inspec 4.7.3 → 4.7.18
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/inspec.gemspec +1 -1
- data/lib/bundles/inspec-supermarket/api.rb +2 -1
- data/lib/bundles/inspec-supermarket/cli.rb +6 -6
- data/lib/bundles/inspec-supermarket/target.rb +1 -0
- data/lib/fetchers/git.rb +3 -1
- data/lib/fetchers/mock.rb +1 -0
- data/lib/fetchers/url.rb +6 -3
- data/lib/inspec/backend.rb +1 -0
- data/lib/inspec/base_cli.rb +4 -1
- data/lib/inspec/cli.rb +5 -4
- data/lib/inspec/config.rb +9 -1
- data/lib/inspec/control_eval_context.rb +1 -0
- data/lib/inspec/dependencies/cache.rb +1 -0
- data/lib/inspec/dependencies/dependency_set.rb +2 -0
- data/lib/inspec/dependencies/lockfile.rb +1 -0
- data/lib/inspec/dependencies/requirement.rb +8 -7
- data/lib/inspec/dependencies/resolver.rb +3 -3
- data/lib/inspec/describe.rb +1 -0
- data/lib/inspec/dsl.rb +1 -1
- data/lib/inspec/dsl_shared.rb +1 -1
- data/lib/inspec/env_printer.rb +4 -4
- data/lib/inspec/fetcher.rb +4 -2
- data/lib/inspec/file_provider.rb +18 -8
- data/lib/inspec/formatters/base.rb +5 -0
- data/lib/inspec/impact.rb +2 -0
- data/lib/inspec/input_registry.rb +14 -13
- data/lib/inspec/metadata.rb +6 -2
- data/lib/inspec/method_source.rb +1 -1
- data/lib/inspec/objects/control.rb +4 -1
- data/lib/inspec/objects/describe.rb +3 -1
- data/lib/inspec/objects/input.rb +6 -5
- data/lib/inspec/objects/list.rb +2 -0
- data/lib/inspec/objects/test.rb +3 -2
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +7 -0
- data/lib/inspec/plugin/v1/plugins.rb +4 -3
- data/lib/inspec/plugin/v1/registry.rb +3 -2
- data/lib/inspec/plugin/v2.rb +1 -0
- data/lib/inspec/plugin/v2/activator.rb +2 -0
- data/lib/inspec/plugin/v2/config_file.rb +4 -1
- data/lib/inspec/plugin/v2/filter.rb +1 -0
- data/lib/inspec/plugin/v2/installer.rb +9 -7
- data/lib/inspec/plugin/v2/loader.rb +2 -0
- data/lib/inspec/plugin/v2/plugin_base.rb +1 -0
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +2 -2
- data/lib/inspec/plugin/v2/registry.rb +3 -1
- data/lib/inspec/profile.rb +13 -6
- data/lib/inspec/profile_context.rb +4 -2
- data/lib/inspec/reporters/cli.rb +14 -10
- data/lib/inspec/reporters/json.rb +1 -0
- data/lib/inspec/reporters/json_automate.rb +3 -0
- data/lib/inspec/reporters/json_min.rb +2 -0
- data/lib/inspec/resource.rb +2 -0
- data/lib/inspec/resources/aide_conf.rb +4 -3
- data/lib/inspec/resources/apache_conf.rb +1 -1
- data/lib/inspec/resources/apt.rb +2 -0
- data/lib/inspec/resources/auditd.rb +19 -18
- data/lib/inspec/resources/bridge.rb +5 -2
- data/lib/inspec/resources/chocolatey_package.rb +2 -0
- data/lib/inspec/resources/command.rb +1 -1
- data/lib/inspec/resources/crontab.rb +9 -8
- data/lib/inspec/resources/csv.rb +1 -1
- data/lib/inspec/resources/dh_params.rb +6 -0
- data/lib/inspec/resources/docker.rb +37 -34
- data/lib/inspec/resources/docker_container.rb +1 -0
- data/lib/inspec/resources/docker_image.rb +1 -0
- data/lib/inspec/resources/docker_plugin.rb +1 -0
- data/lib/inspec/resources/docker_service.rb +1 -0
- data/lib/inspec/resources/elasticsearch.rb +24 -24
- data/lib/inspec/resources/etc_fstab.rb +8 -7
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts.rb +4 -4
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -3
- data/lib/inspec/resources/file.rb +4 -1
- data/lib/inspec/resources/filesystem.rb +5 -3
- data/lib/inspec/resources/firewalld.rb +7 -4
- data/lib/inspec/resources/groups.rb +6 -4
- data/lib/inspec/resources/grub_conf.rb +3 -0
- data/lib/inspec/resources/host.rb +5 -3
