outliers 0.0.0 → 0.0.1

data/lib/outliers/resources/aws/ec2/instance.rb

@@ -0,0 +1,75 @@
+module Outliers
+  module Resources
+    module Aws
+      module Ec2
+        class Instance < Resource
+          def self.key
+            'instance_id'
+          end
+
+          def self.verifications
+            [
+              { name: 'classic',
+                description: 'Instance is in AWS Classic (No VPC).' },
+              { name: 'source_dest_check',
+                description: 'Instance source dest check set to true.' },
+              { name: 'running',
+                description: 'Instance status is running.' },
+              { name: 'valid_image_id',
+                description: 'ami_ids=ami_id1,ami_id2 - Instances Image ID (AMI) is in given list.',
+                args: 'image_ids: [IMAGE_ID1, IMAGEID2]' },
+              { name: 'vpc',
+                description: 'Instance is in a VPC.' }
+            ]
+          end
+
+          def classic?
+            !vpc?
+          end
+
+          def running?
+            logger.debug "Verifying '#{status}' equals 'running'."
+            status == :running
+          end
+
+          def source_dest_check?
+            unless vpc?
+              logger.debug "Instance must be in a VPC to validate source_dest_check. Returning false."
+              return false
+            end
+            source_dest_check == true
+          end
+
+          def valid_image_id?(args)
+            image_ids = Array(args[:image_ids])
+
+            logger.debug "Verifying Image ID '#{image_id}' is one of '#{image_ids.join(', ')}'."
+            image_ids.include? image_id
+          end
+
+          def vpc?
+            !source.vpc_id.nil?
+          end
+
+          private
+
+          def tags
+            @tags ||= source.tags
+          end
+
+          def image_id
+            @image_id ||= source.image_id
+          end
+
+          def instance_type
+            @instance_type ||= source.instance_type
+          end
+
+          def source_dest_check
+            @source_dest_check ||= source.source_dest_check
+          end
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/ec2/instance_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Ec2
+        class InstanceCollection < Collection
+
+          def load_all
+            connect.instances.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/ec2/security_group.rb

@@ -0,0 +1,28 @@
+module Outliers
+  module Resources
+    module Aws
+      module Ec2
+        class SecurityGroup < Resource
+          def self.verifications
+            [
+              { name: 'no_public_internet_ingress',
+                description: 'Security Group has no rules open to "0.0.0.0/0".' }
+            ]
+          end
+
+          def no_public_internet_ingress?
+            logger.debug "Verifying '#{id}'."
+            source.ip_permissions.select do |i|
+              if !i.egress? && (i.ip_ranges.include? "0.0.0.0/0")
+                logger.debug "Security Group '#{id}' is open to '#{i.ip_ranges.join(', ')}' via '#{i.protocol}'."
+                false
+              else
+                true
+              end
+            end.any?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/ec2/security_group_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Ec2
+        class SecurityGroupCollection < Collection
+
+          def load_all
+            connect.security_groups.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/elb/load_balancer.rb

@@ -0,0 +1,51 @@
+module Outliers
+  module Resources
+    module Aws
+      module Elb
+        class LoadBalancer < Resource
+          def self.verifications
+            [
+              { name: 'ssl_certificates_valid',
+                description: 'Validates all SSL certificates associated with an ELB are valid for given number of days',
+                args: 'days: DAYS' }
+            ]
+          end
+
+          def ssl_certificates_valid?(args)
+            days = args[:days]
+            pass = true
+
+            logger.debug "Load Balancer '#{id}' has no certificates." unless certificates.any?
+
+            date = Time.now + (days.to_i * 86400)
+
+            logger.debug "Validating no certs expire before '#{date.to_s}'."
+
+            certificates.each do |c|
+              certificate = OpenSSL::X509::Certificate.new c.certificate_body
+              subject     = certificate.subject
+              not_after   = certificate.not_after
+
+              logger.debug "Certificate '#{subject}' expires '#{not_after}'."
+              result = not_after > date
+              logger.debug "Certificate #{result ? "valid" : "invalid"}."
+              pass = false unless result
+            end
+            pass
+          end
+
+          private
+
+          def certificates
+            listeners.map {|l| l.server_certificate}.reject {|s| s.nil?}
+          end
+
+          def listeners
+            @listeners ||= source.listeners
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/elb/load_balancer_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Elb
+        class LoadBalancerCollection < Collection
+
+          def load_all
+            connect.load_balancers.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/iam/user.rb

