inspec 4.3.2 → 4.6.3

data/lib/resources/aws/aws_kms_keys.rb

@@ -1,17 +1,21 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-kms"
+
 class AwsKmsKeys < Inspec.resource(1)
-  name 'aws_kms_keys'
-  desc 'Verifies settings for AWS KMS Keys in bulk'
+  name "aws_kms_keys"
+  desc "Verifies settings for AWS KMS Keys in bulk"
   example <<~EXAMPLE
     describe aws_kms_keys do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_kms_keys does not accept resource parameters.'
+      raise ArgumentError, "aws_kms_keys does not accept resource parameters."
     end
     resource_params
   end
@@ -24,7 +28,7 @@ class AwsKmsKeys < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'KMS Keys'
+    "KMS Keys"
   end
 
   def fetch_from_api

data/lib/resources/aws/aws_rds_instance.rb

@@ -1,13 +1,16 @@
-# author: Mohamed El-Sharkawi
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-rds"
+
 class AwsRdsInstance < Inspec.resource(1)
-  name 'aws_rds_instance'
-  desc 'Verifies settings for an rds instance'
+  name "aws_rds_instance"
+  desc "Verifies settings for an rds instance"
   example <<~EXAMPLE
     describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :db_instance_identifier
@@ -23,14 +26,14 @@ class AwsRdsInstance < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:db_instance_identifier],
       allowed_scalar_name: :db_instance_identifier,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
-    if validated_params.empty? or !validated_params.key?(:db_instance_identifier)
-      raise ArgumentError, 'You must provide an id for the aws_rds_instance.'
+    if validated_params.empty? || !validated_params.key?(:db_instance_identifier)
+      raise ArgumentError, "You must provide an id for the aws_rds_instance."
     end
 
     if validated_params.key?(:db_instance_identifier) && validated_params[:db_instance_identifier] !~ /^[a-z]{1}[0-9a-z\-]{0,62}$/
-      raise ArgumentError, 'aws_rds_instance Database Instance ID must be in the format: start with a letter followed by up to 62 letters/numbers/hyphens.'
+      raise ArgumentError, "aws_rds_instance Database Instance ID must be in the format: start with a letter followed by up to 62 letters/numbers/hyphens."
     end
 
     validated_params

data/lib/resources/aws/aws_route_table.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsRouteTable < Inspec.resource(1)
-  name 'aws_route_table'
-  desc 'Verifies settings for an AWS Route Table'
+  name "aws_route_table"
+  desc "Verifies settings for an AWS Route Table"
   example <<~EXAMPLE
     describe aws_route_table do
       its('route_table_id') { should cmp 'rtb-05462d2278326a79c' }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
 
@@ -23,13 +27,13 @@ class AwsRouteTable < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:route_table_id],
       allowed_scalar_name: :route_table_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.key?(:route_table_id) &&
-       validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
+        validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
       raise ArgumentError,
-            'aws_route_table Route Table ID must be in the' \
+            "aws_route_table Route Table ID must be in the" \
             ' format "rtb-" followed by 8 or 17 hexadecimal characters.'
     end
 
@@ -42,7 +46,7 @@ class AwsRouteTable < Inspec.resource(1)
     if @route_table_id.nil?
       args = nil
     else
-      args = { filters: [{ name: 'route-table-id', values: [@route_table_id] }] }
+      args = { filters: [{ name: "route-table-id", values: [@route_table_id] }] }
     end
 
     resp = backend.describe_route_tables(args)

data/lib/resources/aws/aws_route_tables.rb

@@ -1,12 +1,16 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsRouteTables < Inspec.resource(1)
-  name 'aws_route_tables'
-  desc 'Verifies settings for AWS Route Tables in bulk'
+  name "aws_route_tables"
+  desc "Verifies settings for AWS Route Tables in bulk"
   example <<~EXAMPLE
     describe aws_route_tables do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
   # Underlying FilterTable implementation.
@@ -21,20 +25,20 @@ class AwsRouteTables < Inspec.resource(1)
   end
 
   def to_s
-    'Route Tables'
+    "Route Tables"
   end
 
   private
 
   def validate_params(raw_criteria)
     unless raw_criteria.is_a? Hash
-      raise 'Unrecognized criteria for fetching Route Tables. ' \
+      raise "Unrecognized criteria for fetching Route Tables. " \
             "Use 'criteria: value' format."
     end
 