- data/lib/inspec/resources/http.rb +6 -4
- data/lib/inspec/resources/iis_app.rb +1 -0
- data/lib/inspec/resources/iis_app_pool.rb +1 -1
- data/lib/inspec/resources/iis_site.rb +4 -3
- data/lib/inspec/resources/interface.rb +10 -7
- data/lib/inspec/resources/json.rb +1 -1
- data/lib/inspec/resources/kernel_module.rb +1 -1
- data/lib/inspec/resources/kernel_parameter.rb +2 -1
- data/lib/inspec/resources/key_rsa.rb +5 -0
- data/lib/inspec/resources/mount.rb +3 -1
- data/lib/inspec/resources/mysql_conf.rb +3 -1
- data/lib/inspec/resources/mysql_session.rb +2 -0
- data/lib/inspec/resources/nginx.rb +1 -0
- data/lib/inspec/resources/nginx_conf.rb +10 -6
- data/lib/inspec/resources/ntp_conf.rb +1 -0
- data/lib/inspec/resources/oneget.rb +1 -1
- data/lib/inspec/resources/oracledb_session.rb +4 -2
- data/lib/inspec/resources/os_env.rb +1 -0
- data/lib/inspec/resources/package.rb +10 -6
- data/lib/inspec/resources/packages.rb +7 -5
- data/lib/inspec/resources/passwd.rb +7 -7
- data/lib/inspec/resources/pip.rb +2 -0
- data/lib/inspec/resources/port.rb +22 -8
- data/lib/inspec/resources/postgres.rb +2 -1
- data/lib/inspec/resources/postgres_conf.rb +2 -0
- data/lib/inspec/resources/postgres_hba_conf.rb +6 -6
- data/lib/inspec/resources/postgres_ident_conf.rb +3 -3
- data/lib/inspec/resources/processes.rb +16 -15
- data/lib/inspec/resources/rabbitmq_config.rb +2 -0
- data/lib/inspec/resources/registry_key.rb +8 -3
- data/lib/inspec/resources/security_identifier.rb +3 -1
- data/lib/inspec/resources/security_policy.rb +2 -1
- data/lib/inspec/resources/service.rb +13 -1
- data/lib/inspec/resources/shadow.rb +1 -0
- data/lib/inspec/resources/ssh_config.rb +2 -0
- data/lib/inspec/resources/ssl.rb +12 -11
- data/lib/inspec/resources/users.rb +29 -19
- data/lib/inspec/resources/virtualization.rb +10 -0
- data/lib/inspec/resources/windows_feature.rb +1 -1
- data/lib/inspec/resources/windows_hotfix.rb +2 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +2 -1
- data/lib/inspec/resources/x509_certificate.rb +8 -0
- data/lib/inspec/resources/xinetd_conf.rb +10 -9
- data/lib/inspec/resources/yum.rb +15 -11
- data/lib/inspec/resources/zfs_dataset.rb +4 -2
- data/lib/inspec/resources/zfs_pool.rb +2 -1
- data/lib/inspec/rule.rb +11 -1
- data/lib/inspec/runner.rb +9 -6
- data/lib/inspec/runner_rspec.rb +10 -8
- data/lib/inspec/schema.rb +1 -0
- data/lib/inspec/secrets.rb +1 -0
- data/lib/inspec/secrets/yaml.rb +1 -0
- data/lib/inspec/shell.rb +20 -19
- data/lib/inspec/shell_detector.rb +1 -1
- data/lib/inspec/source_reader.rb +2 -0
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/deprecation/config_file.rb +8 -4
- data/lib/inspec/utils/erlang_parser.rb +2 -0
- data/lib/inspec/utils/file_reader.rb +1 -1
- data/lib/inspec/utils/filter.rb +16 -3
- data/lib/inspec/utils/find_files.rb +2 -2
- data/lib/inspec/utils/object_traversal.rb +1 -0
- data/lib/inspec/utils/parser.rb +2 -0
- data/lib/inspec/utils/simpleconfig.rb +4 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +4 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +12 -11
- data/lib/plugins/inspec-artifact/test/functional/inspec_artifact_test.rb +3 -3
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +15 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +4 -2
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +13 -12
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +3 -0
- data/lib/plugins/inspec-compliance/test/unit/api_test.rb +28 -28
- data/lib/plugins/inspec-compliance/test/unit/target_test.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +1 -1
