inspec 4.56.58 → 5.7.9

data/lib/resources/aws/aws_iam_users.rb

@@ -1,160 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-iam"
-
-class AwsIamUsers < Inspec.resource(1)
-  name "aws_iam_users"
-  desc "Verifies settings for AWS IAM users"
-  example <<~EXAMPLE
-    describe aws_iam_users.where(has_mfa_enabled?: false) do
-      it { should_not exist }
-    end
-    describe aws_iam_users.where(has_console_password?: true) do
-      it { should exist }
-    end
-    describe aws_iam_users.where(has_inline_policies?: true) do
-      it { should_not exist }
-    end
-    describe aws_iam_users.where(has_attached_policies?: true) do
-      it { should_not exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-
-  def self.lazy_get_login_profile(row, _criterion, table)
-    backend = BackendFactory.create(table.resource.inspec_runner)
-    begin
-      _login_profile = backend.get_login_profile(user_name: row[:user_name])
-      row[:has_console_password] = true
-    rescue Aws::IAM::Errors::NoSuchEntity
-      row[:has_console_password] = false
-    end
-    row[:has_console_password?] = row[:has_console_password]
-  end
-
-  def self.lazy_list_mfa_devices(row, _criterion, table)
-    backend = BackendFactory.create(table.resource.inspec_runner)
-    begin
-      aws_mfa_devices = backend.list_mfa_devices(user_name: row[:user_name])
-      row[:has_mfa_enabled] = !aws_mfa_devices.mfa_devices.empty?
-    rescue Aws::IAM::Errors::NoSuchEntity
-      row[:has_mfa_enabled] = false
-    end
-    row[:has_mfa_enabled?] = row[:has_mfa_enabled]
-  end
-
-  def self.lazy_list_user_policies(row, _criterion, table)
-    backend = BackendFactory.create(table.resource.inspec_runner)
-    row[:inline_policy_names] = backend.list_user_policies(user_name: row[:user_name]).policy_names
-    row[:has_inline_policies] = !row[:inline_policy_names].empty?
-    row[:has_inline_policies?] = row[:has_inline_policies]
-  end
-
-  def self.lazy_list_attached_policies(row, _criterion, table)
-    backend = BackendFactory.create(table.resource.inspec_runner)
-    attached_policies = backend.list_attached_user_policies(user_name: row[:user_name]).attached_policies
-    row[:has_attached_policies] = !attached_policies.empty?
-    row[:has_attached_policies?] = row[:has_attached_policies]
-    row[:attached_policy_names] = attached_policies.map { |p| p[:policy_name] }
-    row[:attached_policy_arns] = attached_policies.map { |p| p[:policy_arn] }
-  end
-
-  filter = FilterTable.create
-
-  # These are included on the initial fetch
-  filter.register_column(:usernames, field: :user_name)
-    .register_column(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
-    .register_column(:password_ever_used?, field: :password_ever_used?)
-    .register_column(:password_never_used?, field: :password_never_used?)
-    .register_column(:password_last_used_days_ago, field: :password_last_used_days_ago)
-
-  # Remaining properties / criteria are handled lazily, grouped by fetcher
-  filter.register_column(:has_console_password?, field: :has_console_password?, lazy: method(:lazy_get_login_profile))
-    .register_column(:has_console_password, field: :has_console_password, lazy: method(:lazy_get_login_profile))
-
-  filter.register_column(:has_mfa_enabled?, field: :has_mfa_enabled?, lazy: method(:lazy_list_mfa_devices))
-    .register_column(:has_mfa_enabled, field: :has_mfa_enabled, lazy: method(:lazy_list_mfa_devices))
-
-  filter.register_column(:has_inline_policies?, field: :has_inline_policies?, lazy: method(:lazy_list_user_policies))
-    .register_column(:has_inline_policies, field: :has_inline_policies, lazy: method(:lazy_list_user_policies))
-    .register_column(:inline_policy_names, field: :inline_policy_names, style: :simple, lazy: method(:lazy_list_user_policies))
-
-  filter.register_column(:has_attached_policies?, field: :has_attached_policies?, lazy: method(:lazy_list_attached_policies))
-    .register_column(:has_attached_policies, field: :has_attached_policies, lazy: method(:lazy_list_attached_policies))
-    .register_column(:attached_policy_names, field: :attached_policy_names, style: :simple, lazy: method(:lazy_list_attached_policies))
-    .register_column(:attached_policy_arns, field: :attached_policy_arns, style: :simple, lazy: method(:lazy_list_attached_policies))
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def validate_params(raw_params)
-    # No params yet
-    unless raw_params.empty?
-      raise ArgumentError, "aws_iam_users does not accept resource parameters"
-    end
-
-    raw_params
-  end
-
-  def fetch_from_api_paginated(backend)
-    table = []
-    page_marker = nil
-    loop do
-      api_result = backend.list_users(marker: page_marker)
-      table += api_result.users.map(&:to_h)
-      page_marker = api_result.marker
-      break unless api_result.is_truncated
-    end
-    table
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = fetch_from_api_paginated(backend)
-
-    @table.each do |user|
-      password_last_used = user[:password_last_used]
-      user[:password_ever_used?] = !password_last_used.nil?
-      user[:password_never_used?] = password_last_used.nil?
-      if user[:password_ever_used?]
-        user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24 * 60 * 60)).to_i
-      end
-    end
-    @table
-  end
-
-  def to_s
-    "IAM Users"
-  end
-
-  #===========================================================================#
-  #                        Backend Implementation
-  #===========================================================================#
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::IAM::Client
-
-      # TODO: delegate this out
-      def list_users(query = {})
-        aws_service_client.list_users(query)
-      end
-
-      def get_login_profile(query)
-        aws_service_client.get_login_profile(query)
-      end
-
-      def list_mfa_devices(query)
-        aws_service_client.list_mfa_devices(query)
-      end
-
-      def list_user_policies(query)
-        aws_service_client.list_user_policies(query)
-      end
-
-      def list_attached_user_policies(query)
-        aws_service_client.list_attached_user_policies(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_kms_key.rb

