inspec 4.56.19 → 5.12.2

data/lib/resources/aws/aws_flow_log.rb

@@ -1,106 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsFlowLog < Inspec.resource(1)
-  name "aws_flow_log"
-  supports platform: "aws"
-  desc "This resource is used to test the attributes of a Flow Log."
-  example <<~EXAMPLE
-    describe aws_flow_log('fl-9c718cf5') do
-      it { should exist }
-    end
-  EXAMPLE
-
-  include AwsSingularResourceMixin
-
-  def to_s
-    "AWS Flow Log #{id}"
-  end
-
-  def resource_type
-    case @resource_id
-    when /^eni/
-      @resource_type = "eni"
-    when /^subnet/
-      @resource_type = "subnet"
-    when /^vpc/
-      @resource_type = "vpc"
-    end
-  end
-
-  def attached_to_eni?
-    resource_type.eql?("eni") ? true : false
-  end
-
-  def attached_to_subnet?
-    resource_type.eql?("subnet") ? true : false
-  end
-
-  def attached_to_vpc?
-    resource_type.eql?("vpc") ? true : false
-  end
-
-  attr_reader :log_group_name, :resource_id, :flow_log_id
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{flow_log_id subnet_id vpc_id},
-      allowed_scalar_name: :flow_log_id,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError,
-            "aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    resp = backend.describe_flow_logs(filter_args)
-    flow_log = resp.to_h[:flow_logs].first
-    @exists = !flow_log.nil?
-    unless flow_log.nil?
-      @log_group_name = flow_log[:log_group_name]
-      @resource_id = flow_log[:resource_id]
-      @flow_log_id = flow_log[:flow_log_id]
-    end
-  end
-
-  def filter_args
-    if @flow_log_id
-      { filter: [{ name: "flow-log-id", values: [@flow_log_id] }] }
-    elsif @subnet_id || @vpc_id
-      filter = @subnet_id || @vpc_id
-      { filter: [{ name: "resource-id", values: [filter] }] }
-    end
-  end
-
-  def id
-    return @flow_log_id if @flow_log_id
-    return @subnet_id if @subnet_id
-    return @vpc_id if @vpc_id
-  end
-
-  def backend
-    BackendFactory.create(inspec_runner)
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      AwsFlowLog::BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_flow_logs(query)
-        aws_service_client.describe_flow_logs(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_access_key.rb

@@ -1,112 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamAccessKey < Inspec.resource(1)
-  name "aws_iam_access_key"
-  desc "Verifies settings for an individual IAM access key"
-  example <<~EXAMPLE
-    describe aws_iam_access_key(username: 'username', id: 'access-key id') do
-      it { should exist }
-      it { should_not be_active }
-      its('create_date') { should be > Time.now - 365 * 86400 }
-      its('last_used_date') { should be > Time.now - 90 * 86400 }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :access_key_id, :create_date, :status, :username
-  alias id access_key_id
-
-  def validate_params(raw_params)
-    recognized_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{username id access_key_id},
-      allowed_scalar_name: :access_key_id,
-      allowed_scalar_type: String
-    )
-
-    # id and access_key_id are aliases; standardize on access_key_id
-    recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
-
-    # Validate format of access_key_id
-    if recognized_params[:access_key_id] &&
-        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
-      raise ArgumentError, "Incorrect format for Access Key ID - expected AKIA followed " \
-            "by 16 letters or numbers"
-    end
-
-    # One of username and access_key_id is required
-    if recognized_params[:username].nil? && recognized_params[:access_key_id].nil?
-      raise ArgumentError, "You must provide at lease one of access_key_id or username to aws_iam_access_key"
-    end
-
-    recognized_params
-  end
-
-  def active?
-    return nil unless exists?
-
-    status == "Active"
-  end
-
-  def to_s
-    "IAM Access-Key #{access_key_id}"
-  end
-
-  def last_used_date
-    return nil unless exists?
-    return @last_used_date if defined? @last_used_date
-
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-      @last_used_date = backend.get_access_key_last_used({ access_key_id: access_key_id }).access_key_last_used.last_used_date
-    end
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    query = {}
-    query[:user_name] = username if username
-
-    response = backend.list_access_keys(query)
-
-    access_keys = response.access_key_metadata.select do |key|
-      if access_key_id
-        key.access_key_id == access_key_id
-      else
-        true
-      end
-    end
-
-    if access_keys.empty?
-      @exists = false
-      return
-    end
-
-    if access_keys.count > 1
-      raise "More than one access key matched for aws_iam_access_key.  Use more specific parameters, such as access_key_id."
-    end
-
-    @exists = true
-    @access_key_id = access_keys[0].access_key_id
-    @username = access_keys[0].user_name
-    @create_date = access_keys[0].create_date
-    @status = access_keys[0].status
-    # Last used date is lazily loaded, separate API call
-  rescue Aws::IAM::Errors::NoSuchEntity
-    @exists = false
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def list_access_keys(query)
-        aws_service_client.list_access_keys(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_access_keys.rb

