
+  filter.install_filter_methods_on_resource(self, :routes_data)
+
+  def routes_data
+    @table
+  end
+
+  def to_s
+    "Route Tables"
+  end
+
+  private
+
+  def validate_params(raw_criteria)
+    unless raw_criteria.is_a? Hash
+      raise "Unrecognized criteria for fetching Route Tables. " \
+            "Use 'criteria: value' format."
+    end
+
+    # No criteria yet
+    unless raw_criteria.empty?
+      raise ArgumentError, "aws_route_tables does not currently accept resource parameters."
+    end
+
+    raw_criteria
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      @table = backend.describe_route_tables({}).to_h[:route_tables]
+    end
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::EC2::Client
+
+      def describe_route_tables(query = {})
+        aws_service_client.describe_route_tables(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_s3_bucket.rb

@@ -0,0 +1,142 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
+class AwsS3Bucket < Inspec.resource(1)
+  name "aws_s3_bucket"
+  desc "Verifies settings for a s3 bucket"
+  example <<~EXAMPLE
+    describe aws_s3_bucket(bucket_name: 'test_bucket') do
+      it { should exist }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :bucket_name, :has_default_encryption_enabled, :has_access_logging_enabled, :region
+
+  def to_s
+    "S3 Bucket #{@bucket_name}"
+  end
+
+  def bucket_acl
+    catch_aws_errors do
+      @bucket_acl ||= BackendFactory.create(inspec_runner).get_bucket_acl(bucket: bucket_name).grants
+    end
+  end
+
+  def bucket_policy
+    @bucket_policy ||= fetch_bucket_policy
+  end
+
+  # RSpec will alias this to be_public
+  def public?
+    # first line just for formatting
+    false || \
+      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
+      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ } || \
+      bucket_policy.any? { |s| s.effect == "Allow" && s.principal == "*" }
+  end
+
+  def has_default_encryption_enabled?
+    return false unless @exists
+
+    @has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
+  end
+
+  def has_access_logging_enabled?
+    return false unless @exists
+
+    catch_aws_errors do
+      @has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
+    end
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: [:bucket_name],
+      allowed_scalar_name: :bucket_name,
+      allowed_scalar_type: String
+    )
+    if validated_params.empty? || !validated_params.key?(:bucket_name)
+      raise ArgumentError, "You must provide a bucket_name to aws_s3_bucket."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+
+    # Since there is no basic "get_bucket" API call, use the
+    # region fetch as the existence check.
+    begin
+      @region = backend.get_bucket_location(bucket: bucket_name).location_constraint
+    rescue Aws::S3::Errors::NoSuchBucket
+      @exists = false
+      return
+    end
+    @exists = true
+  end
+
+  def fetch_bucket_policy
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      begin
+        # AWS SDK returns a StringIO, we have to read()
+        raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy
+        return JSON.parse(raw_policy.read)["Statement"].map do |statement|
+          lowercase_hash = {}
+          statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] }
+          @bucket_policy = OpenStruct.new(lowercase_hash)
+        end
+      rescue Aws::S3::Errors::NoSuchBucketPolicy
+        @bucket_policy = []
+      end
+    end
+  end
+
+  def fetch_bucket_encryption_configuration
+    @has_default_encryption_enabled ||= catch_aws_errors do
+      begin
+        !BackendFactory.create(inspec_runner)
+          .get_bucket_encryption(bucket: bucket_name)
+          .server_side_encryption_configuration
+          .nil?
+      rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+        false
+      end
+    end
+  end
+
+  # Uses the SDK API to really talk to AWS
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::S3::Client
+
+      def get_bucket_acl(query)
+        aws_service_client.get_bucket_acl(query)
+      end
+
+      def get_bucket_location(query)
+        aws_service_client.get_bucket_location(query)
+      end
+
+      def get_bucket_policy(query)
+        aws_service_client.get_bucket_policy(query)
+      end
+
+      def get_bucket_logging(query)
+        aws_service_client.get_bucket_logging(query)
+      end
+
+      def get_bucket_encryption(query)
+        aws_service_client.get_bucket_encryption(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_s3_bucket_object.rb

@@ -0,0 +1,87 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
+class AwsS3BucketObject < Inspec.resource(1)
+  name "aws_s3_bucket_object"
+  desc "Verifies settings for a s3 bucket object"
+  example <<~EXAMPLE
+    describe aws_s3_bucket_object(bucket_name: 'bucket_name', key: 'file_name') do
+      it { should exist }
+      it { should_not be_public }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsSingularResourceMixin
+  attr_reader :bucket_name, :key
+
+  def to_s
+    # keep the format that aws uses.
+    "s3://#{@bucket_name}/#{@key}"
+  end
+
+  def object_acl
+    return @object_acl if defined? @object_acl
+
+    catch_aws_errors do
+      @object_acl = BackendFactory.create(inspec_runner).get_object_acl(bucket: bucket_name, key: key).grants
+    end
+    @object_acl
+  end
+
+  # RSpec will alias this to be_public
+  def public?
+    # first line just for formatting
+    false || \
+      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
+      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ }
+  end
+
+  private
+
+  def validate_params(raw_params)
+    validated_params = check_resource_param_names(
+      raw_params: raw_params,
+      allowed_params: %i{bucket_name key id}
+    )
+    if validated_params.empty? || !validated_params.key?(:bucket_name) || !validated_params.key?(:key)
+      raise ArgumentError, "You must provide a bucket_name and key to aws_s3_bucket_object."
+    end
+
+    validated_params
+  end
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    catch_aws_errors do
+      begin
+        # Just use get_object to detect if the bucket exists
+        backend.get_object(bucket: bucket_name, key: key)
+      rescue Aws::S3::Errors::NoSuchBucket
+        @exists = false
+        return
+      rescue Aws::S3::Errors::NoSuchKey
+        @exists = false
+        return
+      end
+    end
+    @exists = true
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend(self)
+      self.aws_client_class = Aws::S3::Client
+
+      # Used to detect if object exists
+      def get_object(query)
+        aws_service_client.get_object(query)
+      end
+
+      def get_object_acl(query)
+        aws_service_client.get_object_acl(query)
+      end
+    end
+  end
+end

data/lib/resources/aws/aws_s3_buckets.rb

@@ -0,0 +1,52 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
+class AwsS3Buckets < Inspec.resource(1)
+  name "aws_s3_buckets"
+  desc "Verifies settings for AWS S3 Buckets in bulk"
+  example <<~EXAMPLE
+    describe aws_s3_bucket do
+      its('bucket_names') { should eq ['my_bucket'] }
+    end
+  EXAMPLE
+  supports platform: "aws"
+
+  include AwsPluralResourceMixin
+
+  # Underlying FilterTable implementation.
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:bucket_names, field: :name)
+  filter.install_filter_methods_on_resource(self, :table)
+
+  def to_s
+    "S3 Buckets"
+  end
+
+  def validate_params(resource_params)
+    unless resource_params.empty?
+      raise ArgumentError, "aws_s3_buckets does not accept resource parameters."
+    end
+
+    resource_params
+  end
+
+  private
+
+  def fetch_from_api
+    backend = BackendFactory.create(inspec_runner)
+    @table = backend.list_buckets.buckets.map(&:to_h)
+  end
+
+  class Backend
+    class AwsClientApi < AwsBackendBase
+      BackendFactory.set_default_backend self
+      self.aws_client_class = Aws::S3::Client
+
+      def list_buckets
+        aws_service_client.list_buckets
+      end
+    end
+  end
+end