@@ -1,100 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-kms"
-
-class AwsKmsKey < Inspec.resource(1)
-  name "aws_kms_key"
-  desc "Verifies settings for an individual AWS KMS Key"
-  example <<~EXAMPLE
-    describe aws_kms_key('arn:aws:kms:us-east-1::key/4321dcba-21io-23de-85he-ab0987654321') do
-      it { should exist }
-    end
-  EXAMPLE
-
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
-              :deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
-              :has_rotation_enabled, :enabled
-  # Use aliases for matchers
-  alias deletion_time deletion_date
-  alias invalidation_time valid_to
-  alias external? external
-  alias enabled? enabled
-  alias managed_by_aws? managed_by_aws
-  alias has_key_expiration? has_key_expiration
-  alias has_rotation_enabled? has_rotation_enabled
-
-  def to_s
-    "KMS Key #{@key_id}"
-  end
-
-  def created_days_ago
-    ((Time.now - creation_date) / (24 * 60 * 60)).to_i unless creation_date.nil?
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:key_id],
-      allowed_scalar_name: :key_id,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.empty?
-      raise ArgumentError, "You must provide the parameter 'key_id' to aws_kms_key."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    query = { key_id: @key_id }
-    catch_aws_errors do
-
-      resp = backend.describe_key(query)
-
-      @exists = true
-      @key = resp.key_metadata.to_h
-      @key_id = @key[:key_id]
-      @arn = @key[:arn]
-      @creation_date = @key[:creation_date]
-      @enabled = @key[:enabled]
-      @description = @key[:description]
-      @key_usage = @key[:key_usage]
-      @key_state = @key[:key_state]
-      @deletion_date = @key[:deletion_date]
-      @valid_to = @key[:valid_to]
-      @external = @key[:origin] == "EXTERNAL"
-      @has_key_expiration = @key[:expiration_model] == "KEY_MATERIAL_EXPIRES"
-      @managed_by_aws = @key[:key_manager] == "AWS"
-
-      resp = backend.get_key_rotation_status(query)
-      @has_rotation_enabled = resp.key_rotation_enabled unless resp.empty?
-    rescue Aws::KMS::Errors::NotFoundException
-      @exists = false
-      return
-
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::KMS::Client
-
-      def describe_key(query)
-        aws_service_client.describe_key(query)
-      end
-
-      def get_key_rotation_status(query)
-        aws_service_client.get_key_rotation_status(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_kms_keys.rb