@@ -1,153 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamAccessKeys < Inspec.resource(1)
-  name "aws_iam_access_keys"
-  desc "Verifies settings for AWS IAM Access Keys in bulk"
-  example <<~EXAMPLE
-    describe aws_iam_access_keys do
-      it { should_not exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  def validate_params(raw_params)
-    recognized_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{username id access_key_id created_date},
-      allowed_scalar_name: :access_key_id,
-      allowed_scalar_type: String
-    )
-
-    # id and access_key_id are aliases; standardize on access_key_id
-    recognized_params[:access_key_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
-    if recognized_params[:access_key_id] &&
-        recognized_params[:access_key_id] !~ (/^AKIA[0-9A-Z]{16}$/)
-      raise "Incorrect format for Access Key ID - expected AKIA followed " \
-            "by 16 letters or numbers"
-    end
-
-    recognized_params
-  end
-
-  def fetch_from_api
-    # TODO: this interface should be normalized to match the AWS API
-    criteria = {}
-    criteria[:username] = @username if defined? @username
-    @table = BackendFactory.create(inspec_runner).fetch(criteria)
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:access_key_ids, field: :access_key_id)
-    .register_column(:created_date, field: :create_date)
-    .register_column(:created_days_ago, field: :created_days_ago)
-    .register_column(:created_with_user, field: :created_with_user)
-    .register_column(:created_hours_ago, field: :created_hours_ago)
-    .register_column(:usernames, field: :username)
-    .register_column(:active, field: :active)
-    .register_column(:inactive, field: :inactive)
-    .register_column(:last_used_date, field: :last_used_date)
-    .register_column(:last_used_hours_ago, field: :last_used_hours_ago)
-    .register_column(:last_used_days_ago,  field: :last_used_days_ago)
-    .register_column(:ever_used,           field: :ever_used)
-    .register_column(:never_used,          field: :never_used)
-    .register_column(:user_created_date,   field: :user_created_date)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "IAM Access Keys"
-  end
-
-  # Internal support class.  This is used to fetch
-  # the users and access keys.  We have an abstract
-  # class with a concrete AWS implementation provided here;
-  # a few mock implementations are also provided in the unit tests.
-  class Backend
-    # Implementation of AccessKeyProvider which operates by looping over
-    # all users, then fetching their access keys.
-    # TODO: An alternate, more scalable implementation could be made
-    # using the Credential Report.
-    class AwsUserIterator < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def fetch(criteria)
-        iam_client = aws_service_client
-
-        user_details = {}
-        if criteria.key?(:username)
-          begin
-            user_details[criteria[:username]] = iam_client.get_user(user_name: criteria[:username]).user
-          rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions
-            # Swallow - a miss on search results should return an empty table
-          end
-        else
-          pagination_opts = {}
-          loop do
-            api_result = iam_client.list_users(pagination_opts)
-            api_result.users.each do |info|
-              user_details[info.user_name] = info
-            end
-            break unless api_result.is_truncated
-
-            pagination_opts[:marker] = api_result.marker
-          end
-        end
-
-        access_key_data = []
-        user_details.each_key do |username|
-
-          user_keys = iam_client.list_access_keys(user_name: username)
-            .access_key_metadata
-          user_keys = user_keys.map do |metadata|
-            {
-              access_key_id: metadata.access_key_id,
-              username: username,
-              status: metadata.status,
-              create_date: metadata.create_date, # DateTime.parse(metadata.create_date),
-            }
-          end
-
-          # Copy in from user data
-          # Synthetics
-          user_keys.each do |key_info|
-            add_synthetic_fields(key_info, user_details[username])
-          end
-          access_key_data.concat(user_keys)
-        rescue Aws::IAM::Errors::NoSuchEntity # rubocop:disable Lint/HandleExceptions
-          # Swallow - a miss on search results should return an empty table
-
-        end
-        access_key_data
-      end
-
-      def add_synthetic_fields(key_info, user_details) # rubocop:disable Metrics/AbcSize
-        key_info[:id] = key_info[:access_key_id]
-        key_info[:active] = key_info[:status] == "Active"
-        key_info[:inactive] = key_info[:status] != "Active"
-        key_info[:created_hours_ago] = ((Time.now - key_info[:create_date]) / (60 * 60)).to_i
-        key_info[:created_days_ago] = (key_info[:created_hours_ago] / 24).to_i
-        key_info[:user_created_date] = user_details[:create_date]
-        key_info[:created_with_user] = (key_info[:create_date] - key_info[:user_created_date]).abs < 1.0 / 24.0
-
-        # Last used is a separate API call
-        iam_client = aws_service_client
-        last_used =
-          iam_client.get_access_key_last_used(access_key_id: key_info[:access_key_id])
-            .access_key_last_used.last_used_date
-        key_info[:ever_used] = !last_used.nil?
-        key_info[:never_used] = last_used.nil?
-        key_info[:last_used_time] = last_used
-        return unless last_used
-
-        key_info[:last_used_hours_ago] = ((Time.now - last_used) / (60 * 60)).to_i
-        key_info[:last_used_days_ago] = (key_info[:last_used_hours_ago] / 24).to_i
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_group.rb