- data/lib/plugins/inspec-habitat/test/unit/profile_test.rb +7 -6
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +2 -2
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +1 -0
- data/lib/plugins/inspec-init/test/functional/inspec_init_plugin_test.rb +12 -10
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +6 -5
- data/lib/plugins/inspec-plugin-manager-cli/test/functional/inspec-plugin_test.rb +1 -0
- data/lib/plugins/shared/core_plugin_test_helper.rb +1 -0
- data/lib/resource_support/aws/aws_resource_mixin.rb +3 -2
- data/lib/resources/aws/aws_billing_report.rb +1 -1
- data/lib/resources/aws/aws_billing_reports.rb +8 -7
- data/lib/resources/aws/aws_cloudtrail_trail.rb +1 -1
- data/lib/resources/aws/aws_cloudtrail_trails.rb +1 -0
- data/lib/resources/aws/aws_cloudwatch_alarm.rb +4 -3
- data/lib/resources/aws/aws_cloudwatch_log_metric_filter.rb +2 -1
- data/lib/resources/aws/aws_config_delivery_channel.rb +1 -1
- data/lib/resources/aws/aws_config_recorder.rb +2 -0
- data/lib/resources/aws/aws_ebs_volume.rb +1 -0
- data/lib/resources/aws/aws_ebs_volumes.rb +2 -0
- data/lib/resources/aws/aws_ec2_instance.rb +2 -0
- data/lib/resources/aws/aws_ec2_instances.rb +2 -0
- data/lib/resources/aws/aws_ecs_cluster.rb +2 -2
- data/lib/resources/aws/aws_eks_cluster.rb +3 -3
- data/lib/resources/aws/aws_elb.rb +2 -2
- data/lib/resources/aws/aws_elbs.rb +14 -12
- data/lib/resources/aws/aws_flow_log.rb +2 -2
- data/lib/resources/aws/aws_iam_access_key.rb +3 -1
- data/lib/resources/aws/aws_iam_access_keys.rb +18 -16
- data/lib/resources/aws/aws_iam_groups.rb +1 -0
- data/lib/resources/aws/aws_iam_password_policy.rb +9 -7
- data/lib/resources/aws/aws_iam_policies.rb +2 -1
- data/lib/resources/aws/aws_iam_policy.rb +10 -1
- data/lib/resources/aws/aws_iam_role.rb +1 -0
- data/lib/resources/aws/aws_iam_user.rb +5 -2
- data/lib/resources/aws/aws_iam_users.rb +12 -11
- data/lib/resources/aws/aws_kms_key.rb +2 -2
- data/lib/resources/aws/aws_kms_keys.rb +3 -1
- data/lib/resources/aws/aws_route_table.rb +2 -2
- data/lib/resources/aws/aws_route_tables.rb +2 -1
- data/lib/resources/aws/aws_s3_bucket.rb +5 -3
- data/lib/resources/aws/aws_s3_bucket_object.rb +3 -1
- data/lib/resources/aws/aws_s3_buckets.rb +1 -0
- data/lib/resources/aws/aws_security_group.rb +20 -9
- data/lib/resources/aws/aws_security_groups.rb +1 -0
- data/lib/resources/aws/aws_sns_subscription.rb +1 -1
- data/lib/resources/aws/aws_sns_topics.rb +2 -0
- data/lib/resources/aws/aws_subnet.rb +2 -2
- data/lib/resources/aws/aws_subnets.rb +4 -3
- data/lib/resources/aws/aws_vpc.rb +1 -1
- data/lib/resources/aws/aws_vpcs.rb +3 -2
- data/lib/resources/azure/azure_generic_resource.rb +4 -4
- data/lib/resources/azure/azure_resource_group.rb +1 -0
- data/lib/resources/azure/azure_virtual_machine_data_disk.rb +13 -12
- data/lib/source_readers/flat.rb +1 -0
- data/lib/source_readers/inspec.rb +1 -0
- metadata +2 -2
|
@@ -17,7 +17,7 @@ class AwsIamUser < Inspec.resource(1)
|
|
|
17
17
|
|
|
18
18
|
include AwsSingularResourceMixin
|
|
19
19
|
attr_reader :access_keys, :attached_policy_names, :attached_policy_arns, \
|
|
20
|
-
|
|
20
|
+
:has_console_password, :has_mfa_enabled, :inline_policy_names, :username
|
|
21
21
|
alias has_mfa_enabled? has_mfa_enabled
|
|
22
22
|
alias has_console_password? has_console_password
|
|
23
23
|
|
|
@@ -32,11 +32,13 @@ class AwsIamUser < Inspec.resource(1)
|
|
|
32
32
|
|
|
33
33
|
def has_attached_policies?
