inspec 4.56.19 → 5.12.2

data/lib/resources/aws/aws_s3_bucket_object.rb

@@ -1,87 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-s3"
-
-class AwsS3BucketObject < Inspec.resource(1)
-  name "aws_s3_bucket_object"
-  desc "Verifies settings for a s3 bucket object"
-  example <<~EXAMPLE
-    describe aws_s3_bucket_object(bucket_name: 'bucket_name', key: 'file_name') do
-      it { should exist }
-      it { should_not be_public }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :bucket_name, :key
-
-  def to_s
-    # keep the format that aws uses.
-    "s3://#{@bucket_name}/#{@key}"
-  end
-
-  def object_acl
-    return @object_acl if defined? @object_acl
-
-    catch_aws_errors do
-      @object_acl = BackendFactory.create(inspec_runner).get_object_acl(bucket: bucket_name, key: key).grants
-    end
-    @object_acl
-  end
-
-  # RSpec will alias this to be_public
-  def public?
-    # first line just for formatting
-    false || \
-      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
-      object_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ }
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{bucket_name key id}
-    )
-    if validated_params.empty? || !validated_params.key?(:bucket_name) || !validated_params.key?(:key)
-      raise ArgumentError, "You must provide a bucket_name and key to aws_s3_bucket_object."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-
-      # Just use get_object to detect if the bucket exists
-      backend.get_object(bucket: bucket_name, key: key)
-    rescue Aws::S3::Errors::NoSuchBucket
-      @exists = false
-      return
-    rescue Aws::S3::Errors::NoSuchKey
-      @exists = false
-      return
-
-    end
-    @exists = true
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::S3::Client
-
-      # Used to detect if object exists
-      def get_object(query)
-        aws_service_client.get_object(query)
-      end
-
-      def get_object_acl(query)
-        aws_service_client.get_object_acl(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_s3_buckets.rb

@@ -1,52 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-s3"
-
-class AwsS3Buckets < Inspec.resource(1)
-  name "aws_s3_buckets"
-  desc "Verifies settings for AWS S3 Buckets in bulk"
-  example <<~EXAMPLE
-    describe aws_s3_bucket do
-      its('bucket_names') { should eq ['my_bucket'] }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:bucket_names, field: :name)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "S3 Buckets"
-  end
-
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_s3_buckets does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  private
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = backend.list_buckets.buckets.map(&:to_h)
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend self
-      self.aws_client_class = Aws::S3::Client
-
-      def list_buckets
-        aws_service_client.list_buckets
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_security_group.rb