     # No criteria yet
     unless raw_criteria.empty?
-      raise ArgumentError, 'aws_route_tables does not currently accept resource parameters.'
+      raise ArgumentError, "aws_route_tables does not currently accept resource parameters."
     end
     raw_criteria
   end

data/lib/resources/aws/aws_s3_bucket.rb

@@ -1,13 +1,16 @@
-# author: Matthew Dromazos
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
 class AwsS3Bucket < Inspec.resource(1)
-  name 'aws_s3_bucket'
-  desc 'Verifies settings for a s3 bucket'
+  name "aws_s3_bucket"
+  desc "Verifies settings for a s3 bucket"
   example <<~EXAMPLE
     describe aws_s3_bucket(bucket_name: 'test_bucket') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :bucket_name, :has_default_encryption_enabled, :has_access_logging_enabled, :region
@@ -30,9 +33,9 @@ class AwsS3Bucket < Inspec.resource(1)
   def public?
     # first line just for formatting
     false || \
-      bucket_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/ } || \
-      bucket_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/ } || \
-      bucket_policy.any? { |s| s.effect == 'Allow' && s.principal == '*' }
+      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
+      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ } || \
+      bucket_policy.any? { |s| s.effect == "Allow" && s.principal == "*" }
   end
 
   def has_default_encryption_enabled?
@@ -54,10 +57,10 @@ class AwsS3Bucket < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:bucket_name],
       allowed_scalar_name: :bucket_name,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
-    if validated_params.empty? or !validated_params.key?(:bucket_name)
-      raise ArgumentError, 'You must provide a bucket_name to aws_s3_bucket.'
+    if validated_params.empty? || !validated_params.key?(:bucket_name)
+      raise ArgumentError, "You must provide a bucket_name to aws_s3_bucket."
     end
 
     validated_params
@@ -83,7 +86,7 @@ class AwsS3Bucket < Inspec.resource(1)
       begin
         # AWS SDK returns a StringIO, we have to read()
         raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy
-        return JSON.parse(raw_policy.read)['Statement'].map do |statement|
+        return JSON.parse(raw_policy.read)["Statement"].map do |statement|
           lowercase_hash = {}
           statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] }
           @bucket_policy = OpenStruct.new(lowercase_hash)

data/lib/resources/aws/aws_s3_bucket_object.rb

@@ -1,14 +1,17 @@
-# author: Matthew Dromazos
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
 class AwsS3BucketObject < Inspec.resource(1)
-  name 'aws_s3_bucket_object'
-  desc 'Verifies settings for a s3 bucket object'
+  name "aws_s3_bucket_object"
+  desc "Verifies settings for a s3 bucket object"
   example <<~EXAMPLE
     describe aws_s3_bucket_object(bucket_name: 'bucket_name', key: 'file_name') do
       it { should exist }
       it { should_not be_public }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :bucket_name, :key
@@ -30,8 +33,8 @@ class AwsS3BucketObject < Inspec.resource(1)
   def public?
     # first line just for formatting
     false || \
-      object_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/ } || \
-      object_acl.any? { |g| g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/ }
+      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
+      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ }
   end
 
   private
@@ -39,10 +42,10 @@ class AwsS3BucketObject < Inspec.resource(1)
   def validate_params(raw_params)
     validated_params = check_resource_param_names(
       raw_params: raw_params,
-      allowed_params: [:bucket_name, :key, :id],
+      allowed_params: [:bucket_name, :key, :id]
     )
-    if validated_params.empty? or !validated_params.key?(:bucket_name) or !validated_params.key?(:key)
-      raise ArgumentError, 'You must provide a bucket_name and key to aws_s3_bucket_object.'
+    if validated_params.empty? || !validated_params.key?(:bucket_name) || !validated_params.key?(:key)
+      raise ArgumentError, "You must provide a bucket_name and key to aws_s3_bucket_object."
     end
     validated_params
   end

data/lib/resources/aws/aws_s3_buckets.rb

@@ -1,14 +1,16 @@
-# author: Matthew Dromazos
-# author: Sam Cornwell
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-s3"
+
 class AwsS3Buckets < Inspec.resource(1)
-  name 'aws_s3_buckets'
-  desc 'Verifies settings for AWS S3 Buckets in bulk'
+  name "aws_s3_buckets"
+  desc "Verifies settings for AWS S3 Buckets in bulk"
   example <<~EXAMPLE
     describe aws_s3_bucket do
       its('bucket_names') { should eq ['my_bucket'] }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
 