|
|
34
34
|
return nil unless exists?
|
|
35
|
+
|
|
35
36
|
!attached_policy_names.empty?
|
|
36
37
|
end
|
|
37
38
|
|
|
38
39
|
def has_inline_policies?
|
|
39
40
|
return nil unless exists?
|
|
41
|
+
|
|
40
42
|
!inline_policy_names.empty?
|
|
41
43
|
end
|
|
42
44
|
|
|
@@ -45,7 +47,7 @@ class AwsIamUser < Inspec.resource(1)
|
|
|
45
47
|
def validate_params(raw_params)
|
|
46
48
|
validated_params = check_resource_param_names(
|
|
47
49
|
raw_params: raw_params,
|
|
48
|
-
allowed_params:
|
|
50
|
+
allowed_params: %i{username aws_user_struct name user},
|
|
49
51
|
allowed_scalar_name: :username,
|
|
50
52
|
allowed_scalar_type: String
|
|
51
53
|
)
|
|
@@ -64,6 +66,7 @@ class AwsIamUser < Inspec.resource(1)
|
|
|
64
66
|
if validated_params.empty?
|
|
65
67
|
raise ArgumentError, "You must provide a username to aws_iam_user."
|
|
66
68
|
end
|
|
69
|
+
|
|
67
70
|
validated_params
|
|
68
71
|
end
|
|
69
72
|
|
|
@@ -65,26 +65,26 @@ class AwsIamUsers < Inspec.resource(1)
|
|
|
65
65
|
|
|
66
66
|
# These are included on the initial fetch
|
|
67
67
|
filter.register_column(:usernames, field: :user_name)
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
68
|
+
.register_column(:username) { |res| res.entries.map { |row| row[:user_name] } } # We should deprecate this; plural resources get plural properties
|
|
69
|
+
.register_column(:password_ever_used?, field: :password_ever_used?)
|
|
70
|
+
.register_column(:password_never_used?, field: :password_never_used?)
|
|
71
|
+
.register_column(:password_last_used_days_ago, field: :password_last_used_days_ago)
|
|
72
72
|
|
|
73
73
|
# Remaining properties / criteria are handled lazily, grouped by fetcher
|
|
74
74
|
filter.register_column(:has_console_password?, field: :has_console_password?, lazy: method(:lazy_get_login_profile))
|
|
75
|
-
|
|
75
|
+
.register_column(:has_console_password, field: :has_console_password, lazy: method(:lazy_get_login_profile))
|
|
76
76
|
|
|
77
77
|
filter.register_column(:has_mfa_enabled?, field: :has_mfa_enabled?, lazy: method(:lazy_list_mfa_devices))
|
|
78
|
-
|
|
78
|
+
.register_column(:has_mfa_enabled, field: :has_mfa_enabled, lazy: method(:lazy_list_mfa_devices))
|
|
79
79
|
|
|
80
80
|
filter.register_column(:has_inline_policies?, field: :has_inline_policies?, lazy: method(:lazy_list_user_policies))
|
|
81
|
-
|
|
82
|
-
|
|
81
|
+
.register_column(:has_inline_policies, field: :has_inline_policies, lazy: method(:lazy_list_user_policies))
|
|
82
|
+
.register_column(:inline_policy_names, field: :inline_policy_names, style: :simple, lazy: method(:lazy_list_user_policies))
|
|
83
83
|
|
|
84
84
|
filter.register_column(:has_attached_policies?, field: :has_attached_policies?, lazy: method(:lazy_list_attached_policies))
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
85
|
+
.register_column(:has_attached_policies, field: :has_attached_policies, lazy: method(:lazy_list_attached_policies))
|
|
86
|
+
.register_column(:attached_policy_names, field: :attached_policy_names, style: :simple, lazy: method(:lazy_list_attached_policies))
|
|
87
|
+
.register_column(:attached_policy_arns, field: :attached_policy_arns, style: :simple, lazy: method(:lazy_list_attached_policies))
|
|
88
88
|
filter.install_filter_methods_on_resource(self, :table)
|
|
89
89
|
|
|
90
90
|
def validate_params(raw_params)
|
|
@@ -92,6 +92,7 @@ class AwsIamUsers < Inspec.resource(1)
|
|
|
92
92
|
unless raw_params.empty?
