inspec 4.56.19 → 5.12.2

data/lib/resources/aws/aws_iam_policy.rb

@@ -1,311 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-require "json" unless defined?(JSON)
-require "set" unless defined?(Set)
-require "uri" unless defined?(URI)
-
-class AwsIamPolicy < Inspec.resource(1)
-  name "aws_iam_policy"
-  desc "Verifies settings for individual AWS IAM Policy"
-  example <<~EXAMPLE
-    describe aws_iam_policy('AWSSupportAccess') do
-      it { should be_attached }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-
-  attr_reader :arn, :attachment_count, :default_version_id
-
-  # Note that we also accept downcases and symbol versions of these
-  EXPECTED_CRITERIA = %w{
-    Action
-    Effect
-    Resource
-    Sid
-  }.freeze
-
-  UNIMPLEMENTED_CRITERIA = %w{
-    Conditional
-    NotAction
-    NotPrincipal
-    NotResource
-    Principal
-  }.freeze
-
-  def to_s
-    "Policy #{@policy_name}"
-  end
-
-  def attached?
-    attachment_count > 0
-  end
-
-  def attached_users
-    return @attached_users if defined? @attached_users
-
-    fetch_attached_entities
-    @attached_users
-  end
-
-  def attached_groups
-    return @attached_groups if defined? @attached_groups
-
-    fetch_attached_entities
-    @attached_groups
-  end
-
-  def attached_roles
-    return @attached_roles if defined? @attached_roles
-
-    fetch_attached_entities
-    @attached_roles
-  end
-
-  def attached_to_user?(user_name)
-    attached_users.include?(user_name)
-  end
-
-  def attached_to_group?(group_name)
-    attached_groups.include?(group_name)
-  end
-
-  def attached_to_role?(role_name)
-    attached_roles.include?(role_name)
-  end
-
-  def policy
-    return nil unless exists?
-    return @policy if defined?(@policy)
-
-    catch_aws_errors do
-      backend = BackendFactory.create(inspec_runner)
-      gpv_response = backend.get_policy_version(policy_arn: arn, version_id: default_version_id)
-      @policy = JSON.parse(URI.decode_www_form_component(gpv_response.policy_version.document))
-    end
-    @policy
-  end
-
-  def statement_count
-    return nil unless exists?
-
-    # Typically it is an array of statements
-    if policy["Statement"].is_a? Array
-      policy["Statement"].count
-    else
-      # But if there is one statement, it is permissable to degenerate the array,
-      # and place the statement as a hash directly under the 'Statement' key
-      1
-    end
-  end
-
-  def has_statement?(provided_criteria = {})
-    return nil unless exists?
-
-    raw_criteria = provided_criteria.dup # provided_criteria is used for output formatting - can't delete from it.
-    criteria = has_statement__validate_criteria(raw_criteria)
-    @normalized_statements ||= has_statement__normalize_statements
-    statements = has_statement__focus_on_sid(@normalized_statements, criteria)
-    statements.any? do |statement|
-      true && \
-        has_statement__effect(statement, criteria) && \
-        has_statement__array_criterion(:action, statement, criteria) && \
-        has_statement__array_criterion(:resource, statement, criteria)
-    end
-  end
-
-  private
-
-  def has_statement__validate_criteria(raw_criteria)
-    recognized_criteria = {}
-    EXPECTED_CRITERIA.each do |expected_criterion|
-      [
-        expected_criterion,
-        expected_criterion.downcase,
-        expected_criterion.to_sym,
-        expected_criterion.downcase.to_sym,
-      ].each do |variant|
-        if raw_criteria.key?(variant)
-          # Always store as downcased symbol
-          recognized_criteria[expected_criterion.downcase.to_sym] = raw_criteria.delete(variant)
-        end
-      end
-    end
-
-    # Special message for valid, but unimplemented statement attributes
-    UNIMPLEMENTED_CRITERIA.each do |unimplemented_criterion|
-      [
-        unimplemented_criterion,
-        unimplemented_criterion.downcase,
-        unimplemented_criterion.to_sym,
-        unimplemented_criterion.downcase.to_sym,
-      ].each do |variant|
-        if raw_criteria.key?(variant)
-          raise ArgumentError, "Criterion '#{unimplemented_criterion}' is not supported for performing have_statement queries."