@@ -19,12 +21,12 @@ class AwsS3Buckets < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'S3 Buckets'
+    "S3 Buckets"
   end
 
   def validate_params(resource_params)
     unless resource_params.empty?
-      raise ArgumentError, 'aws_s3_buckets does not accept resource parameters.'
+      raise ArgumentError, "aws_s3_buckets does not accept resource parameters."
     end
     resource_params
   end

data/lib/resources/aws/aws_security_group.rb

@@ -1,15 +1,19 @@
-require 'set'
-require 'ipaddr'
+require "set"
+require "ipaddr"
+
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
 
 class AwsSecurityGroup < Inspec.resource(1)
-  name 'aws_security_group'
-  desc 'Verifies settings for an individual AWS Security Group.'
+  name "aws_security_group"
+  desc "Verifies settings for an individual AWS Security Group."
   example <<~EXAMPLE
     describe aws_security_group('sg-12345678') do
       it { should exist }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :description, :group_id, :group_name, :vpc_id, :inbound_rules, :outbound_rules, :inbound_rules_count, :outbound_rules_count
@@ -47,7 +51,7 @@ class AwsSecurityGroup < Inspec.resource(1)
     return false unless rules.count == 1 || criteria.key?(:position)
     if criteria.key?(:security_group)
       if criteria.key?(:position)
-        pos = criteria[:position] -1
+        pos = criteria[:position] - 1
       else
         pos = 0
       end
@@ -119,7 +123,7 @@ class AwsSecurityGroup < Inspec.resource(1)
     end
 
     unless idx < rules.count
-      raise ArgumentError, "aws_security_group 'allow' 'position' criteria #{idx+1} is out of range - there are only #{rules.count} rules for security group #{group_id}."
+      raise ArgumentError, "aws_security_group 'allow' 'position' criteria #{idx + 1} is out of range - there are only #{rules.count} rules for security group #{group_id}."
     end
 
     [rules[idx]]
@@ -157,7 +161,7 @@ class AwsSecurityGroup < Inspec.resource(1)
     return true unless criteria.key?(:protocol)
     prot = criteria[:protocol]
     # We provide a "fluency alias" for -1 (any).
-    prot = '-1' if prot == 'any'
+    prot = "-1" if prot == "any"
 
     rule[:ip_protocol] == prot
   end
@@ -210,7 +214,7 @@ class AwsSecurityGroup < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:id, :group_id, :group_name, :vpc_id],
       allowed_scalar_name: :group_id,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     # id is an alias for group_id
@@ -227,7 +231,7 @@ class AwsSecurityGroup < Inspec.resource(1)
     validated_params = recognized_params
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group.'
+      raise ArgumentError, "You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group."
     end
     validated_params
   end
@@ -261,9 +265,9 @@ class AwsSecurityGroup < Inspec.resource(1)
       next if val.nil?
       filters.push(
         {
-          name: criterion_name.to_s.tr('_', '-'),
+          name: criterion_name.to_s.tr("_", "-"),
           values: [val],
-        },
+        }
       )
     end
     dsg_response = backend.describe_security_groups(filters: filters)

data/lib/resources/aws/aws_security_groups.rb

@@ -1,6 +1,10 @@
+require "resource_support/aws/aws_plural_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-ec2"
+
 class AwsSecurityGroups < Inspec.resource(1)
-  name 'aws_security_groups'
-  desc 'Verifies settings for AWS Security Groups in bulk'
+  name "aws_security_groups"
+  desc "Verifies settings for AWS Security Groups in bulk"
   example <<~EXAMPLE
     # Verify that you have security groups defined
     describe aws_security_groups do
@@ -12,7 +16,7 @@ class AwsSecurityGroups < Inspec.resource(1)
       its('entries.count') { should be > 1 }
     end
   EXAMPLE
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsPluralResourceMixin
 