|
|
93
93
|
raise ArgumentError, "aws_iam_users does not accept resource parameters"
|
|
94
94
|
end
|
|
95
|
+
|
|
95
96
|
raw_params
|
|
96
97
|
end
|
|
97
98
|
|
|
@@ -15,8 +15,8 @@ class AwsKmsKey < Inspec.resource(1)
|
|
|
15
15
|
|
|
16
16
|
include AwsSingularResourceMixin
|
|
17
17
|
attr_reader :key_id, :arn, :creation_date, :key_usage, :key_state, :description,
|
|
18
|
-
|
|
19
|
-
|
|
18
|
+
:deletion_date, :valid_to, :external, :has_key_expiration, :managed_by_aws,
|
|
19
|
+
:has_rotation_enabled, :enabled
|
|
20
20
|
# Use aliases for matchers
|
|
21
21
|
alias deletion_time deletion_date
|
|
22
22
|
alias invalidation_time valid_to
|
|
@@ -17,6 +17,7 @@ class AwsKmsKeys < Inspec.resource(1)
|
|
|
17
17
|
unless resource_params.empty?
|
|
18
18
|
raise ArgumentError, "aws_kms_keys does not accept resource parameters."
|
|
19
19
|
end
|
|
20
|
+
|
|
20
21
|
resource_params
|
|
21
22
|
end
|
|
22
23
|
|
|
@@ -24,7 +25,7 @@ class AwsKmsKeys < Inspec.resource(1)
|
|
|
24
25
|
filter = FilterTable.create
|
|
25
26
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
|
26
27
|
filter.register_column(:key_arns, field: :key_arn)
|
|
27
|
-
|
|
28
|
+
.register_column(:key_ids, field: :key_id)
|
|
28
29
|
filter.install_filter_methods_on_resource(self, :table)
|
|
29
30
|
|
|
30
31
|
def to_s
|
|
@@ -39,6 +40,7 @@ class AwsKmsKeys < Inspec.resource(1)
|
|
|
39
40
|
api_result = backend.list_keys(pagination_opts)
|
|
40
41
|
@table += api_result.keys.map(&:to_h)
|
|
41
42
|
break unless api_result.truncated
|
|
43
|
+
|
|
42
44
|
pagination_opts = { marker: api_result.next_marker }
|
|
43
45
|
end
|
|
44
46
|
end
|
|
@@ -33,8 +33,8 @@ class AwsRouteTable < Inspec.resource(1)
|
|
|
33
33
|
if validated_params.key?(:route_table_id) &&
|
|
34
34
|
validated_params[:route_table_id] !~ /^rtb\-([0-9a-f]{17})|(^rtb\-[0-9a-f]{8})$/
|
|
35
35
|
raise ArgumentError,
|
|
36
|
-
|
|
37
|
-
|
|
36
|
+
"aws_route_table Route Table ID must be in the" \
|
|
37
|
+
' format "rtb-" followed by 8 or 17 hexadecimal characters.'
|
|
38
38
|
end
|
|
39
39
|
|
|
40
40
|
validated_params
|
|
@@ -17,7 +17,7 @@ class AwsRouteTables < Inspec.resource(1)
|
|
|
17
17
|
filter = FilterTable.create
|
|
18
18
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
|
19
19
|
filter.register_column(:vpc_ids, field: :vpc_id)
|
|
20
|
-
|
|
20
|
+
.register_column(:route_table_ids, field: :route_table_id)
|
|
21
21
|
filter.install_filter_methods_on_resource(self, :routes_data)
|
|
22
22
|
|
|
23
23
|
def routes_data
|
|
@@ -40,6 +40,7 @@ class AwsRouteTables < Inspec.resource(1)
|
|
|
40
40
|
unless raw_criteria.empty?
|
|
41
41
|
raise ArgumentError, "aws_route_tables does not currently accept resource parameters."
|
|
42
42
|
end
|
|
43
|
+
|
|
43
44
|
raw_criteria
|
|
44
45
|
end
|
|
45
46
|
|
|
@@ -40,11 +40,13 @@ class AwsS3Bucket < Inspec.resource(1)
|
|
|
40
40
|
|
|
41
41
|
def has_default_encryption_enabled?
|
|
42
42
|
return false unless @exists
|
|
43
|
+
|
|
43
44
|
@has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
|
|
44
45
|
end
|
|
45
46
|
|
|
46
47
|
def has_access_logging_enabled?
|
|
47
48
|
return false unless @exists
|
|
49
|
+
|
|
48
50
|
catch_aws_errors do
|
|
49
51
|
@has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
|
|
50
52
|
end
|
|
@@ -101,9 +103,9 @@ class AwsS3Bucket < Inspec.resource(1)
|
|
|
101
103
|
@has_default_encryption_enabled ||= catch_aws_errors do
|
|
102
104
|
begin
|
|
103
105
|
!BackendFactory.create(inspec_runner)
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
106
|
+
.get_bucket_encryption(bucket: bucket_name)
|
|
107
|
+
.server_side_encryption_configuration
|
|
108
|
+
.nil?
|
|
107
109
|
rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
|
|
108
110
|
false
|
|
109
111
|
end
|
|
@@ -23,6 +23,7 @@ class AwsS3BucketObject < Inspec.resource(1)
|
|
|
23
23
|
|
|
24
24
|
def object_acl
|
|
25
25
|
return @object_acl if defined? @object_acl
|
|
26
|
+
|
|
26
27
|
catch_aws_errors do
|
|
27
28
|
@object_acl = BackendFactory.create(inspec_runner).get_object_acl(bucket: bucket_name, key: key).grants
|
|
28
29
|
end
|
|
@@ -42,11 +43,12 @@ class AwsS3BucketObject < Inspec.resource(1)
|
|
|
42
43
|
def validate_params(raw_params)
|
|
43
44
|
validated_params = check_resource_param_names(
|
|
44
45
|
raw_params: raw_params,
|
|
45
|
-
allowed_params:
|
|
46
|
+
allowed_params: %i{bucket_name key id}
|
|
46
47
|
)
|
|
47
48
|
if validated_params.empty? || !validated_params.key?(:bucket_name) || !validated_params.key?(:key)
|
|
48
49
|
raise ArgumentError, "You must provide a bucket_name and key to aws_s3_bucket_object."
|
|
49
50
|
end
|
|
51
|
+
|
|
50
52
|
validated_params
|
|
51
53
|
end
|
|
52
54
|
|
|
@@ -49,6 +49,7 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
49
49
|
# allow_{in_out}_only require either a single-rule group, or you
|
|
50
50
|
# to select a rule using position.
|
|
51
51
|
return false unless rules.count == 1 || criteria.key?(:position)
|
|
52
|
+
|
|
52
53
|
if criteria.key?(:security_group)
|
|
53
54
|
if criteria.key?(:position)
|
|
54
55
|
pos = criteria[:position] - 1
|
|
@@ -97,7 +98,7 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
97
98
|
|
|
98
99
|
# Any leftovers are unwelcome
|
|
99
100
|
unless raw_criteria.empty?
|
|
100
|
-
raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(
|
|
101
|
+
raise ArgumentError, "Unrecognized security group rule 'allow' criteria '#{raw_criteria.keys.join(",")}'. Expected criteria: #{allowed_criteria.join(", ")}"
|
|
101
102
|
end
|
|
102
103
|
|
|
103
104
|
recognized_criteria
|
|
@@ -138,12 +139,14 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
138
139
|
from = criteria[:from_port]
|
|
139
140
|
# It's a match if neither criteria was specified
|
|
140
141
|
return true if to.nil? && from.nil?
|
|
142
|
+
|
|
141
143
|
# Normalize to integers
|
|
142
144
|
to = to.to_i unless to.nil?
|
|
143
145
|
from = from.to_i unless from.nil?
|
|
144
146
|
# It's a match if either was specified and the other was not
|
|
145
147
|
return true if rule[:to_port] == to && from.nil?
|
|
146
148
|
return true if rule[:from_port] == from && to.nil?
|
|
149
|
+
|
|
147
150
|
# Finally, both must match.
|
|
148
151
|
rule[:to_port] == to && rule[:from_port] == from
|
|
149
152
|
elsif !criteria[:port]
|
|
@@ -159,6 +162,7 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
159
162
|
|
|
160
163
|
def allow__match_protocol(rule, criteria)
|
|
161
164
|
return true unless criteria.key?(:protocol)
|
|
165
|
+
|
|
162
166
|
prot = criteria[:protocol]
