inspec 4.7.3 → 4.7.18
- checksums.yaml +4 -4
- data/inspec.gemspec +1 -1
- data/lib/bundles/inspec-supermarket/api.rb +2 -1
- data/lib/bundles/inspec-supermarket/cli.rb +6 -6
- data/lib/bundles/inspec-supermarket/target.rb +1 -0
- data/lib/fetchers/git.rb +3 -1
- data/lib/fetchers/mock.rb +1 -0
- data/lib/fetchers/url.rb +6 -3
- data/lib/inspec/backend.rb +1 -0
- data/lib/inspec/base_cli.rb +4 -1
- data/lib/inspec/cli.rb +5 -4
- data/lib/inspec/config.rb +9 -1
- data/lib/inspec/control_eval_context.rb +1 -0
- data/lib/inspec/dependencies/cache.rb +1 -0
- data/lib/inspec/dependencies/dependency_set.rb +2 -0
- data/lib/inspec/dependencies/lockfile.rb +1 -0
- data/lib/inspec/dependencies/requirement.rb +8 -7
- data/lib/inspec/dependencies/resolver.rb +3 -3
- data/lib/inspec/describe.rb +1 -0
- data/lib/inspec/dsl.rb +1 -1
- data/lib/inspec/dsl_shared.rb +1 -1
- data/lib/inspec/env_printer.rb +4 -4
- data/lib/inspec/fetcher.rb +4 -2
- data/lib/inspec/file_provider.rb +18 -8
- data/lib/inspec/formatters/base.rb +5 -0
- data/lib/inspec/impact.rb +2 -0
- data/lib/inspec/input_registry.rb +14 -13
- data/lib/inspec/metadata.rb +6 -2
- data/lib/inspec/method_source.rb +1 -1
- data/lib/inspec/objects/control.rb +4 -1
- data/lib/inspec/objects/describe.rb +3 -1
- data/lib/inspec/objects/input.rb +6 -5
- data/lib/inspec/objects/list.rb +2 -0
- data/lib/inspec/objects/test.rb +3 -2
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +7 -0
- data/lib/inspec/plugin/v1/plugins.rb +4 -3
- data/lib/inspec/plugin/v1/registry.rb +3 -2
- data/lib/inspec/plugin/v2.rb +1 -0
- data/lib/inspec/plugin/v2/activator.rb +2 -0
- data/lib/inspec/plugin/v2/config_file.rb +4 -1
- data/lib/inspec/plugin/v2/filter.rb +1 -0
- data/lib/inspec/plugin/v2/installer.rb +9 -7
- data/lib/inspec/plugin/v2/loader.rb +2 -0
- data/lib/inspec/plugin/v2/plugin_base.rb +1 -0
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +2 -2
- data/lib/inspec/plugin/v2/registry.rb +3 -1
- data/lib/inspec/profile.rb +13 -6
- data/lib/inspec/profile_context.rb +4 -2
- data/lib/inspec/reporters/cli.rb +14 -10
- data/lib/inspec/reporters/json.rb +1 -0
- data/lib/inspec/reporters/json_automate.rb +3 -0
- data/lib/inspec/reporters/json_min.rb +2 -0
- data/lib/inspec/resource.rb +2 -0
- data/lib/inspec/resources/aide_conf.rb +4 -3
- data/lib/inspec/resources/apache_conf.rb +1 -1
- data/lib/inspec/resources/apt.rb +2 -0
- data/lib/inspec/resources/auditd.rb +19 -18
- data/lib/inspec/resources/bridge.rb +5 -2
- data/lib/inspec/resources/chocolatey_package.rb +2 -0
- data/lib/inspec/resources/command.rb +1 -1
- data/lib/inspec/resources/crontab.rb +9 -8
- data/lib/inspec/resources/csv.rb +1 -1
- data/lib/inspec/resources/dh_params.rb +6 -0
- data/lib/inspec/resources/docker.rb +37 -34
- data/lib/inspec/resources/docker_container.rb +1 -0
- data/lib/inspec/resources/docker_image.rb +1 -0
- data/lib/inspec/resources/docker_plugin.rb +1 -0
- data/lib/inspec/resources/docker_service.rb +1 -0
- data/lib/inspec/resources/elasticsearch.rb +24 -24
- data/lib/inspec/resources/etc_fstab.rb +8 -7
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts.rb +4 -4
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -3
- data/lib/inspec/resources/file.rb +4 -1
- data/lib/inspec/resources/filesystem.rb +5 -3
- data/lib/inspec/resources/firewalld.rb +7 -4
- data/lib/inspec/resources/groups.rb +6 -4
- data/lib/inspec/resources/grub_conf.rb +3 -0
- data/lib/inspec/resources/host.rb +5 -3
- data/lib/inspec/resources/http.rb +6 -4
- data/lib/inspec/resources/iis_app.rb +1 -0
- data/lib/inspec/resources/iis_app_pool.rb +1 -1
- data/lib/inspec/resources/iis_site.rb +4 -3
- data/lib/inspec/resources/interface.rb +10 -7
- data/lib/inspec/resources/json.rb +1 -1
- data/lib/inspec/resources/kernel_module.rb +1 -1
- data/lib/inspec/resources/kernel_parameter.rb +2 -1
- data/lib/inspec/resources/key_rsa.rb +5 -0
- data/lib/inspec/resources/mount.rb +3 -1
- data/lib/inspec/resources/mysql_conf.rb +3 -1
- data/lib/inspec/resources/mysql_session.rb +2 -0
- data/lib/inspec/resources/nginx.rb +1 -0
- data/lib/inspec/resources/nginx_conf.rb +10 -6
- data/lib/inspec/resources/ntp_conf.rb +1 -0
- data/lib/inspec/resources/oneget.rb +1 -1
- data/lib/inspec/resources/oracledb_session.rb +4 -2
- data/lib/inspec/resources/os_env.rb +1 -0
- data/lib/inspec/resources/package.rb +10 -6
- data/lib/inspec/resources/packages.rb +7 -5
- data/lib/inspec/resources/passwd.rb +7 -7
- data/lib/inspec/resources/pip.rb +2 -0
- data/lib/inspec/resources/port.rb +22 -8
- data/lib/inspec/resources/postgres.rb +2 -1
- data/lib/inspec/resources/postgres_conf.rb +2 -0
- data/lib/inspec/resources/postgres_hba_conf.rb +6 -6
- data/lib/inspec/resources/postgres_ident_conf.rb +3 -3
- data/lib/inspec/resources/processes.rb +16 -15
- data/lib/inspec/resources/rabbitmq_config.rb +2 -0
- data/lib/inspec/resources/registry_key.rb +8 -3
- data/lib/inspec/resources/security_identifier.rb +3 -1
- data/lib/inspec/resources/security_policy.rb +2 -1
- data/lib/inspec/resources/service.rb +13 -1
- data/lib/inspec/resources/shadow.rb +1 -0
- data/lib/inspec/resources/ssh_config.rb +2 -0
- data/lib/inspec/resources/ssl.rb +12 -11
- data/lib/inspec/resources/users.rb +29 -19
- data/lib/inspec/resources/virtualization.rb +10 -0
- data/lib/inspec/resources/windows_feature.rb +1 -1
- data/lib/inspec/resources/windows_hotfix.rb +2 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +2 -1
- data/lib/inspec/resources/x509_certificate.rb +8 -0
- data/lib/inspec/resources/xinetd_conf.rb +10 -9
- data/lib/inspec/resources/yum.rb +15 -11
- data/lib/inspec/resources/zfs_dataset.rb +4 -2
- data/lib/inspec/resources/zfs_pool.rb +2 -1
- data/lib/inspec/rule.rb +11 -1
- data/lib/inspec/runner.rb +9 -6
- data/lib/inspec/runner_rspec.rb +10 -8
- data/lib/inspec/schema.rb +1 -0
- data/lib/inspec/secrets.rb +1 -0
- data/lib/inspec/secrets/yaml.rb +1 -0
- data/lib/inspec/shell.rb +20 -19
- data/lib/inspec/shell_detector.rb +1 -1
- data/lib/inspec/source_reader.rb +2 -0
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/deprecation/config_file.rb +8 -4
- data/lib/inspec/utils/erlang_parser.rb +2 -0
- data/lib/inspec/utils/file_reader.rb +1 -1
- data/lib/inspec/utils/filter.rb +16 -3
- data/lib/inspec/utils/find_files.rb +2 -2
- data/lib/inspec/utils/object_traversal.rb +1 -0
- data/lib/inspec/utils/parser.rb +2 -0
- data/lib/inspec/utils/simpleconfig.rb +4 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +4 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +12 -11
- data/lib/plugins/inspec-artifact/test/functional/inspec_artifact_test.rb +3 -3
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +15 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +4 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +13 -12
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +3 -0
- data/lib/plugins/inspec-compliance/test/unit/api_test.rb +28 -28
- data/lib/plugins/inspec-compliance/test/unit/target_test.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +1 -1
- data/lib/plugins/inspec-habitat/test/unit/profile_test.rb +7 -6
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +2 -2
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +1 -0
- data/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb +12 -10
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +6 -5
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +1 -0
- data/lib/plugins/shared/core_plugin_test_helper.rb +1 -0
- data/lib/resource_support/aws/aws_resource_mixin.rb +3 -2
- data/lib/resources/aws/aws_billing_report.rb +1 -1
- data/lib/resources/aws/aws_billing_reports.rb +8 -7
- data/lib/resources/aws/aws_cloudtrail_trail.rb +1 -1
- data/lib/resources/aws/aws_cloudtrail_trails.rb +1 -0
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +4 -3
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +2 -1
- data/lib/resources/aws/aws_config_delivery_channel.rb +1 -1
- data/lib/resources/aws/aws_config_recorder.rb +2 -0
- data/lib/resources/aws/aws_ebs_volume.rb +1 -0
- data/lib/resources/aws/aws_ebs_volumes.rb +2 -0
- data/lib/resources/aws/aws_ec2_instance.rb +2 -0
- data/lib/resources/aws/aws_ec2_instances.rb +2 -0
- data/lib/resources/aws/aws_ecs_cluster.rb +2 -2
- data/lib/resources/aws/aws_eks_cluster.rb +3 -3
- data/lib/resources/aws/aws_elb.rb +2 -2
- data/lib/resources/aws/aws_elbs.rb +14 -12
- data/lib/resources/aws/aws_flow_log.rb +2 -2
- data/lib/resources/aws/aws_iam_access_key.rb +3 -1
- data/lib/resources/aws/aws_iam_access_keys.rb +18 -16
- data/lib/resources/aws/aws_iam_groups.rb +1 -0
- data/lib/resources/aws/aws_iam_password_policy.rb +9 -7
- data/lib/resources/aws/aws_iam_policies.rb +2 -1
- data/lib/resources/aws/aws_iam_policy.rb +10 -1
- data/lib/resources/aws/aws_iam_role.rb +1 -0
- data/lib/resources/aws/aws_iam_user.rb +5 -2
- data/lib/resources/aws/aws_iam_users.rb +12 -11
- data/lib/resources/aws/aws_kms_key.rb +2 -2
- data/lib/resources/aws/aws_kms_keys.rb +3 -1
- data/lib/resources/aws/aws_route_table.rb +2 -2
- data/lib/resources/aws/aws_route_tables.rb +2 -1
- data/lib/resources/aws/aws_s3_bucket.rb +5 -3
- data/lib/resources/aws/aws_s3_bucket_object.rb +3 -1
- data/lib/resources/aws/aws_s3_buckets.rb +1 -0
- data/lib/resources/aws/aws_security_group.rb +20 -9
- data/lib/resources/aws/aws_security_groups.rb +1 -0
- data/lib/resources/aws/aws_sns_subscription.rb +1 -1
- data/lib/resources/aws/aws_sns_topics.rb +2 -0
- data/lib/resources/aws/aws_subnet.rb +2 -2
- data/lib/resources/aws/aws_subnets.rb +4 -3
- data/lib/resources/aws/aws_vpc.rb +1 -1
- data/lib/resources/aws/aws_vpcs.rb +3 -2
- data/lib/resources/azure/azure_generic_resource.rb +4 -4
- data/lib/resources/azure/azure_resource_group.rb +1 -0
- data/lib/resources/azure/azure_virtual_machine_data_disk.rb +13 -12
- data/lib/source_readers/flat.rb +1 -0
- data/lib/source_readers/inspec.rb +1 -0
- metadata +2 -2
@@ -23,12 +23,13 @@ class AwsCloudwatchAlarm < Inspec.resource(1)
|
|
23
23
|
def validate_params(raw_params)
|
24
24
|
recognized_params = check_resource_param_names(
|
25
25
|
raw_params: raw_params,
|
26
|
-
allowed_params:
|
26
|
+
allowed_params: %i{metric_name metric_namespace}
|
27
27
|
)
|
28
28
|
validated_params = {}
|
29
29
|
# Currently you must specify exactly metric_name and metric_namespace
|
30
|
-
|
30
|
+
%i{metric_name metric_namespace}.each do |param|
|
31
31
|
raise ArgumentError, "Missing resource param #{param}" unless recognized_params.key?(param)
|
32
|
+
|
32
33
|
validated_params[param] = recognized_params.delete(param)
|
33
34
|
end
|
34
35
|
|
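Review bot: The required-parameter list `%i{metric_name metric_namespace}` now appears twice in validate_params, once as the `allowed_params:` value and once as the receiver of the `.each` loop, so the allow-list and the required-set check can drift apart if a parameter is ever added. Hoisting it into one frozen class-level constant such as `REQUIRED_PARAMS = %i{metric_name metric_namespace}.freeze` and writing `allowed_params: REQUIRED_PARAMS` and `REQUIRED_PARAMS.each do |param|` keeps both in one place. validate_params continues past the end of the hunk.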
@@ -45,7 +46,7 @@ class AwsCloudwatchAlarm < Inspec.resource(1)
|
|
45
46
|
elsif aws_alarms.metric_alarms.count > 1
|
46
47
|
alarms = aws_alarms.metric_alarms.map(&:alarm_name)
|
47
48
|
raise "More than one Cloudwatch Alarm was matched. Try using " \
|
48
|
-
"more specific resource parameters. Alarms matched: #{alarms.join(
|
49
|
+
"more specific resource parameters. Alarms matched: #{alarms.join(", ")}"
|
49
50
|
else
|
50
51
|
@alarm_actions = aws_alarms.metric_alarms.first.alarm_actions
|
51
52
|
@alarm_name = aws_alarms.metric_alarms.first.alarm_name
|
@@ -33,11 +33,12 @@ class AwsCloudwatchLogMetricFilter < Inspec.resource(1)
|
|
33
33
|
def validate_params(raw_params)
|
34
34
|
validated_params = check_resource_param_names(
|
35
35
|
raw_params: raw_params,
|
36
|
-
allowed_params:
|
36
|
+
allowed_params: %i{filter_name log_group_name pattern}
|
37
37
|
)
|
38
38
|
if validated_params.empty?
|
39
39
|
raise ArgumentError, "You must provide either filter_name, log_group, or pattern to aws_cloudwatch_log_metric_filter."
|
40
40
|
end
|
41
|
+
|
41
42
|
validated_params
|
42
43
|
end
|
43
44
|
|
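Review bot: The error raised when validated_params is empty tells the user to provide `log_group`, while the allow-list rewritten two lines above accepts `log_group_name`, so a user who follows the message will pass a parameter that check_resource_param_names then rejects. Unless `log_group` is accepted as an alias somewhere outside this hunk, the message should read `raise ArgumentError, "You must provide either filter_name, log_group_name, or pattern to aws_cloudwatch_log_metric_filter."`. The mismatch predates this commit, but since the commit already rewrites the allow-list line this is the natural place to align the two.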
@@ -16,7 +16,7 @@ class AwsConfigDeliveryChannel < Inspec.resource(1)
|
|
16
16
|
|
17
17
|
include AwsSingularResourceMixin
|
18
18
|
attr_reader :channel_name, :s3_bucket_name, :s3_key_prefix, :sns_topic_arn,
|
19
|
-
|
19
|
+
:delivery_frequency_in_hours
|
20
20
|
|
21
21
|
def to_s
|
22
22
|
"Config_Delivery_Channel: #{@channel_name}"
|
@@ -32,6 +32,7 @@ class AwsConfigurationRecorder < Inspec.resource(1)
|
|
32
32
|
|
33
33
|
def status
|
34
34
|
return {} unless @exists
|
35
|
+
|
35
36
|
backend = BackendFactory.create(inspec_runner)
|
36
37
|
catch_aws_errors do
|
37
38
|
response = backend.describe_configuration_recorder_status(configuration_recorder_names: [@recorder_name])
|
@@ -41,6 +42,7 @@ class AwsConfigurationRecorder < Inspec.resource(1)
|
|
41
42
|
|
42
43
|
def recording?
|
43
44
|
return unless @exists
|
45
|
+
|
44
46
|
status[:recording]
|
45
47
|
end
|
46
48
|
|
@@ -17,6 +17,7 @@ class AwsEbsVolumes < Inspec.resource(1)
|
|
17
17
|
unless resource_params.empty?
|
18
18
|
raise ArgumentError, "aws_ebs_volumes does not accept resource parameters."
|
19
19
|
end
|
20
|
+
|
20
21
|
resource_params
|
21
22
|
end
|
22
23
|
|
@@ -38,6 +39,7 @@ class AwsEbsVolumes < Inspec.resource(1)
|
|
38
39
|
api_result = backend.describe_volumes(pagination_opts)
|
39
40
|
@table += unpack_describe_volumes_response(api_result.volumes)
|
40
41
|
break unless api_result.next_token
|
42
|
+
|
41
43
|
pagination_opts = { next_token: api_result.next_token }
|
42
44
|
end
|
43
45
|
end
|
@@ -55,6 +55,7 @@ class AwsEc2Instance < Inspec.resource(1)
|
|
55
55
|
|
56
56
|
def id
|
57
57
|
return @instance_id if defined?(@instance_id)
|
58
|
+
|
58
59
|
catch_aws_errors do
|
59
60
|
if @opts.is_a?(Hash)
|
60
61
|
first = @ec2_resource.instances(
|
@@ -76,6 +77,7 @@ class AwsEc2Instance < Inspec.resource(1)
|
|
76
77
|
|
77
78
|
def exists?
|
78
79
|
return false if instance.nil?
|
80
|
+
|
79
81
|
instance.exists?
|
80
82
|
end
|
81
83
|
|
@@ -17,6 +17,7 @@ class AwsEc2Instances < Inspec.resource(1)
|
|
17
17
|
unless resource_params.empty?
|
18
18
|
raise ArgumentError, "aws_ec2_instances does not accept resource parameters."
|
19
19
|
end
|
20
|
+
|
20
21
|
resource_params
|
21
22
|
end
|
22
23
|
|
@@ -38,6 +39,7 @@ class AwsEc2Instances < Inspec.resource(1)
|
|
38
39
|
api_result = backend.describe_instances(pagination_opts)
|
39
40
|
@table += unpack_describe_instances_response(api_result.reservations)
|
40
41
|
break unless api_result.next_token
|
42
|
+
|
41
43
|
pagination_opts = { next_token: api_result.next_token }
|
42
44
|
end
|
43
45
|
end
|
@@ -15,8 +15,8 @@ class AwsEcsCluster < Inspec.resource(1)
|
|
15
15
|
|
16
16
|
include AwsSingularResourceMixin
|
17
17
|
attr_reader :cluster_arn, :cluster_name, :status,
|
18
|
-
|
19
|
-
|
18
|
+
:registered_container_instances_count, :running_tasks_count,
|
19
|
+
:pending_tasks_count, :active_services_count, :statistics
|
20
20
|
|
21
21
|
def to_s
|
22
22
|
"AWS ECS cluster #{cluster_name}"
|
@@ -15,9 +15,9 @@ class AwsEksCluster < Inspec.resource(1)
|
|
15
15
|
|
16
16
|
include AwsSingularResourceMixin
|
17
17
|
attr_reader :version, :arn, :cluster_name, :certificate_authority, :name,
|
18
|
-
|
19
|
-
|
20
|
-
|
18
|
+
:status, :endpoint, :subnets_count, :subnet_ids, :security_group_ids,
|
19
|
+
:created_at, :role_arn, :vpc_id, :security_groups_count, :creating,
|
20
|
+
:active, :failed, :deleting
|
21
21
|
# Use aliases for matchers
|
22
22
|
alias active? active
|
23
23
|
alias failed? failed
|
@@ -14,8 +14,8 @@ class AwsElb < Inspec.resource(1)
|
|
14
14
|
|
15
15
|
include AwsSingularResourceMixin
|
16
16
|
attr_reader :availability_zones, :dns_name, :elb_name, :external_ports,
|
17
|
-
|
18
|
-
|
17
|
+
:instance_ids, :internal_ports, :security_group_ids,
|
18
|
+
:subnet_ids, :vpc_id
|
19
19
|
|
20
20
|
def to_s
|
21
21
|
"AWS ELB #{elb_name}"
|
@@ -17,24 +17,25 @@ class AwsElbs < Inspec.resource(1)
|
|
17
17
|
unless resource_params.empty?
|
18
18
|
raise ArgumentError, "aws_elbs does not accept resource parameters."
|
19
19
|
end
|
20
|
+
|
20
21
|
resource_params
|
21
22
|
end
|
22
23
|
|
23
24
|
# Underlying FilterTable implementation.
|
24
25
|
filter = FilterTable.create
|
25
26
|
filter.add_accessor(:entries)
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
27
|
+
.add_accessor(:where)
|
28
|
+
.add(:exists?) { |table| !table.params.empty? }
|
29
|
+
.add(:count) { |table| table.params.count }
|
30
|
+
.add(:availability_zones, field: :availability_zones, style: :simple)
|
31
|
+
.add(:dns_names, field: :dns_name)
|
32
|
+
.add(:external_ports, field: :external_ports, style: :simple)
|
33
|
+
.add(:instance_ids, field: :instance_ids, style: :simple)
|
34
|
+
.add(:internal_ports, field: :internal_ports, style: :simple)
|
35
|
+
.add(:elb_names, field: :elb_name)
|
36
|
+
.add(:security_group_ids, field: :security_group_ids, style: :simple)
|
37
|
+
.add(:subnet_ids, field: :subnet_ids, style: :simple)
|
38
|
+
.add(:vpc_ids, field: :vpc_id, style: :simple)
|
38
39
|
filter.connect(self, :table)
|
39
40
|
|
40
41
|
def to_s
|
@@ -49,6 +50,7 @@ class AwsElbs < Inspec.resource(1)
|
|
49
50
|
api_result = backend.describe_load_balancers(pagination_opts)
|
50
51
|
@table += unpack_describe_elbs_response(api_result.load_balancer_descriptions)
|
51
52
|
break unless api_result.next_marker
|
53
|
+
|
52
54
|
pagination_opts = { marker: api_result.next_marker }
|
53
55
|
end
|
54
56
|
end
|
@@ -48,14 +48,14 @@ class AwsFlowLog < Inspec.resource(1)
|
|
48
48
|
def validate_params(raw_params)
|
49
49
|
validated_params = check_resource_param_names(
|
50
50
|
raw_params: raw_params,
|
51
|
-
allowed_params:
|
51
|
+
allowed_params: %i{flow_log_id subnet_id vpc_id},
|
52
52
|
allowed_scalar_name: :flow_log_id,
|
53
53
|
allowed_scalar_type: String
|
54
54
|
)
|
55
55
|
|
56
56
|
if validated_params.empty?
|
57
57
|
raise ArgumentError,
|
58
|
-
|
58
|
+
"aws_flow_log requires a parameter: flow_log_id, subnet_id, or vpc_id"
|
59
59
|
end
|
60
60
|
|
61
61
|
validated_params
|
@@ -22,7 +22,7 @@ class AwsIamAccessKey < Inspec.resource(1)
|
|
22
22
|
def validate_params(raw_params)
|
23
23
|
recognized_params = check_resource_param_names(
|
24
24
|
raw_params: raw_params,
|
25
|
-
allowed_params:
|
25
|
+
allowed_params: %i{username id access_key_id},
|
26
26
|
allowed_scalar_name: :access_key_id,
|
27
27
|
allowed_scalar_type: String
|
28
28
|
)
|
@@ -47,6 +47,7 @@ class AwsIamAccessKey < Inspec.resource(1)
|
|
47
47
|
|
48
48
|
def active?
|
49
49
|
return nil unless exists?
|
50
|
+
|
50
51
|
status == "Active"
|
51
52
|
end
|
52
53
|
|
@@ -57,6 +58,7 @@ class AwsIamAccessKey < Inspec.resource(1)
|
|
57
58
|
def last_used_date
|
58
59
|
return nil unless exists?
|
59
60
|
return @last_used_date if defined? @last_used_date
|
61
|
+
|
60
62
|
backend = BackendFactory.create(inspec_runner)
|
61
63
|
catch_aws_errors do
|
62
64
|
@last_used_date = backend.get_access_key_last_used({ access_key_id: access_key_id }).access_key_last_used.last_used_date
|
@@ -17,7 +17,7 @@ class AwsIamAccessKeys < Inspec.resource(1)
|
|
17
17
|
def validate_params(raw_params)
|
18
18
|
recognized_params = check_resource_param_names(
|
19
19
|
raw_params: raw_params,
|
20
|
-
allowed_params:
|
20
|
+
allowed_params: %i{username id access_key_id created_date},
|
21
21
|
allowed_scalar_name: :access_key_id,
|
22
22
|
allowed_scalar_type: String
|
23
23
|
)
|
@@ -44,19 +44,19 @@ class AwsIamAccessKeys < Inspec.resource(1)
|
|
44
44
|
filter = FilterTable.create
|
45
45
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
46
46
|
filter.register_column(:access_key_ids, field: :access_key_id)
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
47
|
+
.register_column(:created_date, field: :create_date)
|
48
|
+
.register_column(:created_days_ago, field: :created_days_ago)
|
49
|
+
.register_column(:created_with_user, field: :created_with_user)
|
50
|
+
.register_column(:created_hours_ago, field: :created_hours_ago)
|
51
|
+
.register_column(:usernames, field: :username)
|
52
|
+
.register_column(:active, field: :active)
|
53
|
+
.register_column(:inactive, field: :inactive)
|
54
|
+
.register_column(:last_used_date, field: :last_used_date)
|
55
|
+
.register_column(:last_used_hours_ago, field: :last_used_hours_ago)
|
56
|
+
.register_column(:last_used_days_ago, field: :last_used_days_ago)
|
57
|
+
.register_column(:ever_used, field: :ever_used)
|
58
|
+
.register_column(:never_used, field: :never_used)
|
59
|
+
.register_column(:user_created_date, field: :user_created_date)
|
60
60
|
filter.install_filter_methods_on_resource(self, :table)
|
61
61
|
|
62
62
|
def to_s
|
@@ -94,6 +94,7 @@ class AwsIamAccessKeys < Inspec.resource(1)
|
|
94
94
|
user_details[info.user_name] = info
|
95
95
|
end
|
96
96
|
break unless api_result.is_truncated
|
97
|
+
|
97
98
|
pagination_opts[:marker] = api_result.marker
|
98
99
|
end
|
99
100
|
end
|
@@ -102,7 +103,7 @@ class AwsIamAccessKeys < Inspec.resource(1)
|
|
102
103
|
user_details.each_key do |username|
|
103
104
|
begin
|
104
105
|
user_keys = iam_client.list_access_keys(user_name: username)
|
105
|
-
|
106
|
+
.access_key_metadata
|
106
107
|
user_keys = user_keys.map do |metadata|
|
107
108
|
{
|
108
109
|
access_key_id: metadata.access_key_id,
|
@@ -138,11 +139,12 @@ class AwsIamAccessKeys < Inspec.resource(1)
|
|
138
139
|
iam_client = aws_service_client
|
139
140
|
last_used =
|
140
141
|
iam_client.get_access_key_last_used(access_key_id: key_info[:access_key_id])
|
141
|
-
|
142
|
+
.access_key_last_used.last_used_date
|
142
143
|
key_info[:ever_used] = !last_used.nil?
|
143
144
|
key_info[:never_used] = last_used.nil?
|
144
145
|
key_info[:last_used_time] = last_used
|
145
146
|
return unless last_used
|
147
|
+
|
146
148
|
key_info[:last_used_hours_ago] = ((Time.now - last_used) / (60 * 60)).to_i
|
147
149
|
key_info[:last_used_days_ago] = (key_info[:last_used_hours_ago] / 24).to_i
|
148
150
|
end
|
@@ -77,23 +77,25 @@ class AwsIamPasswordPolicy < Inspec.resource(1)
|
|
77
77
|
|
78
78
|
def max_password_age_in_days
|
79
79
|
raise "this policy does not expire passwords" unless expire_passwords?
|
80
|
+
|
80
81
|
@policy.max_password_age
|
81
82
|
end
|
82
83
|
|
83
84
|
def number_of_passwords_to_remember
|
84
85
|
raise "this policy does not prevent password reuse" \
|
85
86
|
unless prevent_password_reuse?
|
87
|
+
|
86
88
|
@policy.password_reuse_prevention
|
87
89
|
end
|
88
90
|
|
89
91
|
#-------------------------- Matchers ----------------------------#
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
92
|
+
%i{
|
93
|
+
require_lowercase_characters
|
94
|
+
require_uppercase_characters
|
95
|
+
require_symbols
|
96
|
+
require_numbers
|
97
|
+
expire_passwords
|
98
|
+
}.each do |matcher_stem|
|
97
99
|
# Create our predicates (for example, 'require_symbols?')
|
98
100
|
stem_with_question_mark = (matcher_stem.to_s + "?").to_sym
|
99
101
|
define_method stem_with_question_mark do
|
@@ -17,6 +17,7 @@ class AwsIamPolicies < Inspec.resource(1)
|
|
17
17
|
unless resource_params.empty?
|
18
18
|
raise ArgumentError, "aws_iam_policies does not accept resource parameters."
|
19
19
|
end
|
20
|
+
|
20
21
|
resource_params
|
21
22
|
end
|
22
23
|
|
@@ -24,7 +25,7 @@ class AwsIamPolicies < Inspec.resource(1)
|
|
24
25
|
filter = FilterTable.create
|
25
26
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
26
27
|
filter.register_column(:policy_names, field: :policy_name)
|
27
|
-
|
28
|
+
.register_column(:arns, field: :arn)
|
28
29
|
filter.install_filter_methods_on_resource(self, :table)
|
29
30
|
|
30
31
|
def to_s
|
@@ -46,18 +46,21 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
46
46
|
|
47
47
|
def attached_users
|
48
48
|
return @attached_users if defined? @attached_users
|
49
|
+
|
49
50
|
fetch_attached_entities
|
50
51
|
@attached_users
|
51
52
|
end
|
52
53
|
|
53
54
|
def attached_groups
|
54
55
|
return @attached_groups if defined? @attached_groups
|
56
|
+
|
55
57
|
fetch_attached_entities
|
56
58
|
@attached_groups
|
57
59
|
end
|
58
60
|
|
59
61
|
def attached_roles
|
60
62
|
return @attached_roles if defined? @attached_roles
|
63
|
+
|
61
64
|
fetch_attached_entities
|
62
65
|
@attached_roles
|
63
66
|
end
|
@@ -88,6 +91,7 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
88
91
|
|
89
92
|
def statement_count
|
90
93
|
return nil unless exists?
|
94
|
+
|
91
95
|
# Typically it is an array of statements
|
92
96
|
if policy["Statement"].is_a? Array
|
93
97
|
policy["Statement"].count
|
@@ -100,6 +104,7 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
100
104
|
|
101
105
|
def has_statement?(provided_criteria = {})
|
102
106
|
return nil unless exists?
|
107
|
+
|
103
108
|
raw_criteria = provided_criteria.dup # provided_criteria is used for output formatting - can't delete from it.
|
104
109
|
criteria = has_statement__validate_criteria(raw_criteria)
|
105
110
|
@normalized_statements ||= has_statement__normalize_statements
|
@@ -146,7 +151,7 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
146
151
|
|
147
152
|
# If anything is left, it's spurious
|
148
153
|
unless raw_criteria.empty?
|
149
|
-
raise ArgumentError, "Unrecognized criteria #{raw_criteria.keys.join(
|
154
|
+
raise ArgumentError, "Unrecognized criteria #{raw_criteria.keys.join(", ")} to have_statement. Recognized criteria: #{EXPECTED_CRITERIA.join(", ")}"
|
150
155
|
end
|
151
156
|
|
152
157
|
# Effect has only 2 permitted values
|
@@ -184,6 +189,7 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
184
189
|
|
185
190
|
def has_statement__focus_on_sid(statements, criteria)
|
186
191
|
return statements unless criteria.key?(:sid)
|
192
|
+
|
187
193
|
sid_seek = criteria[:sid]
|
188
194
|
statements.select do |statement|
|
189
195
|
if sid_seek.is_a? Regexp
|
@@ -200,6 +206,7 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
200
206
|
|
201
207
|
def has_statement__array_criterion(crit_name, statement, criteria)
|
202
208
|
return true unless criteria.key?(crit_name)
|
209
|
+
|
203
210
|
check = criteria[crit_name]
|
204
211
|
# This is an array due to normalize_statements
|
205
212
|
# If it is nil, the statement does not have an entry for that dimension;
|
@@ -252,12 +259,14 @@ class AwsIamPolicy < Inspec.resource(1)
|
|
252
259
|
end
|
253
260
|
break if policy # Found it!
|
254
261
|
break unless api_result.is_truncated # Not found and no more results
|
262
|
+
|
255
263
|
pagination_opts[:marker] = api_result.marker
|
256
264
|
end
|
257
265
|
|
258
266
|
@exists = !policy.nil?
|
259
267
|
|
260
268
|
return unless @exists
|
269
|
+
|
261
270
|
@arn = policy[:arn]
|
262
271
|
@default_version_id = policy[:default_version_id]
|
263
272
|
@attachment_count = policy[:attachment_count]
|