@@ -23,20 +27,20 @@ class AwsSecurityGroups < Inspec.resource(1)
   filter.install_filter_methods_on_resource(self, :table)
 
   def to_s
-    'EC2 Security Groups'
+    "EC2 Security Groups"
   end
 
   private
 
   def validate_params(raw_criteria)
     unless raw_criteria.is_a? Hash
-      raise 'Unrecognized criteria for fetching Security Groups. ' \
+      raise "Unrecognized criteria for fetching Security Groups. " \
             "Use 'criteria: value' format."
     end
 
     # No criteria yet
     unless raw_criteria.empty?
-      raise ArgumentError, 'aws_ec2_security_groups does not currently accept resource parameters.'
+      raise ArgumentError, "aws_ec2_security_groups does not currently accept resource parameters."
     end
     raw_criteria
   end
@@ -47,8 +51,8 @@ class AwsSecurityGroups < Inspec.resource(1)
     backend.describe_security_groups({}).security_groups.each do |sg_info|
       @table.push({
                     group_id: sg_info.group_id,
-        group_name: sg_info.group_name,
-        vpc_id: sg_info.vpc_id,
+                    group_name: sg_info.group_name,
+                    vpc_id: sg_info.vpc_id,
                   })
     end
   end

data/lib/resources/aws/aws_sns_subscription.rb

@@ -1,6 +1,10 @@
+require "resource_support/aws/aws_singular_resource_mixin"
+require "resource_support/aws/aws_backend_base"
+require "aws-sdk-sns"
+
 class AwsSnsSubscription < Inspec.resource(1)
-  name 'aws_sns_subscription'
-  desc 'Verifies settings for an SNS Subscription'
+  name "aws_sns_subscription"
+  desc "Verifies settings for an SNS Subscription"
   example <<~EXAMPLE
     describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
       it { should_not have_raw_message_delivery }
@@ -12,7 +16,7 @@ class AwsSnsSubscription < Inspec.resource(1)
     end
   EXAMPLE
 
-  supports platform: 'aws'
+  supports platform: "aws"
 
   include AwsSingularResourceMixin
   attr_reader :arn, :owner, :raw_message_delivery, :topic_arn, :endpoint, :protocol,
@@ -36,11 +40,11 @@ class AwsSnsSubscription < Inspec.resource(1)
       raw_params: raw_params,
       allowed_params: [:subscription_arn],
       allowed_scalar_name: :subscription_arn,
-      allowed_scalar_type: String,
+      allowed_scalar_type: String
     )
 
     if validated_params.empty?
-      raise ArgumentError, 'You must provide a subscription_arn to aws_sns_subscription.'
+      raise ArgumentError, "You must provide a subscription_arn to aws_sns_subscription."
     end
 
     validated_params
@@ -52,12 +56,12 @@ class AwsSnsSubscription < Inspec.resource(1)
       begin
         aws_response = backend.get_subscription_attributes(subscription_arn: @subscription_arn).attributes
         @exists = true
-        @owner = aws_response['Owner']
-        @raw_message_delivery = aws_response['RawMessageDelivery'].eql?('true')
-        @topic_arn = aws_response['TopicArn']
-        @endpoint = aws_response['Endpoint']
-        @protocol = aws_response['Protocol']
-        @confirmation_was_authenticated = aws_response['ConfirmationWasAuthenticated'].eql?('true')
+        @owner = aws_response["Owner"]
+        @raw_message_delivery = aws_response["RawMessageDelivery"].eql?("true")
+        @topic_arn = aws_response["TopicArn"]
+        @endpoint = aws_response["Endpoint"]
+        @protocol = aws_response["Protocol"]
+        @confirmation_was_authenticated = aws_response["ConfirmationWasAuthenticated"].eql?("true")
       rescue Aws::SNS::Errors::NotFound
         @exists = false
         return