|
|
163
167
|
# We provide a "fluency alias" for -1 (any).
|
|
164
168
|
prot = "-1" if prot == "any"
|
|
@@ -194,25 +198,29 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
194
198
|
|
|
195
199
|
def allow__match_ipv4_range(rule, criteria)
|
|
196
200
|
return true unless criteria.key?(:ipv4_range)
|
|
201
|
+
|
|
197
202
|
match_ipv4_or_6_range(rule, criteria)
|
|
198
203
|
end
|
|
199
204
|
|
|
200
205
|
def allow__match_ipv6_range(rule, criteria)
|
|
201
206
|
return true unless criteria.key?(:ipv6_range)
|
|
207
|
+
|
|
202
208
|
match_ipv4_or_6_range(rule, criteria)
|
|
203
209
|
end
|
|
204
210
|
|
|
205
211
|
def allow__match_security_group(rule, criteria)
|
|
206
212
|
return true unless criteria.key?(:security_group)
|
|
213
|
+
|
|
207
214
|
query = criteria[:security_group]
|
|
208
215
|
return false unless rule[:user_id_group_pairs]
|
|
216
|
+
|
|
209
217
|
rule[:user_id_group_pairs].any? { |group| query == group[:group_id] }
|
|
210
218
|
end
|
|
211
219
|
|
|
212
220
|
def validate_params(raw_params)
|
|
213
221
|
recognized_params = check_resource_param_names(
|
|
214
222
|
raw_params: raw_params,
|
|
215
|
-
allowed_params:
|
|
223
|
+
allowed_params: %i{id group_id group_name vpc_id},
|
|
216
224
|
allowed_scalar_name: :group_id,
|
|
217
225
|
allowed_scalar_type: String
|
|
218
226
|
)
|
|
@@ -233,13 +241,14 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
233
241
|
if validated_params.empty?
|
|
234
242
|
raise ArgumentError, "You must provide parameters to aws_security_group, such as group_name, group_id, or vpc_id.g_group."
|
|
235
243
|
end
|
|
244
|
+
|
|
236
245
|
validated_params
|
|
237
246
|
end
|
|
238
247
|
|
|
239
248
|
def count_sg_rules(ip_permissions)
|
|
240
249
|
rule_count = 0
|
|
241
250
|
ip_permissions.each do |ip_permission|
|
|
242
|
-
|
|
251
|
+
%i{ip_ranges ipv_6_ranges user_id_group_pairs}.each do |key|
|
|
243
252
|
if ip_permission.key? key
|
|
244
253
|
rule_count += ip_permission[key].length
|
|
245
254
|
end
|
|
@@ -253,16 +262,18 @@ class AwsSecurityGroup < Inspec.resource(1)
|
|
|
253
262
|
|
|
254
263
|
# Transform into filter format expected by AWS
|
|
255
264
|
filters = []
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
265
|
+
%i{
|
|
266
|
+
description
|
|
267
|
+
group_id
|
|
268
|
+
group_name
|
|
269
|
+
vpc_id
|
|
270
|
+
}.each do |criterion_name|
|
|
262
271
|
instance_var = "@#{criterion_name}".to_sym
|
|
263
272
|
next unless instance_variable_defined?(instance_var)
|
|
273
|
+
|
|
264
274
|
val = instance_variable_get(instance_var)
|
|
265
275
|
next if val.nil?
|
|
276
|
+
|
|
266
277
|
filters.push(
|
|
267
278
|
{
|
|
268
279
|
name: criterion_name.to_s.tr("_", "-"),
|
|
@@ -20,7 +20,7 @@ class AwsSnsSubscription < Inspec.resource(1)
|
|
|
20
20
|
|
|
21
21
|
include AwsSingularResourceMixin
|
|
22
22
|
attr_reader :arn, :owner, :raw_message_delivery, :topic_arn, :endpoint, :protocol,
|
|
23
|
-
|
|
23
|
+
:confirmation_was_authenticated, :aws_response
|
|
24
24
|
|
|
25
25
|
alias confirmation_authenticated? confirmation_was_authenticated
|
|
26
26
|
alias raw_message_delivery? raw_message_delivery
|
|
@@ -18,6 +18,7 @@ class AwsSnsTopics < Inspec.resource(1)
|
|
|
18
18
|
unless resource_params.empty?
|
|
19
19
|
raise ArgumentError, "aws_sns_topics does not accept resource parameters."
|
|
20
20
|
end
|
|
21
|
+
|
|
21
22
|
resource_params
|
|
22
23
|
end
|
|
23
24
|
|
|
@@ -30,6 +31,7 @@ class AwsSnsTopics < Inspec.resource(1)
|
|
|
30
31
|
api_result = backend.list_topics(pagination_opts)
|
|
31
32
|
@table += api_result.topics.map(&:to_h)
|
|
32
33
|
break if api_result.next_token.nil?