@@ -1,62 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamGroup < Inspec.resource(1)
-  name "aws_iam_group"
-  desc "Verifies settings for AWS IAM Group"
-  example <<~EXAMPLE
-    describe aws_iam_group('mygroup') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :group_name, :users
-
-  def to_s
-    "IAM Group #{group_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:group_name],
-      allowed_scalar_name: :group_name,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a group_name to aws_iam_group."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = AwsIamGroup::BackendFactory.create(inspec_runner)
-
-    begin
-      resp = backend.get_group(group_name: group_name)
-      @exists = true
-      @aws_group_struct = resp[:group]
-      @users = resp[:users].map(&:user_name)
-    rescue Aws::IAM::Errors::NoSuchEntity
-      @exists = false
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def get_group(query)
-        aws_service_client.get_group(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_groups.rb

@@ -1,56 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamGroups < Inspec.resource(1)
-  name "aws_iam_groups"
-  desc "Verifies settings for AWS IAM groups in bulk"
-  example <<~EXAMPLE
-    describe aws_iam_groups do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_iam_groups does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_column(:group_names, field: :group_name)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "IAM Groups"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = {}
-    loop do
-      api_result = backend.list_groups(pagination_opts)
-      @table += api_result.groups.map(&:to_h)
-      pagination_opts = { marker: api_result.marker }
-      break unless api_result.is_truncated
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def list_groups(query = {})
-        aws_service_client.list_groups(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_password_policy.rb

@@ -1,121 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamPasswordPolicy < Inspec.resource(1)
-  name "aws_iam_password_policy"
-  desc "Verifies iam password policy"
-
-  example <<~EXAMPLE
-    describe aws_iam_password_policy do
-      its('requires_lowercase_characters?') { should be true }
-    end
-
-    describe aws_iam_password_policy do
-      its('requires_uppercase_characters?') { should be true }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
-  def initialize(conn = nil)
-    catch_aws_errors do
-
-      if conn
-        # We're in a mocked unit test.
-        @policy = conn.iam_resource.account_password_policy
-      else
-        # Don't use the resource approach.  It's a CRUD operation
-        # - if the policy does not exist, you get back a blank object to  populate and save.
-        # Using the Client will throw an exception if no policy exists.
-        @policy = inspec_runner.backend.aws_client(Aws::IAM::Client).get_account_password_policy.password_policy
-      end
-    rescue Aws::IAM::Errors::NoSuchEntity
-      @policy = nil
-
-    end
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_resource_mixin.rb
-  def catch_aws_errors
-    yield
-  rescue Aws::Errors::MissingCredentialsError
-    # The AWS error here is unhelpful:
-    # "unable to sign request without credentials set"
-    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://docs.chef.io/inspec/platforms/ for details."
-    fail_resource("No AWS credentials available")
-  rescue Aws::Errors::ServiceError => e
-    fail_resource e.message
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
-  def inspec_runner
-    # When running under inspec-cli, we have an 'inspec' method that
-    # returns the runner. When running under unit tests, we don't
-    # have that, but we still have to call this to pass something
-    # (nil is OK) to the backend.
-    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
-    # TODO: remove after rewrite to include AwsSingularResource
-    inspec if respond_to?(:inspec)
-  end
-
-  def to_s
-    "IAM Password-Policy"
-  end
-
-  def exists?
-    !@policy.nil?
-  end
-
-  #-------------------------- Properties ----------------------------#
-
-  def minimum_password_length
-    @policy.minimum_password_length
-  end
-
-  def max_password_age_in_days
-    raise "this policy does not expire passwords" unless expire_passwords?
-
-    @policy.max_password_age
-  end
-
-  def number_of_passwords_to_remember
-    raise "this policy does not prevent password reuse" \
-      unless prevent_password_reuse?
-
-    @policy.password_reuse_prevention
-  end
-
-  #-------------------------- Matchers ----------------------------#
-  %i{
-    require_lowercase_characters
-    require_uppercase_characters
-    require_symbols
-    require_numbers
-    expire_passwords
-  }.each do |matcher_stem|
-    # Create our predicates (for example, 'require_symbols?')
-    stem_with_question_mark = (matcher_stem.to_s + "?").to_sym
-    define_method stem_with_question_mark do
-      @policy.send(matcher_stem)
-    end
-    # RSpec will expose that as (for example) `be_require_symbols`.
-    # To undo that, we have to make a matcher alias.
-    stem_with_be = ("be_" + matcher_stem.to_s).to_sym
-    RSpec::Matchers.alias_matcher matcher_stem, stem_with_be
-  end
-
-  # This one has an awkward name mapping
-  def allow_users_to_change_passwords?
-    @policy.allow_users_to_change_password
-  end
-  RSpec::Matchers.alias_matcher :allow_users_to_change_passwords, :be_allow_users_to_change_passwords
-
-  # This one has custom logic and renaming
-  def prevent_password_reuse?
-    !@policy.password_reuse_prevention.nil?
-  end
-  RSpec::Matchers.alias_matcher :prevent_password_reuse, :be_prevent_password_reuse
-end

data/lib/resources/aws/aws_iam_policies.rb

@@ -1,57 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamPolicies < Inspec.resource(1)
-  name "aws_iam_policies"
-  desc "Verifies settings for AWS IAM Policies in bulk"
-  example <<~EXAMPLE
-    describe aws_iam_policies do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_iam_policies does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:policy_names, field: :policy_name)
-    .register_column(:arns, field: :arn)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "IAM Policies"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = {}
-    loop do
-      api_result = backend.list_policies(pagination_opts)
-      @table += api_result.policies.map(&:to_h)
-      pagination_opts = { marker: api_result.marker }
-      break unless api_result.is_truncated
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def list_policies(query)
-        aws_service_client.list_policies(query)
-      end
-    end
-  end
-end