inspec 4.3.2 → 4.6.3

data/lib/resources/aws/aws_iam_group.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamGroup < Inspec.resource(1)
-  name 'aws_iam_group'
-  desc 'Verifies settings for AWS IAM Group'
+  name "aws_iam_group"
+  desc "Verifies settings for AWS IAM Group"
   example <<~EXAMPLE
     describe aws_iam_group('mygroup') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :group_name, :users
@@ -22,11 +26,11 @@ class AwsIamGroup < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:group_name],
       allowed_scalar_name: :group_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a group_name to aws_iam_group.'
+      raise ArgumentError, "You must provide a group_name to aws_iam_group."
     end
 
     validated_params

data/lib/resources/aws/aws_iam_groups.rb

@@ -1,18 +1,22 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamGroups < Inspec.resource(1)
-  name 'aws_iam_groups'
-  desc 'Verifies settings for AWS IAM groups in bulk'
+  name "aws_iam_groups"
+  desc "Verifies settings for AWS IAM groups in bulk"
   example <<~EXAMPLE
     describe aws_iam_groups do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
 
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_iam_groups does not accept resource parameters.'
+      raise ArgumentError, "aws_iam_groups does not accept resource parameters."
     end
     resource_params
   end
@@ -23,7 +27,7 @@ class AwsIamGroups < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'IAM Groups'
+    "IAM Groups"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_iam_password_policy.rb

@@ -1,7 +1,10 @@
-# author: Viktor Yakovlyev
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamPasswordPolicy < Inspec.resource(1)
-  name 'aws_iam_password_policy'
-  desc 'Verifies iam password policy'
+  name "aws_iam_password_policy"
+  desc "Verifies iam password policy"
 
   example <<~EXAMPLE
     describe aws_iam_password_policy do
@@ -12,7 +15,7 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
       its('requires_uppercase_characters?') { should be true }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
   def initialize(conn = nil)
@@ -41,7 +44,7 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
     # The AWS error here is unhelpful:
     # "unable to sign request without credentials set"
     Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
-    fail_resource('No AWS credentials available')
+    fail_resource("No AWS credentials available")
   rescue Aws::Errors::ServiceError => e
     fail_resource e.message
   end
@@ -59,7 +62,7 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
   end
 
   def to_s
-    'IAM Password-Policy'
+    "IAM Password-Policy"
   end
 
   def exists?
@@ -73,12 +76,12 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
   end
 
   def max_password_age_in_days
-    raise 'this policy does not expire passwords' unless expire_passwords?
+    raise "this policy does not expire passwords" unless expire_passwords?
     @policy.max_password_age
   end
 
   def number_of_passwords_to_remember
-    raise 'this policy does not prevent password reuse' \
+    raise "this policy does not prevent password reuse" \
       unless prevent_password_reuse?
     @policy.password_reuse_prevention
   end
@@ -92,13 +95,13 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
     :expire_passwords,
   ].each do |matcher_stem|
     # Create our predicates (for example, 'require_symbols?')
-    stem_with_question_mark = (matcher_stem.to_s + '?').to_sym
+    stem_with_question_mark = (matcher_stem.to_s + "?").to_sym
     define_method stem_with_question_mark do
       @policy.send(matcher_stem)
     end
     # RSpec will expose that as (for example) `be_require_symbols`.
     # To undo that, we have to make a matcher alias.
-    stem_with_be = ('be_' + matcher_stem.to_s).to_sym
+    stem_with_be = ("be_" + matcher_stem.to_s).to_sym
     RSpec::Matchers.alias_matcher matcher_stem, stem_with_be
   end
 

data/lib/resources/aws/aws_iam_policies.rb

@@ -1,17 +1,21 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamPolicies < Inspec.resource(1)
-  name 'aws_iam_policies'
-  desc 'Verifies settings for AWS IAM Policies in bulk'
+  name "aws_iam_policies"
+  desc "Verifies settings for AWS IAM Policies in bulk"
   example <<~EXAMPLE
     describe aws_iam_policies do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_iam_policies does not accept resource parameters.'
+      raise ArgumentError, "aws_iam_policies does not accept resource parameters."
     end
     resource_params
   end
@@ -24,7 +28,7 @@ class AwsIamPolicies < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'IAM Policies'
+    "IAM Policies"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_iam_policy.rb

@@ -1,16 +1,20 @@
-require 'json'
-require 'set'
-require 'uri'
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
+require "json"
+require "set"
+require "uri"
 
 class AwsIamPolicy < Inspec.resource(1)
-  name 'aws_iam_policy'
-  desc 'Verifies settings for individual AWS IAM Policy'
+  name "aws_iam_policy"
+  desc "Verifies settings for individual AWS IAM Policy"
   example <<~EXAMPLE
     describe aws_iam_policy('AWSSupportAccess') do
       it { should be_attached }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
 