|
|
34
|
+
|
|
33
35
|
pagination_opts = { next_token: api_result.next_token }
|
|
34
36
|
end
|
|
35
37
|
end
|
|
@@ -15,8 +15,8 @@ class AwsSubnet < Inspec.resource(1)
|
|
|
15
15
|
|
|
16
16
|
include AwsSingularResourceMixin
|
|
17
17
|
attr_reader :assigning_ipv_6_address_on_creation, :availability_zone, :available_ip_address_count,
|
|
18
|
-
|
|
19
|
-
|
|
18
|
+
:available, :cidr_block, :default_for_az, :ipv_6_cidr_block_association_set,
|
|
19
|
+
:mapping_public_ip_on_launch, :subnet_id, :vpc_id
|
|
20
20
|
alias available? available
|
|
21
21
|
alias default_for_az? default_for_az
|
|
22
22
|
alias mapping_public_ip_on_launch? mapping_public_ip_on_launch
|
|
@@ -21,6 +21,7 @@ class AwsSubnets < Inspec.resource(1)
|
|
|
21
21
|
unless resource_params.empty?
|
|
22
22
|
raise ArgumentError, "aws_vpc_subnets does not accept resource parameters."
|
|
23
23
|
end
|
|
24
|
+
|
|
24
25
|
resource_params
|
|
25
26
|
end
|
|
26
27
|
|
|
@@ -33,9 +34,9 @@ class AwsSubnets < Inspec.resource(1)
|
|
|
33
34
|
filter = FilterTable.create
|
|
34
35
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
|
35
36
|
filter.register_column(:vpc_ids, field: :vpc_id)
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
37
|
+
.register_column(:subnet_ids, field: :subnet_id)
|
|
38
|
+
.register_column(:cidr_blocks, field: :cidr_block)
|
|
39
|
+
.register_column(:states, field: :state)
|
|
39
40
|
filter.install_filter_methods_on_resource(self, :table)
|
|
40
41
|
|
|
41
42
|
def to_s
|
|
@@ -18,10 +18,10 @@ class AwsVpcs < Inspec.resource(1)
|
|
|
18
18
|
filter = FilterTable.create
|
|
19
19
|
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
|
20
20
|
filter.register_column(:cidr_blocks, field: :cidr_block)
|
|
21
|
-
|
|
21
|
+
.register_column(:vpc_ids, field: :vpc_id)
|
|
22
22
|
# We need a dummy here, so FilterTable will define and populate the dhcp_options_id field
|
|
23
23
|
filter.register_column(:dummy, field: :dhcp_options_id)
|
|
24
|
-
|
|
24
|
+
.register_column(:dhcp_options_ids) { |obj| obj.entries.map(&:dhcp_options_id).uniq }
|
|
25
25
|
filter.install_filter_methods_on_resource(self, :table)
|
|
26
26
|
|
|
27
27
|
def validate_params(raw_params)
|
|
@@ -29,6 +29,7 @@ class AwsVpcs < Inspec.resource(1)
|
|
|
29
29
|
unless raw_params.empty?
|
|
30
30
|
raise ArgumentError, "aws_vpcs does not accept resource parameters"
|
|
31
31
|
end
|
|
32
|
+
|
|
32
33
|
raw_params
|
|
33
34
|
end
|
|
34
35
|
|
|
@@ -32,10 +32,10 @@ module Inspec::Resources
|
|
|
32
32
|
# Define the filter table so that it can be interrogated
|
|
33
33
|
@filter = FilterTable.create
|
|
34
34
|
@filter.register_filter_method(:contains)
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
35
|
+
.register_column(:type, field: "type")
|
|
36
|
+
.register_column(:name, field: "name")
|
|
37
|
+
.register_column(:location, field: "location")
|
|
38
|
+
.register_column(:properties, field: "properties")
|
|
39
39
|
|
|
40
40
|
@filter.install_filter_methods_on_resource(self, :probes)
|
|
41
41
|
|
|
@@ -131,6 +131,7 @@ module Inspec::Resources
|
|
|
131
131
|
# @private
|
|
132
132
|
def create_has_methods
|
|
133
133
|
return if failed_resource?
|
|
134
|
+
|
|
134
135
|
# Create the has methods for each of the mappings
|
|
135
136
|
# This is a quick test to show that the resource group has at least one of these things
|
|
136
137
|
mapping.each do |name, type|
|