@@ -1,314 +0,0 @@
-require "set" unless defined?(Set)
-require "ipaddr" unless defined?(IPAddr)
-
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsSecurityGroup < Inspec.resource(1)
-  name "aws_security_group"
-  desc "Verifies settings for an individual AWS Security Group."
-  example <<~EXAMPLE
-    describe aws_security_group('sg-12345678') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :description, :group_id, :group_name, :vpc_id, :inbound_rules, :outbound_rules, :inbound_rules_count, :outbound_rules_count
-
-  def to_s
-    "EC2 Security Group #{@group_id}"
-  end
-
-  def allow_in?(criteria = {})
-    allow(inbound_rules, criteria.dup)
-  end
-  RSpec::Matchers.alias_matcher :allow_in, :be_allow_in
-
-  def allow_out?(criteria = {})
-    allow(outbound_rules, criteria.dup)
-  end
-  RSpec::Matchers.alias_matcher :allow_out, :be_allow_out
-
-  def allow_in_only?(criteria = {})
-    allow_only(inbound_rules, criteria.dup)
-  end
-  RSpec::Matchers.alias_matcher :allow_in_only, :be_allow_in_only
-
-  def allow_out_only?(criteria = {})
-    allow_only(outbound_rules, criteria.dup)
-  end
-  RSpec::Matchers.alias_matcher :allow_out_only, :be_allow_out_only
-
-  private
-
-  def allow_only(rules, criteria)
-    rules = allow__focus_on_position(rules, criteria)
-    # allow_{in_out}_only require either a single-rule group, or you
-    # to select a rule using position.
-    return false unless rules.count == 1 || criteria.key?(:position)
-
-    if criteria.key?(:security_group)
-      if criteria.key?(:position)
-        pos = criteria[:position] - 1
-      else
-        pos = 0
-      end
-      return false unless rules[pos].key?(:user_id_group_pairs) && rules[pos][:user_id_group_pairs].count == 1
-    end
-    criteria[:exact] = true
-    allow(rules, criteria)
-  end
-
-  def allow(rules, criteria)
-    criteria = allow__check_criteria(criteria)
-    rules = allow__focus_on_position(rules, criteria)
-
-    rules.any? do |rule|
-      matched = true
-      matched &&= allow__match_port(rule, criteria)
-      matched &&= allow__match_protocol(rule, criteria)
-      matched &&= allow__match_ipv4_range(rule, criteria)
-      matched &&= allow__match_ipv6_range(rule, criteria)
-      matched &&= allow__match_security_group(rule, criteria)
-      matched
-    end
-  end
-
-  def allow__check_criteria(raw_criteria)
-    allowed_criteria = [
-      :from_port,
-      :ipv4_range,
-      :ipv6_range,
-      :security_group,
-      :port,
-      :position,
-      :protocol,
-      :to_port,
-      :exact, # Internal
-    ]
-    recognized_criteria = {}
-    allowed_criteria.each do |expected_criterion|
-      if raw_criteria.key?(expected_criterion)
-        recognized_criteria[expected_criterion] = raw_criteria.delete(expected_criterion)
-      end
-    end
-
-    # Any leftovers are unwelcome
-    unless raw_criteria.empty?
-      raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(",")}'. Expected criteria: #{allowed_criteria.join(", ")}"
-    end
-
-    recognized_criteria
-  end
-
-  def allow__focus_on_position(rules, criteria)
-    return rules unless criteria.key?(:position)
-
-    idx = criteria.delete(:position)
-
-    # Normalize to a zero-based numeric index
-    case # rubocop: disable Style/EmptyCaseCondition
-    when idx.is_a?(Symbol) && idx == :first
-      idx = 0
-    when idx.is_a?(Symbol) && idx == :last
-      idx = rules.count - 1
-    when idx.is_a?(String)
-      idx = idx.to_i - 1 # We document this as 1-based, so adjust to be zero-based.
-    when idx.is_a?(Numeric)
-      idx -= 1 # We document this as 1-based, so adjust to be zero-based.
-    else
-      raise ArgumentError, "aws_security_group 'allow' 'position' criteria must be an integer or the symbols :first or :last"
-    end
-
-    unless idx < rules.count
-      raise ArgumentError, "aws_security_group 'allow' 'position' criteria #{idx + 1} is out of range - there are only #{rules.count} rules for security group #{group_id}."
-    end
-
-    [rules[idx]]
-  end
-
-  def allow__match_port(rule, criteria) # rubocop: disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize
-    if criteria[:exact] || criteria[:from_port] || criteria[:to_port]
-      # Exact match mode
-      # :port is shorthand for a single-valued port range.
-      criteria[:to_port] = criteria[:from_port] = criteria[:port] if criteria[:port]
-      to = criteria[:to_port]
-      from = criteria[:from_port]
-      # It's a match if neither criteria was specified
-      return true if to.nil? && from.nil?
-
-      # Normalize to integers
-      to = to.to_i unless to.nil?
-      from = from.to_i unless from.nil?
-      # It's a match if either was specified and the other was not
-      return true if rule[:to_port] == to && from.nil?
-      return true if rule[:from_port] == from && to.nil?
-
-      # Finally, both must match.
-      rule[:to_port] == to && rule[:from_port] == from
-    elsif !criteria[:port]
-      # port not specified, match anything
-      true
-    else
-      # Range membership mode
-      rule_from = rule[:from_port] || 0
-      rule_to = rule[:to_port] || 65535
-      (rule_from..rule_to).cover?(criteria[:port].to_i)
-    end
-  end
-
-  def allow__match_protocol(rule, criteria)
-    return true unless criteria.key?(:protocol)
-
-    prot = criteria[:protocol]
-    # We provide a "fluency alias" for -1 (any).
-    prot = "-1" if prot == "any"
-
-    rule[:ip_protocol] == prot
-  end
-
-  def match_ipv4_or_6_range(rule, criteria)
-    if criteria.key?(:ipv4_range)
-      query = criteria[:ipv4_range]
-      query = [query] unless query.is_a?(Array)
-      ranges = rule[:ip_ranges].map { |rng| rng[:cidr_ip] }
-    else # IPv6
-      query = criteria[:ipv6_range]
-      query = [query] unless query.is_a?(Array)
-      ranges = rule[:ipv_6_ranges].map { |rng| rng[:cidr_ipv_6] }
-    end
-
-    if criteria[:exact]
-      Set.new(query) == Set.new(ranges)
-    else
-      # CIDR subset mode
-      # "Each of the provided IP ranges must be a member of one of the rule's listed IP ranges"
-      query.all? do |candidate|
-        candidate = IPAddr.new(candidate)
-        ranges.any? do |range|
-          range = IPAddr.new(range)
-          range.include?(candidate)
-        end
-      end
-    end
-  end
-
-  def allow__match_ipv4_range(rule, criteria)
-    return true unless criteria.key?(:ipv4_range)
-
-    match_ipv4_or_6_range(rule, criteria)
-  end
-
-  def allow__match_ipv6_range(rule, criteria)
-    return true unless criteria.key?(:ipv6_range)
-
-    match_ipv4_or_6_range(rule, criteria)
-  end
-
-  def allow__match_security_group(rule, criteria)
-    return true unless criteria.key?(:security_group)
-
-    query = criteria[:security_group]
-    return false unless rule[:user_id_group_pairs]
-
-    rule[:user_id_group_pairs].any? { |group| query == group[:group_id] }
-  end
-
-  def validate_params(raw_params)
-    recognized_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: %i{id group_id group_name vpc_id},
-      allowed_scalar_name: :group_id,
-      allowed_scalar_type: String
-    )
-
-    # id is an alias for group_id
-    recognized_params[:group_id] = recognized_params.delete(:id) if recognized_params.key?(:id)
-
-    if recognized_params.key?(:group_id) && recognized_params[:group_id] !~ /^sg\-[0-9a-f]{8}/
-      raise ArgumentError, 'aws_security_group security group ID must be in the format "sg-" followed by 8 hexadecimal characters.'
-    end
-
-    if recognized_params.key?(:vpc_id) && recognized_params[:vpc_id] !~ /^vpc\-[0-9a-f]{8}/
-      raise ArgumentError, 'aws_security_group VPC ID must be in the format "vpc-" followed by 8 hexadecimal characters.'
-    end
-
-    validated_params = recognized_params
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group."
-    end
-
-    validated_params
-  end
-
-  def count_sg_rules(ip_permissions)
-    rule_count = 0
-    ip_permissions.each do |ip_permission|
-      %i{ip_ranges ipv_6_ranges user_id_group_pairs}.each do |key|
-        if ip_permission.key? key
-          rule_count += ip_permission[key].length
-        end
-      end
-    end
-    rule_count
-  end
-
-  def fetch_from_api # rubocop: disable Metrics/AbcSize
-    backend = BackendFactory.create(inspec_runner)
-
-    # Transform into filter format expected by AWS
-    filters = []
-    %i{
-      description
-      group_id
-      group_name
-      vpc_id
-    }.each do |criterion_name|
-      instance_var = "@#{criterion_name}".to_sym
-      next unless instance_variable_defined?(instance_var)
-
-      val = instance_variable_get(instance_var)
-      next if val.nil?
-
-      filters.push(
-        {
-          name: criterion_name.to_s.tr("_", "-"),
-          values: [val],
-        }
-      )
-    end
-    dsg_response = backend.describe_security_groups(filters: filters)
-
-    if dsg_response.security_groups.empty?
-      @exists = false
-      @inbound_rules = []
-      @outbound_rules = []
-      return
-    end
-
-    @exists = true
-    @description = dsg_response.security_groups[0].description
-    @group_id = dsg_response.security_groups[0].group_id
-    @group_name = dsg_response.security_groups[0].group_name
-    @vpc_id     = dsg_response.security_groups[0].vpc_id
-    @inbound_rules = dsg_response.security_groups[0].ip_permissions.map(&:to_h)
-    @inbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions.map(&:to_h))
-    @outbound_rules = dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h)
-    @outbound_rules_count = count_sg_rules(dsg_response.security_groups[0].ip_permissions_egress.map(&:to_h))
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend self
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_security_groups(query)
-        aws_service_client.describe_security_groups(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_security_groups.rb