@@ -1,58 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-kms"
-
-class AwsKmsKeys < Inspec.resource(1)
-  name "aws_kms_keys"
-  desc "Verifies settings for AWS KMS Keys in bulk"
-  example <<~EXAMPLE
-    describe aws_kms_keys do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  def validate_params(resource_params)
-    unless resource_params.empty?
-      raise ArgumentError, "aws_kms_keys does not accept resource parameters."
-    end
-
-    resource_params
-  end
-
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:key_arns, field: :key_arn)
-    .register_column(:key_ids, field: :key_id)
-  filter.install_filter_methods_on_resource(self, :table)
-
-  def to_s
-    "KMS Keys"
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    @table = []
-    pagination_opts = { limit: 1000 }
-    loop do
-      api_result = backend.list_keys(pagination_opts)
-      @table += api_result.keys.map(&:to_h)
-      break unless api_result.truncated
-
-      pagination_opts = { marker: api_result.next_marker }
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::KMS::Client
-
-      def list_keys(query = {})
-        aws_service_client.list_keys(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_rds_instance.rb

@@ -1,74 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-rds"
-
-class AwsRdsInstance < Inspec.resource(1)
-  name "aws_rds_instance"
-  desc "Verifies settings for an rds instance"
-  example <<~EXAMPLE
-    describe aws_rds_instance(db_instance_identifier: 'test-instance-id') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :db_instance_identifier
-
-  def to_s
-    "RDS Instance #{@db_instance_identifier}"
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:db_instance_identifier],
-      allowed_scalar_name: :db_instance_identifier,
-      allowed_scalar_type: String
-    )
-    if validated_params.empty? || !validated_params.key?(:db_instance_identifier)
-      raise ArgumentError, "You must provide an id for the aws_rds_instance."
-    end
-
-    if validated_params.key?(:db_instance_identifier) && validated_params[:db_instance_identifier] !~ /^[a-z]{1}[0-9a-z\-]{0,62}$/
-      raise ArgumentError, "aws_rds_instance Database Instance ID must be in the format: start with a letter followed by up to 62 letters/numbers/hyphens."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    dsg_response = nil
-    catch_aws_errors do
-
-      dsg_response = backend.describe_db_instances(db_instance_identifier: db_instance_identifier)
-      @exists = true
-    rescue Aws::RDS::Errors::DBInstanceNotFound
-      @exists = false
-      return
-
-    end
-
-    if dsg_response.db_instances.empty?
-      @exists = false
-      return
-    end
-
-    @db_instance_identifier = dsg_response.db_instances[0].db_instance_identifier
-  end
-
-  # Uses the SDK API to really talk to AWS
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::RDS::Client
-
-      def describe_db_instances(query)
-        aws_service_client.describe_db_instances(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_route_table.rb

@@ -1,67 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsRouteTable < Inspec.resource(1)
-  name "aws_route_table"
-  desc "Verifies settings for an AWS Route Table"
-  example <<~EXAMPLE
-    describe aws_route_table do
-      its('route_table_id') { should cmp 'rtb-05462d2278326a79c' }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-
-  def to_s
-    "Route Table #{@route_table_id}"
-  end
-
-  attr_reader :route_table_id, :vpc_id
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:route_table_id],
-      allowed_scalar_name: :route_table_id,
-      allowed_scalar_type: String
-    )
-
-    if validated_params.key?(:route_table_id) &&
-        validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
-      raise ArgumentError,
-            "aws_route_table Route Table ID must be in the" \
-            ' format "rtb-" followed by 8 or 17 hexadecimal characters.'
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    if @route_table_id.nil?
-      args = nil
-    else
-      args = { filters: [{ name: "route-table-id", values: [@route_table_id] }] }
-    end
-
-    resp = backend.describe_route_tables(args)
-    routetable = resp.to_h[:route_tables]
-    @exists = !routetable.empty?
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_route_tables(query)
-        aws_service_client.describe_route_tables(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_route_tables.rb

@@ -1,64 +0,0 @@
-require "resource_support/aws/aws_plural_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-ec2"
-
-class AwsRouteTables < Inspec.resource(1)
-  name "aws_route_tables"
-  desc "Verifies settings for AWS Route Tables in bulk"
-  example <<~EXAMPLE
-    describe aws_route_tables do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsPluralResourceMixin
-  # Underlying FilterTable implementation.
-  filter = FilterTable.create
-  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
-  filter.register_column(:vpc_ids, field: :vpc_id)
-    .register_column(:route_table_ids, field: :route_table_id)
-  filter.install_filter_methods_on_resource(self, :routes_data)
-
-  def routes_data
-    @table
-  end
-
-  def to_s
-    "Route Tables"
-  end
-
-  private
-
-  def validate_params(raw_criteria)
-    unless raw_criteria.is_a? Hash
-      raise "Unrecognized criteria for fetching Route Tables. " \
-            "Use 'criteria: value' format."
-    end
-
-    # No criteria yet
-    unless raw_criteria.empty?
-      raise ArgumentError, "aws_route_tables does not currently accept resource parameters."
-    end
-
-    raw_criteria
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-      @table = backend.describe_route_tables({}).to_h[:route_tables]
-    end
-  end
-
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend self
-      self.aws_client_class = Aws::EC2::Client
-
-      def describe_route_tables(query = {})
-        aws_service_client.describe_route_tables(query)
-      end
-    end
-  end
-end