@@ -37,7 +41,7 @@ class AwsIamPolicy < Inspec.resource(1)
   end
 
   def attached?
-    !attachment_count.zero?
+    attachment_count > 0
   end
 
   def attached_users
@@ -85,8 +89,8 @@ class AwsIamPolicy < Inspec.resource(1)
   def statement_count
     return nil unless exists?
     # Typically it is an array of statements
-    if policy['Statement'].is_a? Array
-      policy['Statement'].count
+    if policy["Statement"].is_a? Array
+      policy["Statement"].count
     else
       # But if there is one statement, it is permissable to degenerate the array,
       # and place the statement as a hash directly under the 'Statement' key
@@ -160,8 +164,8 @@ class AwsIamPolicy < Inspec.resource(1)
     # directly in policy['Statement'], rather than in an
     # Array within it.  See arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
     # Thus, coerce to Array.
-    policy['Statement'] = [policy['Statement']] if policy['Statement'].is_a? Hash
-    policy['Statement'].map do |statement|
+    policy["Statement"] = [policy["Statement"]] if policy["Statement"].is_a? Hash
+    policy["Statement"].map do |statement|
       # Coerce some values into arrays
       %w{Action Resource}.each do |field|
         if statement.key?(field)
@@ -226,7 +230,7 @@ class AwsIamPolicy < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:policy_name],
       allowed_scalar_name: :policy_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?

data/lib/resources/aws/aws_iam_role.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamRole < Inspec.resource(1)
-  name 'aws_iam_role'
-  desc 'Verifies settings for an IAM Role'
+  name "aws_iam_role"
+  desc "Verifies settings for an IAM Role"
   example <<~EXAMPLE
     describe aws_iam_role('my-role') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :description, :role_name
@@ -22,10 +26,10 @@ class AwsIamRole < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:role_name],
       allowed_scalar_name: :role_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a role_name to aws_iam_role.'
+      raise ArgumentError, "You must provide a role_name to aws_iam_role."
     end
     validated_params
   end

data/lib/resources/aws/aws_iam_root_user.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamRootUser < Inspec.resource(1)
-  name 'aws_iam_root_user'
-  desc 'Verifies settings for AWS root account'
+  name "aws_iam_root_user"
+  desc "Verifies settings for AWS root account"
   example <<~EXAMPLE
     describe aws_iam_root_user do
       it { should have_access_key }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
   def initialize(conn = nil)
@@ -21,7 +25,7 @@ class AwsIamRootUser < Inspec.resource(1)
     # The AWS error here is unhelpful:
     # "unable to sign request without credentials set"
     Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://www.inspec.io/docs/reference/platforms for details."
-    fail_resource('No AWS credentials available')
+    fail_resource("No AWS credentials available")
   rescue Aws::Errors::ServiceError => e
     fail_resource e.message
   end
@@ -39,11 +43,11 @@ class AwsIamRootUser < Inspec.resource(1)
   end
 
   def has_access_key?
-    summary_account['AccountAccessKeysPresent'] == 1
+    summary_account["AccountAccessKeysPresent"] == 1
   end
 
   def has_mfa_enabled?
-    summary_account['AccountMFAEnabled'] == 1
+    summary_account["AccountMFAEnabled"] == 1
   end
 
   # if the root account has a Virtual MFA device then it will have a special
@@ -51,7 +55,7 @@ class AwsIamRootUser < Inspec.resource(1)
   def has_virtual_mfa_enabled?
     mfa_device_pattern = %r{arn:aws:iam::\d{12}:mfa\/root-account-mfa-device}
 
-    virtual_mfa_devices.any? { |d| mfa_device_pattern =~ d['serial_number'] }
+    virtual_mfa_devices.any? { |d| mfa_device_pattern =~ d["serial_number"] }
   end
 
   def has_hardware_mfa_enabled?
@@ -59,7 +63,7 @@ class AwsIamRootUser < Inspec.resource(1)
   end
 
   def to_s
-    'AWS Root-User'
+    "AWS Root-User"
   end
 
   private

data/lib/resources/aws/aws_iam_user.rb

@@ -1,10 +1,10 @@
-# author: Alex Bedley
-# author: Steffanie Freeman
-# author: Simon Varlow
-# author: Chris Redekop
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamUser < Inspec.resource(1)
-  name 'aws_iam_user'
-  desc 'Verifies settings for AWS IAM user'
+  name "aws_iam_user"
+  desc "Verifies settings for AWS IAM user"
   example <<~EXAMPLE
     describe aws_iam_user(username: 'test_user') do
       it { should have_mfa_enabled }
@@ -13,7 +13,7 @@ class AwsIamUser < Inspec.resource(1)
       it { should_not have_attached_user_policies }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :access_keys, :attached_policy_names, :attached_policy_arns, \
@@ -22,7 +22,7 @@ class AwsIamUser < Inspec.resource(1)
   alias has_console_password? has_console_password
 
   def name
-    Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_user `name` property is deprecated. Please use `username` instead')
+    Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_user `name` property is deprecated. Please use `username` instead")
     username
   end
 