@@ -1,71 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsSecurityGroups < Inspec.resource(1)
-  name "aws_security_groups"
-  desc "Verifies settings for AWS Security Groups in bulk"
-  example <<~EXAMPLE
-    # Verify that you have security groups defined
-    describe aws_security_groups do
-      it { should exist }
-    end
-
-    # Verify you have more than the default security group
-    describe aws_security_groups do
-      its('entries.count') { should be > 1 }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:group_ids, field: :group_id)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "EC2 Security Groups"
-  end
-
-  private
-
-  def validate_params(raw_criteria)
-    unless raw_criteria.is_a? Hash
-      raise "Unrecognized criteria for fetching Security Groups. " \
-            "Use 'criteria: value' format."
-    end
-
-    # No criteria yet
-    unless raw_criteria.empty?
-      raise ArgumentError, "aws_ec2_security_groups does not currently accept resource parameters."
-    end
-
-    raw_criteria
-  end
-
-  def fetch_from_api
-    @table = []
-    backend = BackendFactory.create(inspec_runner)
-    backend.describe_security_groups({}).security_groups.each do |sg_info|
-      @table.push({
-                    group_id: sg_info.group_id,
-                    group_name: sg_info.group_name,
-                    vpc_id: sg_info.vpc_id,
-                  })
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend self
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_security_groups(query)
-        aws_service_client.describe_security_groups(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_sns_subscription.rb