-        end
-      end
-    end
-
-    # If anything is left, it's spurious
-    unless raw_criteria.empty?
-      raise ArgumentError, "Unrecognized criteria #{raw_criteria.keys.join(", ")} to have_statement.  Recognized criteria: #{EXPECTED_CRITERIA.join(", ")}"
-    end
-
-    # Effect has only 2 permitted values
-    if recognized_criteria.key?(:effect)
-      unless %w{Allow Deny}.include?(recognized_criteria[:effect])
-        raise ArgumentError, "Criterion 'Effect' for have_statement must be one of 'Allow' or 'Deny' - got '#{recognized_criteria[:effect]}'"
-      end
-    end
-
-    recognized_criteria
-  end
-
-  def has_statement__normalize_statements
-    # Some single-statement policies place their statement
-    # directly in policy['Statement'], rather than in an
-    # Array within it.  See arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly
-    # Thus, coerce to Array.
-    policy["Statement"] = [policy["Statement"]] if policy["Statement"].is_a? Hash
-    policy["Statement"].map do |statement|
-      # Coerce some values into arrays
-      %w{Action Resource}.each do |field|
-        if statement.key?(field)
-          statement[field] = Array(statement[field])
-        end
-      end
-
-      # Symbolize all keys
-      statement.keys.each do |field|
-        statement[field.downcase.to_sym] = statement.delete(field)
-      end
-
-      statement
-    end
-  end
-
-  def has_statement__focus_on_sid(statements, criteria)
-    return statements unless criteria.key?(:sid)
-
-    sid_seek = criteria[:sid]
-    statements.select do |statement|
-      if sid_seek.is_a? Regexp
-        statement[:sid] =~ sid_seek
-      else
-        statement[:sid] == sid_seek
-      end
-    end
-  end
-
-  def has_statement__effect(statement, criteria)
-    !criteria.key?(:effect) || criteria[:effect] == statement[:effect]
-  end
-
-  def has_statement__array_criterion(crit_name, statement, criteria)
-    return true unless criteria.key?(crit_name)
-
-    check = criteria[crit_name]
-    # This is an array due to normalize_statements
-    # If it is nil, the statement does not have an entry for that dimension;
-    # but since we were asked to match on it (on nothing), we
-    # decide to never match
-    values = statement[crit_name]
-    return false if values.nil?
-
-    if check.is_a?(String)
-      # If check is a string, it only has to match one of the values
-      values.any? { |v| v == check }
-    elsif check.is_a?(Regexp)
-      # If check is a regex, it only has to match one of the values
-      values.any? { |v| v =~ check }
-    elsif check.is_a?(Array) && check.all? { |c| c.is_a? String }
-      # If check is an array of strings, perform setwise check
-      Set.new(values) == Set.new(check)
-    elsif check.is_a?(Array) && check.all? { |c| c.is_a? Regexp }
-      # If check is an array of regexes, all values must match all regexes
-      values.all? { |v| check.all? { |r| v =~ r } }
-    else
-      false
-    end
-  end
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:policy_name],
-      allowed_scalar_name: :policy_name,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide the parameter 'policy_name' to aws_iam_policy."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    policy = nil
-    pagination_opts = { max_items: 1000 }
-    loop do
-      api_result = backend.list_policies(pagination_opts)
-      policy = api_result.policies.detect do |p|
-        p.policy_name == @policy_name
-      end
-      break if policy # Found it!
-      break unless api_result.is_truncated # Not found and no more results
-
-      pagination_opts[:marker] = api_result.marker
-    end
-
-    @exists = !policy.nil?
-
-    return unless @exists
-
-    @arn = policy[:arn]
-    @default_version_id = policy[:default_version_id]
-    @attachment_count = policy[:attachment_count]
-  end
-
-  def fetch_attached_entities
-    unless @exists
-      @attached_groups = nil
-      @attached_users  = nil
-      @attached_roles  = nil
-      return
-    end
-    backend = AwsIamPolicy::BackendFactory.create(inspec_runner)
-    criteria = { policy_arn: arn }
-    resp = nil
-    catch_aws_errors do
-      resp = backend.list_entities_for_policy(criteria)
-    end
-    @attached_groups = resp.policy_groups.map(&:group_name)
-    @attached_users  = resp.policy_users.map(&:user_name)
-    @attached_roles  = resp.policy_roles.map(&:role_name)
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def get_policy_version(criteria)
-        aws_service_client.get_policy_version(criteria)
-      end
-
-      def list_policies(criteria)
-        aws_service_client.list_policies(criteria)
-      end
-
-      def list_entities_for_policy(criteria)
-        aws_service_client.list_entities_for_policy(criteria)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_role.rb

@@ -1,60 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamRole < Inspec.resource(1)
-  name "aws_iam_role"
-  desc "Verifies settings for an IAM Role"
-  example <<~EXAMPLE
-    describe aws_iam_role('my-role') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :description, :role_name
-
-  def to_s
-    "IAM Role #{role_name}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:role_name],
-      allowed_scalar_name: :role_name,
-      allowed_scalar_type: String
-    )
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a role_name to aws_iam_role."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    role_info = nil
-    begin
-      role_info = BackendFactory.create(inspec_runner).get_role(role_name: role_name)
-    rescue Aws::IAM::Errors::NoSuchEntity
-      @exists = false
-      return
-    end
-    @exists = true
-    @description = role_info.role.description
-  end
-
-  # Uses the SDK API to really talk to AWS
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-      def get_role(query)
-        aws_service_client.get_role(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_iam_root_user.rb

@@ -1,82 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamRootUser < Inspec.resource(1)
-  name "aws_iam_root_user"
-  desc "Verifies settings for AWS root account"
-  example <<~EXAMPLE
-    describe aws_iam_root_user do
-      it { should have_access_key }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  # TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
-  def initialize(conn = nil)
-    @client = conn ? conn.iam_client : inspec_runner.backend.aws_client(Aws::IAM::Client)
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_resource_mixin.rb
-  def catch_aws_errors
-    yield
-  rescue Aws::Errors::MissingCredentialsError
-    # The AWS error here is unhelpful:
-    # "unable to sign request without credentials set"
-    Inspec::Log.error "It appears that you have not set your AWS credentials.  You may set them using environment variables, or using the 'aws://region/aws_credentials_profile' target.  See https://docs.chef.io/inspec/platforms/ for details."
-    fail_resource("No AWS credentials available")
-  rescue Aws::Errors::ServiceError => e
-    fail_resource e.message
-  end
-
-  # TODO: DRY up, see https://github.com/chef/inspec/issues/2633
-  # Copied from resource_support/aws/aws_singular_resource_mixin.rb
-  def inspec_runner
-    # When running under inspec-cli, we have an 'inspec' method that
-    # returns the runner. When running under unit tests, we don't
-    # have that, but we still have to call this to pass something
-    # (nil is OK) to the backend.
-    # TODO: remove with https://github.com/chef/inspec-aws/issues/216
-    # TODO: remove after rewrite to include AwsSingularResource
-    inspec if respond_to?(:inspec)
-  end
-
-  def has_access_key?
-    summary_account["AccountAccessKeysPresent"] == 1
-  end
-
-  def has_mfa_enabled?
-    summary_account["AccountMFAEnabled"] == 1
-  end
-
-  # if the root account has a Virtual MFA device then it will have a special
-  # serial number ending in 'root-account-mfa-device'
-  def has_virtual_mfa_enabled?
-    mfa_device_pattern = %r{arn:aws:iam::\d{12}:mfa\/root-account-mfa-device}
-
-    virtual_mfa_devices.any? { |d| mfa_device_pattern =~ d["serial_number"] }
-  end
-
-  def has_hardware_mfa_enabled?
-    has_mfa_enabled? && !has_virtual_mfa_enabled?
-  end
-
-  def to_s
-    "AWS Root-User"
-  end
-
-  private
-
-  def summary_account
-    catch_aws_errors do
-      @summary_account ||= @client.get_account_summary.summary_map
-    end
-  end
-
-  def virtual_mfa_devices
-    catch_aws_errors do
-      @__virtual_devices ||= @client.list_virtual_mfa_devices.virtual_mfa_devices
-    end
-  end
-end

data/lib/resources/aws/aws_iam_user.rb

@@ -1,145 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamUser < Inspec.resource(1)
-  name "aws_iam_user"
-  desc "Verifies settings for AWS IAM user"
-  example <<~EXAMPLE
-    describe aws_iam_user(username: 'test_user') do
-      it { should have_mfa_enabled }
-      it { should_not have_console_password }
-      it { should_not have_inline_user_policies }
-      it { should_not have_attached_user_policies }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :access_keys, :attached_policy_names, :attached_policy_arns, \
-              :has_console_password, :has_mfa_enabled, :inline_policy_names, :username
-  alias has_mfa_enabled? has_mfa_enabled
-  alias has_console_password? has_console_password
-
-  def name
-    Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_user `name` property is deprecated. Please use `username` instead")
-    username
-  end
-
-  def to_s
-    "IAM User #{username}"
-  end
-
-  def has_attached_policies?
-    return nil unless exists?
-
-    !attached_policy_names.empty?
-  end
-
-  def has_inline_policies?
-    return nil unless exists?
-
-    !inline_policy_names.empty?
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{username aws_user_struct name user},
-      allowed_scalar_name: :username,
-      allowed_scalar_type: String
-    )
-    # If someone passed :name, rename it to :username
-    if validated_params.key?(:name)
-      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `name` property is deprecated. Please use `username` instead")
-      validated_params[:username] = validated_params.delete(:name)
-    end
-
-    # If someone passed :user, rename it to :aws_user_struct
-    if validated_params.key?(:user)
-      Inspec.deprecate(:properties_aws_iam_user, "The aws_iam_users `user` property is deprecated. Please use `aws_user_struct` instead")
-      validated_params[:aws_user_struct] = validated_params.delete(:user)
-    end
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a username to aws_iam_user."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @aws_user_struct ||= nil # silence unitialized warning
-    unless @aws_user_struct
-      begin
-        @aws_user_struct = backend.get_user(user_name: username)
-      rescue Aws::IAM::Errors::NoSuchEntity
-        @exists = false
-        @access_keys = []
-        @inline_policy_names = []
-        @attached_policy_arns = []
-        @attached_policy_names = []
-        return
-      end
-    end
-    # TODO: extract properties from aws_user_struct?
-
-    @exists = true
-
-    begin
-      _login_profile = backend.get_login_profile(user_name: username)
-      @has_console_password = true
-      # Password age also available here
-    rescue Aws::IAM::Errors::NoSuchEntity
-      @has_console_password = false
-    end
-
-    mfa_info = backend.list_mfa_devices(user_name: username)
-    @has_mfa_enabled = !mfa_info.mfa_devices.empty?
-
-    # TODO: consider returning InSpec AwsIamAccessKey objects
-    @access_keys = backend.list_access_keys(user_name: username).access_key_metadata
-    # If the above call fails, we get nil here; but we promise access_keys will be an array.
-    @access_keys ||= []
-
-    @inline_policy_names = backend.list_user_policies(user_name: username).policy_names
-
-    attached_policies = backend.list_attached_user_policies(user_name: username).attached_policies
-    @attached_policy_arns = attached_policies.map { |p| p[:policy_arn] }
-    @attached_policy_names = attached_policies.map { |p| p[:policy_name] }
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      def get_user(criteria)
-        aws_service_client.get_user(criteria)
-      end
-
-      def get_login_profile(criteria)
-        aws_service_client.get_login_profile(criteria)
-      end
-
-      def list_mfa_devices(criteria)
-        aws_service_client.list_mfa_devices(criteria)
-      end
-
-      def list_access_keys(criteria)
-        aws_service_client.list_access_keys(criteria)
-      end
-
-      def list_user_policies(criteria)
-        aws_service_client.list_user_policies(criteria)
-      end
-
-      def list_attached_user_policies(criteria)
-        aws_service_client.list_attached_user_policies(criteria)
-      end
-    end
-  end
-end