data/lib/resources/aws/aws_s3_bucket.rb

@@ -1,141 +0,0 @@
-require "resource_support/aws/aws_singular_resource_mixin"
-require "resource_support/aws/aws_backend_base"
-require "aws-sdk-s3"
-
-class AwsS3Bucket < Inspec.resource(1)
-  name "aws_s3_bucket"
-  desc "Verifies settings for a s3 bucket"
-  example <<~EXAMPLE
-    describe aws_s3_bucket(bucket_name: 'test_bucket') do
-      it { should exist }
-    end
-  EXAMPLE
-  supports platform: "aws"
-
-  include AwsSingularResourceMixin
-  attr_reader :bucket_name, :has_default_encryption_enabled, :has_access_logging_enabled, :region
-
-  def to_s
-    "S3 Bucket #{@bucket_name}"
-  end
-
-  def bucket_acl
-    catch_aws_errors do
-      @bucket_acl ||= BackendFactory.create(inspec_runner).get_bucket_acl(bucket: bucket_name).grants
-    end
-  end
-
-  def bucket_policy
-    @bucket_policy ||= fetch_bucket_policy
-  end
-
-  # RSpec will alias this to be_public
-  def public?
-    # first line just for formatting
-    false || \
-      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
-      bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ } || \
-      bucket_policy.any? { |s| s.effect == "Allow" && s.principal == "*" }
-  end
-
-  def has_default_encryption_enabled?
-    return false unless @exists
-
-    @has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
-  end
-
-  def has_access_logging_enabled?
-    return false unless @exists
-
-    catch_aws_errors do
-      @has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
-    end
-  end
-
-  private
-
-  def validate_params(raw_params)
-    validated_params = check_resource_param_names(
-      raw_params: raw_params,
-      allowed_params: [:bucket_name],
-      allowed_scalar_name: :bucket_name,
-      allowed_scalar_type: String
-    )
-    if validated_params.empty? || !validated_params.key?(:bucket_name)
-      raise ArgumentError, "You must provide a bucket_name to aws_s3_bucket."
-    end
-
-    validated_params
-  end
-
-  def fetch_from_api
-    backend = BackendFactory.create(inspec_runner)
-
-    # Since there is no basic "get_bucket" API call, use the
-    # region fetch as the existence check.
-    begin
-      @region = backend.get_bucket_location(bucket: bucket_name).location_constraint
-    rescue Aws::S3::Errors::NoSuchBucket
-      @exists = false
-      return
-    end
-    @exists = true
-  end
-
-  def fetch_bucket_policy
-    backend = BackendFactory.create(inspec_runner)
-    catch_aws_errors do
-
-      # AWS SDK returns a StringIO, we have to read()
-      raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy
-      return JSON.parse(raw_policy.read)["Statement"].map do |statement|
-        lowercase_hash = {}
-        statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] }
-        @bucket_policy = OpenStruct.new(lowercase_hash)
-      end
-    rescue Aws::S3::Errors::NoSuchBucketPolicy
-      @bucket_policy = []
-
-    end
-  end
-
-  def fetch_bucket_encryption_configuration
-    @has_default_encryption_enabled ||= catch_aws_errors do
-      !BackendFactory.create(inspec_runner)
-        .get_bucket_encryption(bucket: bucket_name)
-        .server_side_encryption_configuration
-        .nil?
-    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
-      false
-
-    end
-  end
-
-  # Uses the SDK API to really talk to AWS
-  class Backend
-    class AwsClientApi < AwsBackendBase
-      BackendFactory.set_default_backend(self)
-      self.aws_client_class = Aws::S3::Client
-
-      def get_bucket_acl(query)
-        aws_service_client.get_bucket_acl(query)
-      end
-
-      def get_bucket_location(query)
-        aws_service_client.get_bucket_location(query)
-      end
-
-      def get_bucket_policy(query)
-        aws_service_client.get_bucket_policy(query)
-      end
-
-      def get_bucket_logging(query)
-        aws_service_client.get_bucket_logging(query)
-      end
-
-      def get_bucket_encryption(query)
-        aws_service_client.get_bucket_encryption(query)
-      end
-    end
-  end
-end