@@ -1,82 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-sns"
-
-class AwsSnsSubscription < Inspec.resource(1)
-  name "aws_sns_subscription"
-  desc "Verifies settings for an SNS Subscription"
-  example <<~EXAMPLE
-    describe aws_sns_subscription('arn:aws:sns:us-east-1::test-topic-01:b214aff5-a2c7-438f-a753-8494493f2ff6') do
-      it { should_not have_raw_message_delivery }
-      it { should be_confirmation_authenticated }
-      its('owner') { should cmp '12345678' }
-      its('topic_arn') { should cmp 'arn:aws:sns:us-east-1::test-topic-01' }
-      its('endpoint') { should cmp 'arn:aws:sqs:us-east-1::test-queue-01' }
-      its('protocol') { should cmp 'sqs' }
-    end
-  EXAMPLE
-
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :arn, :owner, :raw_message_delivery, :topic_arn, :endpoint, :protocol,
-              :confirmation_was_authenticated, :aws_response
-
-  alias confirmation_authenticated? confirmation_was_authenticated
-  alias raw_message_delivery? raw_message_delivery
-
-  def has_raw_message_delivery?
-    raw_message_delivery
-  end
-
-  def to_s
-    "SNS Subscription #{@arn}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:subscription_arn],
-      allowed_scalar_name: :subscription_arn,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide a subscription_arn to aws_sns_subscription."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-
-      aws_response = backend.get_subscription_attributes(subscription_arn: @subscription_arn).attributes
-      @exists = true
-      @owner = aws_response["Owner"]
-      @raw_message_delivery = aws_response["RawMessageDelivery"].eql?("true")
-      @topic_arn = aws_response["TopicArn"]
-      @endpoint = aws_response["Endpoint"]
-      @protocol = aws_response["Protocol"]
-      @confirmation_was_authenticated = aws_response["ConfirmationWasAuthenticated"].eql?("true")
-    rescue Aws::SNS::Errors::NotFound
-      @exists = false
-      return
-
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend self
-      self.aws_client_class = Aws::SNS::Client
-
-      def get_subscription_attributes(criteria)
-        aws_service_client.get_subscription_attributes(criteria)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_sns_topic.rb

@@ -1,57 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-sns"
-
-class AwsSnsTopic < Inspec.resource(1)
-  name "aws_sns_topic"
-  desc "Verifies settings for an SNS Topic"
-  example <<~EXAMPLE
-    describe aws_sns_topic('arn:aws:sns:us-east-1:123456789012:some-topic') do
-      it { should exist }
-      its('confirmed_subscription_count') { should_not be_zero }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :arn, :confirmed_subscription_count
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:arn],
-      allowed_scalar_name: :arn,
-      allowed_scalar_type: String
-    )
-    # Validate the ARN
-    unless validated_params[:arn] =~ /^arn:aws:sns:[\w\-]+:\d{12}:[\S]+$/
-      raise ArgumentError, "Malformed ARN for SNS topics.  Expected an ARN of the form " \
-                           "'arn:aws:sns:REGION:ACCOUNT-ID:TOPIC-NAME'"
-    end
-    validated_params
-  end
-
-  def fetch_from_api
-    aws_response = BackendFactory.create(inspec_runner).get_topic_attributes(topic_arn: @arn).attributes
-    @exists = true
-
-    # The response has a plain hash with CamelCase plain string keys and string values
-    @confirmed_subscription_count = aws_response["SubscriptionsConfirmed"].to_i
-  rescue Aws::SNS::Errors::NotFound
-    @exists = false
-  end
-
-  # Uses the SDK API to really talk to AWS
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::SNS::Client
-
-      def get_topic_attributes(criteria)
-        aws_service_client.get_topic_attributes(criteria)
-      end
-    end
-  end
-end