@@ -47,22 +47,22 @@ class AwsIamUser < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:username, :aws_user_struct, :name, :user],
       allowed_scalar_name: :username,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
     # If someone passed :name, rename it to :username
     if validated_params.key?(:name)
-      Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_users `name` property is deprecated. Please use `username` instead')
+      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `name` property is deprecated. Please use `username` instead")
       validated_params[:username] = validated_params.delete(:name)
     end
 
     # If someone passed :user, rename it to :aws_user_struct
     if validated_params.key?(:user)
-      Inspec.deprecate(:properties_aws_iam_user, 'The aws_iam_users `user` property is deprecated. Please use `aws_user_struct` instead')
+      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `user` property is deprecated. Please use `aws_user_struct` instead")
       validated_params[:aws_user_struct] = validated_params.delete(:user)
     end
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a username to aws_iam_user.'
+      raise ArgumentError, "You must provide a username to aws_iam_user."
     end
     validated_params
   end

data/lib/resources/aws/aws_iam_users.rb

@@ -1,10 +1,10 @@
-# author: Alex Bedley
-# author: Steffanie Freeman
-# author: Simon Varlow
-# author: Chris Redekop
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-iam"
+
 class AwsIamUsers < Inspec.resource(1)
-  name 'aws_iam_users'
-  desc 'Verifies settings for AWS IAM users'
+  name "aws_iam_users"
+  desc "Verifies settings for AWS IAM users"
   example <<~EXAMPLE
     describe aws_iam_users.where(has_mfa_enabled?: false) do
       it { should_not exist }
@@ -19,7 +19,7 @@ class AwsIamUsers < Inspec.resource(1)
       it { should_not exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
 
@@ -90,7 +90,7 @@ class AwsIamUsers < Inspec.resource(1)
   def validate_params(raw_params)
     # No params yet
     unless raw_params.empty?
-      raise ArgumentError, 'aws_iam_users does not accept resource parameters'
+      raise ArgumentError, "aws_iam_users does not accept resource parameters"
     end
     raw_params
   end
@@ -116,14 +116,14 @@ class AwsIamUsers < Inspec.resource(1)
       user[:password_ever_used?] = !password_last_used.nil?
       user[:password_never_used?] = password_last_used.nil?
       if user[:password_ever_used?]
-        user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24*60*60)).to_i
+        user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24 * 60 * 60)).to_i
       end
     end
     @table
   end
 
   def to_s
-    'IAM Users'
+    "IAM Users"
   end
 
   #===========================================================================#

data/lib/resources/aws/aws_kms_key.rb

@@ -1,13 +1,17 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-kms"
+
 class AwsKmsKey < Inspec.resource(1)
-  name 'aws_kms_key'
-  desc 'Verifies settings for an individual AWS KMS Key'
+  name "aws_kms_key"
+  desc "Verifies settings for an individual AWS KMS Key"
   example <<~EXAMPLE
     describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
       it { should exist }
     end
   EXAMPLE
 
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
@@ -27,7 +31,7 @@ class AwsKmsKey < Inspec.resource(1)
   end
 
   def created_days_ago
-    ((Time.now - creation_date)/(24*60*60)).to_i unless creation_date.nil?
+    ((Time.now - creation_date) / (24 * 60 * 60)).to_i unless creation_date.nil?
   end
 
   private
@@ -37,7 +41,7 @@ class AwsKmsKey < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:key_id],
       allowed_scalar_name: :key_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
@@ -66,9 +70,9 @@ class AwsKmsKey < Inspec.resource(1)
         @key_state = @key[:key_state]
         @deletion_date = @key[:deletion_date]
         @valid_to = @key[:valid_to]
-        @external = @key[:origin] == 'EXTERNAL'
-        @has_key_expiration = @key[:expiration_model] == 'KEY_MATERIAL_EXPIRES'
-        @managed_by_aws = @key[:key_manager] == 'AWS'
+        @external = @key[:origin] == "EXTERNAL"
+        @has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES"
+        @managed_by_aws = @key[:key_manager] == "AWS"
 
         resp = backend.get_key_rotation_status(query)
         @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty?