inspec 4.7.3 → 4.7.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/inspec.gemspec +1 -1
- data/lib/bundles/inspec-supermarket/api.rb +2 -1
- data/lib/bundles/inspec-supermarket/cli.rb +6 -6
- data/lib/bundles/inspec-supermarket/target.rb +1 -0
- data/lib/fetchers/git.rb +3 -1
- data/lib/fetchers/mock.rb +1 -0
- data/lib/fetchers/url.rb +6 -3
- data/lib/inspec/backend.rb +1 -0
- data/lib/inspec/base_cli.rb +4 -1
- data/lib/inspec/cli.rb +5 -4
- data/lib/inspec/config.rb +9 -1
- data/lib/inspec/control_eval_context.rb +1 -0
- data/lib/inspec/dependencies/cache.rb +1 -0
- data/lib/inspec/dependencies/dependency_set.rb +2 -0
- data/lib/inspec/dependencies/lockfile.rb +1 -0
- data/lib/inspec/dependencies/requirement.rb +8 -7
- data/lib/inspec/dependencies/resolver.rb +3 -3
- data/lib/inspec/describe.rb +1 -0
- data/lib/inspec/dsl.rb +1 -1
- data/lib/inspec/dsl_shared.rb +1 -1
- data/lib/inspec/env_printer.rb +4 -4
- data/lib/inspec/fetcher.rb +4 -2
- data/lib/inspec/file_provider.rb +18 -8
- data/lib/inspec/formatters/base.rb +5 -0
- data/lib/inspec/impact.rb +2 -0
- data/lib/inspec/input_registry.rb +14 -13
- data/lib/inspec/metadata.rb +6 -2
- data/lib/inspec/method_source.rb +1 -1
- data/lib/inspec/objects/control.rb +4 -1
- data/lib/inspec/objects/describe.rb +3 -1
- data/lib/inspec/objects/input.rb +6 -5
- data/lib/inspec/objects/list.rb +2 -0
- data/lib/inspec/objects/test.rb +3 -2
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +7 -0
- data/lib/inspec/plugin/v1/plugins.rb +4 -3
- data/lib/inspec/plugin/v1/registry.rb +3 -2
- data/lib/inspec/plugin/v2.rb +1 -0
- data/lib/inspec/plugin/v2/activator.rb +2 -0
- data/lib/inspec/plugin/v2/config_file.rb +4 -1
- data/lib/inspec/plugin/v2/filter.rb +1 -0
- data/lib/inspec/plugin/v2/installer.rb +9 -7
- data/lib/inspec/plugin/v2/loader.rb +2 -0
- data/lib/inspec/plugin/v2/plugin_base.rb +1 -0
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +2 -2
- data/lib/inspec/plugin/v2/registry.rb +3 -1
- data/lib/inspec/profile.rb +13 -6
- data/lib/inspec/profile_context.rb +4 -2
- data/lib/inspec/reporters/cli.rb +14 -10
- data/lib/inspec/reporters/json.rb +1 -0
- data/lib/inspec/reporters/json_automate.rb +3 -0
- data/lib/inspec/reporters/json_min.rb +2 -0
- data/lib/inspec/resource.rb +2 -0
- data/lib/inspec/resources/aide_conf.rb +4 -3
- data/lib/inspec/resources/apache_conf.rb +1 -1
- data/lib/inspec/resources/apt.rb +2 -0
- data/lib/inspec/resources/auditd.rb +19 -18
- data/lib/inspec/resources/bridge.rb +5 -2
- data/lib/inspec/resources/chocolatey_package.rb +2 -0
- data/lib/inspec/resources/command.rb +1 -1
- data/lib/inspec/resources/crontab.rb +9 -8
- data/lib/inspec/resources/csv.rb +1 -1
- data/lib/inspec/resources/dh_params.rb +6 -0
- data/lib/inspec/resources/docker.rb +37 -34
- data/lib/inspec/resources/docker_container.rb +1 -0
- data/lib/inspec/resources/docker_image.rb +1 -0
- data/lib/inspec/resources/docker_plugin.rb +1 -0
- data/lib/inspec/resources/docker_service.rb +1 -0
- data/lib/inspec/resources/elasticsearch.rb +24 -24
- data/lib/inspec/resources/etc_fstab.rb +8 -7
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts.rb +4 -4
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -3
- data/lib/inspec/resources/file.rb +4 -1
- data/lib/inspec/resources/filesystem.rb +5 -3
- data/lib/inspec/resources/firewalld.rb +7 -4
- data/lib/inspec/resources/groups.rb +6 -4
- data/lib/inspec/resources/grub_conf.rb +3 -0
- data/lib/inspec/resources/host.rb +5 -3
- data/lib/inspec/resources/http.rb +6 -4
- data/lib/inspec/resources/iis_app.rb +1 -0
- data/lib/inspec/resources/iis_app_pool.rb +1 -1
- data/lib/inspec/resources/iis_site.rb +4 -3
- data/lib/inspec/resources/interface.rb +10 -7
- data/lib/inspec/resources/json.rb +1 -1
- data/lib/inspec/resources/kernel_module.rb +1 -1
- data/lib/inspec/resources/kernel_parameter.rb +2 -1
- data/lib/inspec/resources/key_rsa.rb +5 -0
- data/lib/inspec/resources/mount.rb +3 -1
- data/lib/inspec/resources/mysql_conf.rb +3 -1
- data/lib/inspec/resources/mysql_session.rb +2 -0
- data/lib/inspec/resources/nginx.rb +1 -0
- data/lib/inspec/resources/nginx_conf.rb +10 -6
- data/lib/inspec/resources/ntp_conf.rb +1 -0
- data/lib/inspec/resources/oneget.rb +1 -1
- data/lib/inspec/resources/oracledb_session.rb +4 -2
- data/lib/inspec/resources/os_env.rb +1 -0
- data/lib/inspec/resources/package.rb +10 -6
- data/lib/inspec/resources/packages.rb +7 -5
- data/lib/inspec/resources/passwd.rb +7 -7
- data/lib/inspec/resources/pip.rb +2 -0
- data/lib/inspec/resources/port.rb +22 -8
- data/lib/inspec/resources/postgres.rb +2 -1
- data/lib/inspec/resources/postgres_conf.rb +2 -0
- data/lib/inspec/resources/postgres_hba_conf.rb +6 -6
- data/lib/inspec/resources/postgres_ident_conf.rb +3 -3
- data/lib/inspec/resources/processes.rb +16 -15
- data/lib/inspec/resources/rabbitmq_config.rb +2 -0
- data/lib/inspec/resources/registry_key.rb +8 -3
- data/lib/inspec/resources/security_identifier.rb +3 -1
- data/lib/inspec/resources/security_policy.rb +2 -1
- data/lib/inspec/resources/service.rb +13 -1
- data/lib/inspec/resources/shadow.rb +1 -0
- data/lib/inspec/resources/ssh_config.rb +2 -0
- data/lib/inspec/resources/ssl.rb +12 -11
- data/lib/inspec/resources/users.rb +29 -19
- data/lib/inspec/resources/virtualization.rb +10 -0
- data/lib/inspec/resources/windows_feature.rb +1 -1
- data/lib/inspec/resources/windows_hotfix.rb +2 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +2 -1
- data/lib/inspec/resources/x509_certificate.rb +8 -0
- data/lib/inspec/resources/xinetd_conf.rb +10 -9
- data/lib/inspec/resources/yum.rb +15 -11
- data/lib/inspec/resources/zfs_dataset.rb +4 -2
- data/lib/inspec/resources/zfs_pool.rb +2 -1
- data/lib/inspec/rule.rb +11 -1
- data/lib/inspec/runner.rb +9 -6
- data/lib/inspec/runner_rspec.rb +10 -8
- data/lib/inspec/schema.rb +1 -0
- data/lib/inspec/secrets.rb +1 -0
- data/lib/inspec/secrets/yaml.rb +1 -0
- data/lib/inspec/shell.rb +20 -19
- data/lib/inspec/shell_detector.rb +1 -1
- data/lib/inspec/source_reader.rb +2 -0
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/deprecation/config_file.rb +8 -4
- data/lib/inspec/utils/erlang_parser.rb +2 -0
- data/lib/inspec/utils/file_reader.rb +1 -1
- data/lib/inspec/utils/filter.rb +16 -3
- data/lib/inspec/utils/find_files.rb +2 -2
- data/lib/inspec/utils/object_traversal.rb +1 -0
- data/lib/inspec/utils/parser.rb +2 -0
- data/lib/inspec/utils/simpleconfig.rb +4 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +4 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +12 -11
- data/lib/plugins/inspec-artifact/test/functional/inspec_artifact_test.rb +3 -3
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +15 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +4 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +13 -12
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +3 -0
- data/lib/plugins/inspec-compliance/test/unit/api_test.rb +28 -28
- data/lib/plugins/inspec-compliance/test/unit/target_test.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +1 -1
- data/lib/plugins/inspec-habitat/test/unit/profile_test.rb +7 -6
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +2 -2
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +1 -0
- data/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb +12 -10
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +6 -5
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +1 -0
- data/lib/plugins/shared/core_plugin_test_helper.rb +1 -0
- data/lib/resource_support/aws/aws_resource_mixin.rb +3 -2
- data/lib/resources/aws/aws_billing_report.rb +1 -1
- data/lib/resources/aws/aws_billing_reports.rb +8 -7
- data/lib/resources/aws/aws_cloudtrail_trail.rb +1 -1
- data/lib/resources/aws/aws_cloudtrail_trails.rb +1 -0
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +4 -3
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +2 -1
- data/lib/resources/aws/aws_config_delivery_channel.rb +1 -1
- data/lib/resources/aws/aws_config_recorder.rb +2 -0
- data/lib/resources/aws/aws_ebs_volume.rb +1 -0
- data/lib/resources/aws/aws_ebs_volumes.rb +2 -0
- data/lib/resources/aws/aws_ec2_instance.rb +2 -0
- data/lib/resources/aws/aws_ec2_instances.rb +2 -0
- data/lib/resources/aws/aws_ecs_cluster.rb +2 -2
- data/lib/resources/aws/aws_eks_cluster.rb +3 -3
- data/lib/resources/aws/aws_elb.rb +2 -2
- data/lib/resources/aws/aws_elbs.rb +14 -12
- data/lib/resources/aws/aws_flow_log.rb +2 -2
- data/lib/resources/aws/aws_iam_access_key.rb +3 -1
- data/lib/resources/aws/aws_iam_access_keys.rb +18 -16
- data/lib/resources/aws/aws_iam_groups.rb +1 -0
- data/lib/resources/aws/aws_iam_password_policy.rb +9 -7
- data/lib/resources/aws/aws_iam_policies.rb +2 -1
- data/lib/resources/aws/aws_iam_policy.rb +10 -1
- data/lib/resources/aws/aws_iam_role.rb +1 -0
- data/lib/resources/aws/aws_iam_user.rb +5 -2
- data/lib/resources/aws/aws_iam_users.rb +12 -11
- data/lib/resources/aws/aws_kms_key.rb +2 -2
- data/lib/resources/aws/aws_kms_keys.rb +3 -1
- data/lib/resources/aws/aws_route_table.rb +2 -2
- data/lib/resources/aws/aws_route_tables.rb +2 -1
- data/lib/resources/aws/aws_s3_bucket.rb +5 -3
- data/lib/resources/aws/aws_s3_bucket_object.rb +3 -1
- data/lib/resources/aws/aws_s3_buckets.rb +1 -0
- data/lib/resources/aws/aws_security_group.rb +20 -9
- data/lib/resources/aws/aws_security_groups.rb +1 -0
- data/lib/resources/aws/aws_sns_subscription.rb +1 -1
- data/lib/resources/aws/aws_sns_topics.rb +2 -0
- data/lib/resources/aws/aws_subnet.rb +2 -2
- data/lib/resources/aws/aws_subnets.rb +4 -3
- data/lib/resources/aws/aws_vpc.rb +1 -1
- data/lib/resources/aws/aws_vpcs.rb +3 -2
- data/lib/resources/azure/azure_generic_resource.rb +4 -4
- data/lib/resources/azure/azure_resource_group.rb +1 -0
- data/lib/resources/azure/azure_virtual_machine_data_disk.rb +13 -12
- data/lib/source_readers/flat.rb +1 -0
- data/lib/source_readers/inspec.rb +1 -0
- metadata +2 -2
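--- a/data/lib/resources/aws/aws_iam_user.rb
+++ b/data/lib/resources/aws/aws_iam_user.rb
@@ -17,7 +17,7 @@ class AwsIamUser < Inspec.resource(1)
 
 include AwsSingularResourceMixin
 attr_reader :access_keys, :attached_policy_names, :attached_policy_arns, \
-
+:has_console_password, :has_mfa_enabled, :inline_policy_names, :username
 alias has_mfa_enabled? has_mfa_enabled
 alias has_console_password? has_console_password
 
@@ -32,11 +32,13 @@ class AwsIamUser < Inspec.resource(1)
 
 def has_attached_policies?
 return nil unless exists?
+
 !attached_policy_names.empty?
 end
 
 def has_inline_policies?
 return nil unless exists?
+
 !inline_policy_names.empty?
 end
 
@@ -45,7 +47,7 @@ class AwsIamUser < Inspec.resource(1)
 def validate_params(raw_params)
 validated_params = check_resource_param_names(
 raw_params: raw_params,
-allowed_params:
+allowed_params: %i{username aws_user_struct name user},
 allowed_scalar_name: :username,
 allowed_scalar_type: String
 )
@@ -64,6 +66,7 @@ class AwsIamUser < Inspec.resource(1)
 if validated_params.empty?
 raise ArgumentError, "You must provide a username to aws_iam_user."
 end
+
 validated_params
 end
 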
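--- a/data/lib/resources/aws/aws_iam_users.rb
+++ b/data/lib/resources/aws/aws_iam_users.rb
@@ -65,26 +65,26 @@ class AwsIamUsers < Inspec.resource(1)
 
 # These are included on the initial fetch
 filter.register_column(:usernames, field: :user_name)
-
-
-
-
+.register_column(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
+.register_column(:password_ever_used?, field: :password_ever_used?)
+.register_column(:password_never_used?, field: :password_never_used?)
+.register_column(:password_last_used_days_ago, field: :password_last_used_days_ago)
 
 # Remaining properties / criteria are handled lazily, grouped by fetcher
 filter.register_column(:has_console_password?, field: :has_console_password?, lazy: method(:lazy_get_login_profile))
-
+.register_column(:has_console_password, field: :has_console_password, lazy: method(:lazy_get_login_profile))
 
 filter.register_column(:has_mfa_enabled?, field: :has_mfa_enabled?, lazy: method(:lazy_list_mfa_devices))
-
+.register_column(:has_mfa_enabled, field: :has_mfa_enabled, lazy: method(:lazy_list_mfa_devices))
 
 filter.register_column(:has_inline_policies?, field: :has_inline_policies?, lazy: method(:lazy_list_user_policies))
-
-
+.register_column(:has_inline_policies, field: :has_inline_policies, lazy: method(:lazy_list_user_policies))
+.register_column(:inline_policy_names, field: :inline_policy_names, style: :simple, lazy: method(:lazy_list_user_policies))
 
 filter.register_column(:has_attached_policies?, field: :has_attached_policies?, lazy: method(:lazy_list_attached_policies))
-
-
-
+.register_column(:has_attached_policies, field: :has_attached_policies, lazy: method(:lazy_list_attached_policies))
+.register_column(:attached_policy_names, field: :attached_policy_names, style: :simple, lazy: method(:lazy_list_attached_policies))
+.register_column(:attached_policy_arns, field: :attached_policy_arns, style: :simple, lazy: method(:lazy_list_attached_policies))
 filter.install_filter_methods_on_resource(self, :table)
 
 def validate_params(raw_params)
@@ -92,6 +92,7 @@ class AwsIamUsers < Inspec.resource(1)
 unless raw_params.empty?
 raise ArgumentError, "aws_iam_users does not accept resource parameters"
 end
+
 raw_params
 end
 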
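--- a/data/lib/resources/aws/aws_kms_key.rb
+++ b/data/lib/resources/aws/aws_kms_key.rb
@@ -15,8 +15,8 @@ class AwsKmsKey < Inspec.resource(1)
 
 include AwsSingularResourceMixin
 attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
-
-
+:deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
+:has_rotation_enabled, :enabled
 # Use aliases for matchers
 alias deletion_time deletion_date
 alias invalidation_time valid_to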
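--- a/data/lib/resources/aws/aws_kms_keys.rb
+++ b/data/lib/resources/aws/aws_kms_keys.rb
@@ -17,6 +17,7 @@ class AwsKmsKeys < Inspec.resource(1)
 unless resource_params.empty?
 raise ArgumentError, "aws_kms_keys does not accept resource parameters."
 end
+
 resource_params
 end
 
@@ -24,7 +25,7 @@ class AwsKmsKeys < Inspec.resource(1)
 filter = FilterTable.create
 filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
 filter.register_column(:key_arns, field: :key_arn)
-
+.register_column(:key_ids, field: :key_id)
 filter.install_filter_methods_on_resource(self, :table)
 
 def to_s
@@ -39,6 +40,7 @@ class AwsKmsKeys < Inspec.resource(1)
 api_result = backend.list_keys(pagination_opts)
 @table += api_result.keys.map(&:to_h)
 break unless api_result.truncated
+
 pagination_opts = { marker: api_result.next_marker }
 end
 end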
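--- a/data/lib/resources/aws/aws_route_table.rb
+++ b/data/lib/resources/aws/aws_route_table.rb
@@ -33,8 +33,8 @@ class AwsRouteTable < Inspec.resource(1)
 if validated_params.key?(:route_table_id) &&
 validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
 raise ArgumentError,
-
-
+"aws_route_table Route Table ID must be in the" \
+' format "rtb-" followed by 8 or 17 hexadecimal characters.'
 end
 
 validated_params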
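Review bot: The route-table ID check on the hunk's second context line, `validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/`, does not enforce what the reworded message promises: the `|` alternation binds loosest, so the 17-hex branch has no end anchor and accepts trailing characters, and `^`/`$` are line anchors in Ruby, so a multi-line value passes if any one line matches. Anchoring the whole string and grouping the alternation, `validated_params[:route_table_id] !~ /\Artb-(?:[0-9a-f]{17}|[0-9a-f]{8})\z/`, rejects both cases. The enclosing method begins outside this hunk.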
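--- a/data/lib/resources/aws/aws_route_tables.rb
+++ b/data/lib/resources/aws/aws_route_tables.rb
@@ -17,7 +17,7 @@ class AwsRouteTables < Inspec.resource(1)
 filter = FilterTable.create
 filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
 filter.register_column(:vpc_ids, field: :vpc_id)
-
+.register_column(:route_table_ids, field: :route_table_id)
 filter.install_filter_methods_on_resource(self, :routes_data)
 
 def routes_data
@@ -40,6 +40,7 @@ class AwsRouteTables < Inspec.resource(1)
 unless raw_criteria.empty?
 raise ArgumentError, "aws_route_tables does not currently accept resource parameters."
 end
+
 raw_criteria
 end
 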
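--- a/data/lib/resources/aws/aws_s3_bucket.rb
+++ b/data/lib/resources/aws/aws_s3_bucket.rb
@@ -40,11 +40,13 @@ class AwsS3Bucket < Inspec.resource(1)
 
 def has_default_encryption_enabled?
 return false unless @exists
+
 @has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
 end
 
 def has_access_logging_enabled?
 return false unless @exists
+
 catch_aws_errors do
 @has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
 end
@@ -101,9 +103,9 @@ class AwsS3Bucket < Inspec.resource(1)
 @has_default_encryption_enabled ||= catch_aws_errors do
 begin
 !BackendFactory.create(inspec_runner)
-
-
-
+.get_bucket_encryption(bucket: bucket_name)
+.server_side_encryption_configuration
+.nil?
 rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
 false
 end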
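Review bot: The `||=` memoisation on the new-side lines `@has_default_encryption_enabled ||= fetch_bucket_encryption_configuration` and `@has_access_logging_enabled ||= !BackendFactory...nil?` caches only a truthy answer, so when a bucket has no encryption or no access logging — the outcome a compliance control is looking for — the ivar stays falsy and the S3 call is repeated on every evaluation. The sibling resource in this diff uses `return @object_acl if defined? @object_acl`; the same shape here, `return @has_default_encryption_enabled if defined?(@has_default_encryption_enabled)` followed by a plain assignment, caches both outcomes. What `catch_aws_errors` yields when it rescues an error is not visible here, so the rescued case presumably also re-fetches. The method in the second hunk starts and ends outside it.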
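--- a/data/lib/resources/aws/aws_s3_bucket_object.rb
+++ b/data/lib/resources/aws/aws_s3_bucket_object.rb
@@ -23,6 +23,7 @@ class AwsS3BucketObject < Inspec.resource(1)
 
 def object_acl
 return @object_acl if defined? @object_acl
+
 catch_aws_errors do
 @object_acl = BackendFactory.create(inspec_runner).get_object_acl(bucket: bucket_name, key: key).grants
 end
@@ -42,11 +43,12 @@ class AwsS3BucketObject < Inspec.resource(1)
 def validate_params(raw_params)
 validated_params = check_resource_param_names(
 raw_params: raw_params,
-allowed_params:
+allowed_params: %i{bucket_name key id}
 )
 if validated_params.empty? || !validated_params.key?(:bucket_name) || !validated_params.key?(:key)
 raise ArgumentError, "You must provide a bucket_name and key to aws_s3_bucket_object."
 end
+
 validated_params
 end
 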
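--- a/data/lib/resources/aws/aws_security_group.rb
+++ b/data/lib/resources/aws/aws_security_group.rb
@@ -49,6 +49,7 @@ class AwsSecurityGroup < Inspec.resource(1)
 # allow_{in_out}_only require either a single-rule group, or you
 # to select a rule using position.
 return false unless rules.count == 1 || criteria.key?(:position)
+
 if criteria.key?(:security_group)
 if criteria.key?(:position)
 pos = criteria[:position] - 1
@@ -97,7 +98,7 @@ class AwsSecurityGroup < Inspec.resource(1)
 
 # Any leftovers are unwelcome
 unless raw_criteria.empty?
-raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(
+raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(",")}'. Expected criteria: #{allowed_criteria.join(", ")}"
 end
 
 recognized_criteria
@@ -138,12 +139,14 @@ class AwsSecurityGroup < Inspec.resource(1)
 from = criteria[:from_port]
 # It's a match if neither criteria was specified
 return true if to.nil? && from.nil?
+
 # Normalize to integers
 to = to.to_i unless to.nil?
 from = from.to_i unless from.nil?
 # It's a match if either was specified and the other was not
 return true if rule[:to_port] == to && from.nil?
 return true if rule[:from_port] == from && to.nil?
+
 # Finally, both must match.
 rule[:to_port] == to && rule[:from_port] == from
 elsif !criteria[:port]
@@ -159,6 +162,7 @@ class AwsSecurityGroup < Inspec.resource(1)
 
 def allow__match_protocol(rule, criteria)
 return true unless criteria.key?(:protocol)
+
 prot = criteria[:protocol]
 # We provide a "fluency alias" for -1 (any).
 prot = "-1" if prot == "any"
@@ -194,25 +198,29 @@ class AwsSecurityGroup < Inspec.resource(1)
 
 def allow__match_ipv4_range(rule, criteria)
 return true unless criteria.key?(:ipv4_range)
+
 match_ipv4_or_6_range(rule, criteria)
 end
 
 def allow__match_ipv6_range(rule, criteria)
 return true unless criteria.key?(:ipv6_range)
+
 match_ipv4_or_6_range(rule, criteria)
 end
 
 def allow__match_security_group(rule, criteria)
 return true unless criteria.key?(:security_group)
+
 query = criteria[:security_group]
 return false unless rule[:user_id_group_pairs]
+
 rule[:user_id_group_pairs].any? { |group| query == group[:group_id] }
 end
 
 def validate_params(raw_params)
 recognized_params = check_resource_param_names(
 raw_params: raw_params,
-allowed_params:
+allowed_params: %i{id group_id group_name vpc_id},
 allowed_scalar_name: :group_id,
 allowed_scalar_type: String
 )
@@ -233,13 +241,14 @@ class AwsSecurityGroup < Inspec.resource(1)
 if validated_params.empty?
 raise ArgumentError, "You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group."
 end
+
 validated_params
 end
 
 def count_sg_rules(ip_permissions)
 rule_count = 0
 ip_permissions.each do |ip_permission|
-
+%i{ip_ranges ipv_6_ranges user_id_group_pairs}.each do |key|
 if ip_permission.key? key
 rule_count += ip_permission[key].length
 end
@@ -253,16 +262,18 @@ class AwsSecurityGroup < Inspec.resource(1)
 
 # Transform into filter format expected by AWS
 filters = []
-
-
-
-
-
-
+%i{
+description
+group_id
+group_name
+vpc_id
+}.each do |criterion_name|
 instance_var = "@#{criterion_name}".to_sym
 next unless instance_variable_defined?(instance_var)
+
 val = instance_variable_get(instance_var)
 next if val.nil?
+
 filters.push(
 {
 name: criterion_name.to_s.tr("_", "-"),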
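Review bot: In the port-matching hunk (`@@ -138,12 +139,14 @@`) the normalisation `to = to.to_i unless to.nil?` / `from = from.to_i unless from.nil?` silently maps a malformed criterion to a number — `String#to_i` turns a mistyped port such as a constructed `"8O"` into `8` — so a control compares against a different rule instead of failing loudly; if callers only pass integers or digit strings, `to = Integer(to) unless to.nil?` and `from = Integer(from) unless from.nil?` raise `ArgumentError` on bad input instead. The message on new line 242, `"... such as group_name, group_id, or vpc_id.g_group."`, still carries a stray `.g_group` fragment that this hunk could have dropped. The method enclosing the port hunk starts and ends outside it.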
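--- a/data/lib/resources/aws/aws_sns_subscription.rb
+++ b/data/lib/resources/aws/aws_sns_subscription.rb
@@ -20,7 +20,7 @@ class AwsSnsSubscription < Inspec.resource(1)
 
 include AwsSingularResourceMixin
 attr_reader :arn, :owner, :raw_message_delivery, :topic_arn, :endpoint, :protocol,
-
+:confirmation_was_authenticated, :aws_response
 
 alias confirmation_authenticated? confirmation_was_authenticated
 alias raw_message_delivery? raw_message_delivery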
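--- a/data/lib/resources/aws/aws_sns_topics.rb
+++ b/data/lib/resources/aws/aws_sns_topics.rb
@@ -18,6 +18,7 @@ class AwsSnsTopics < Inspec.resource(1)
 unless resource_params.empty?
 raise ArgumentError, "aws_sns_topics does not accept resource parameters."
 end
+
 resource_params
 end
 
@@ -30,6 +31,7 @@ class AwsSnsTopics < Inspec.resource(1)
 api_result = backend.list_topics(pagination_opts)
 @table += api_result.topics.map(&:to_h)
 break if api_result.next_token.nil?
+
 pagination_opts = { next_token: api_result.next_token }
 end
 end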
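--- a/data/lib/resources/aws/aws_subnet.rb
+++ b/data/lib/resources/aws/aws_subnet.rb
@@ -15,8 +15,8 @@ class AwsSubnet < Inspec.resource(1)
 
 include AwsSingularResourceMixin
 attr_reader :assigning_ipv_6_address_on_creation, :availability_zone, :available_ip_address_count,
-
-
+:available, :cidr_block, :default_for_az, :ipv_6_cidr_block_association_set,
+:mapping_public_ip_on_launch, :subnet_id, :vpc_id
 alias available? available
 alias default_for_az? default_for_az
 alias mapping_public_ip_on_launch? mapping_public_ip_on_launch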
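--- a/data/lib/resources/aws/aws_subnets.rb
+++ b/data/lib/resources/aws/aws_subnets.rb
@@ -21,6 +21,7 @@ class AwsSubnets < Inspec.resource(1)
 unless resource_params.empty?
 raise ArgumentError, "aws_vpc_subnets does not accept resource parameters."
 end
+
 resource_params
 end
 
@@ -33,9 +34,9 @@ class AwsSubnets < Inspec.resource(1)
 filter = FilterTable.create
 filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
 filter.register_column(:vpc_ids, field: :vpc_id)
-
-
-
+.register_column(:subnet_ids, field: :subnet_id)
+.register_column(:cidr_blocks, field: :cidr_block)
+.register_column(:states, field: :state)
 filter.install_filter_methods_on_resource(self, :table)
 
 def to_s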
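Review bot: The rejection message in the first hunk, `raise ArgumentError, "aws_vpc_subnets does not accept resource parameters."`, names a resource other than the one this class (`AwsSubnets`, in `aws_subnets.rb` per the file list) appears to implement, so a profile author sees an error pointing at a different resource than the one they wrote. If the resource is registered as `aws_subnets`, the line should read `raise ArgumentError, "aws_subnets does not accept resource parameters."`. The method enclosing that hunk starts outside it.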
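--- a/data/lib/resources/aws/aws_vpcs.rb
+++ b/data/lib/resources/aws/aws_vpcs.rb
@@ -18,10 +18,10 @@ class AwsVpcs < Inspec.resource(1)
 filter = FilterTable.create
 filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
 filter.register_column(:cidr_blocks, field: :cidr_block)
-
+.register_column(:vpc_ids, field: :vpc_id)
 # We need a dummy here, so FilterTable will define and populate the dhcp_options_id field
 filter.register_column(:dummy, field: :dhcp_options_id)
-
+.register_column(:dhcp_options_ids) { |obj| obj.entries.map(&:dhcp_options_id).uniq }
 filter.install_filter_methods_on_resource(self, :table)
 
 def validate_params(raw_params)
@@ -29,6 +29,7 @@ class AwsVpcs < Inspec.resource(1)
 unless raw_params.empty?
 raise ArgumentError, "aws_vpcs does not accept resource parameters"
 end
+
 raw_params
 end
 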
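--- a/data/lib/resources/azure/azure_generic_resource.rb
+++ b/data/lib/resources/azure/azure_generic_resource.rb
@@ -32,10 +32,10 @@ module Inspec::Resources
 # Define the filter table so that it can be interrogated
 @filter = FilterTable.create
 @filter.register_filter_method(:contains)
-
-
-
-
+.register_column(:type, field: "type")
+.register_column(:name, field: "name")
+.register_column(:location, field: "location")
+.register_column(:properties, field: "properties")
 
 @filter.install_filter_methods_on_resource(self, :probes)
 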
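--- a/data/lib/resources/azure/azure_resource_group.rb
+++ b/data/lib/resources/azure/azure_resource_group.rb
@@ -131,6 +131,7 @@ module Inspec::Resources
 # @private
 def create_has_methods
 return if failed_resource?
+
 # Create the has methods for each of the mappings
 # This is a quick test to show that the resource group has at least one of these things
 mapping.each do |name, type|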