@@ -0,0 +1,40 @@
+module Outliers
+  module Resources
+    module Aws
+      module Iam
+        class User < Resource
+          def self.verifications
+            [
+              { name: 'mfa_enabled',
+                description: 'Verify MFA enabled for user.' },
+              { name: 'no_access_keys',
+                description: 'Verify user has no access keys.' },
+              { name: 'no_password_set',
+                description: 'Verify password not set for user.' }
+            ]
+          end
+
+          def no_access_keys?
+            logger.debug "#{id} has #{access_keys.count} access key(s)."
+            !access_keys.any?
+          end
+
+          def no_password_set?
+            !source.login_profile.exists?
+          end
+
+          def mfa_enabled?
+            source.mfa_devices.count > 0
+          end
+
+          private
+
+          def access_keys
+            @access_keys ||= source.access_keys
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/iam/user_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Iam
+        class UserCollection < Collection
+
+          def load_all
+            connect.users.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/rds/db_instance.rb

@@ -0,0 +1,35 @@
+module Outliers
+  module Resources
+    module Aws
+      module Rds
+        class DbInstance < Resource
+          def self.key
+            'db_instance_identifier'
+          end
+
+          def self.verifications
+            [ 
+              { name: 'backup_retention_period',
+                description: 'Validate the backup retention period equals given days for the db_instance.',
+                args: 'days: DAYS' },
+              { name: 'multi_az',
+                description: 'RDS Multi AZ set to yes.' }
+            ]
+          end
+
+          def backup_retention_period?(args)
+            days = args[:days]
+
+            current = source.backup_retention_period
+            logger.debug "Verifying '#{id}' retention period of '#{current}' equals '#{days}' days."
+            current.to_i == days.to_i
+          end
+
+          def multi_az?
+            source.multi_az?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/rds/db_instance_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Rds
+        class DbInstanceCollection < Collection
+
+          def load_all
+            connect.db_instances.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/rds/db_snapshot.rb

@@ -0,0 +1,13 @@
+module Outliers
+  module Resources
+    module Aws
+      module Rds
+        class DbSnapshot < Resource
+          def self.key
+            'db_snapshot_identifier'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/rds/db_snapshot_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Rds
+        class DbSnapshotCollection < Collection
+
+          def load_all
+            connect.db_snapshots.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/s3/bucket.rb

@@ -0,0 +1,73 @@
+module Outliers
+  module Resources
+    module Aws
+      module S3
+        class Bucket < Resource
+
+          def self.verifications
+            [
+              { name: 'empty',
+                description: 'Bucket has no objects.' },
+              { name: 'no_public_objects',
+                description: 'Bucket has no public accessible objects.' },
+              { name: 'configured_as_website',
+                description: 'Bucket is configured as a website.' },
+              { name: 'not_configured_as_website',
+                description: 'Bucket is not configured as a website.' }
+            ]
+          end
+
+          def empty?
+            logger.debug "Bucket #{id} has #{count} objects."
+
+            count == 0
+          end
+
+          def no_public_objects?
+            passed = true
+            
+            logger.info "Validating #{objects.count} objects in '#{id}' are private."
+
+            objects.each do |o|
+              logger.debug "Verifying '#{o.key}' is private."
+              o.acl.grants.select do |g|
+                grantee = Nokogiri::XML(g.grantee.to_s).children.children.children.to_s
+                if grantee == "http://acs.amazonaws.com/groups/global/AllUsers" || grantee == "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+                  logger.debug "Object '#{o.key}' in '#{id}' has public grant '#{grantee}'."
+                  passed = false
+                end
+              end
+            end
+
+            logger.debug "Verification of '#{id}' #{passed ? 'passed' : 'failed'}."
+
+            passed
+          end
+
+          def not_configured_as_website?
+            !configured_as_website?
+          end
+
+          def configured_as_website?
+            !website_configuration.nil?
+          end
+
+          private
+
+          def website_configuration
+            source.website_configuration
+          end
+
+          def count
+            objects.count
+          end
+
+          def objects
+            @objects ||= source.objects
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/s3/bucket_collection.rb

@@ -0,0 +1,18 @@
+module Outliers
+  module Resources
+    module Aws
+      module S3
+        class BucketCollection < Collection
+
+          def load_all
+            unless provider.credentials['region'] == 'us-east-1'
+              raise Exceptions::UnsupportedRegion.new "Bucket verifications must target region us-east-1."
+            end
+            connect.buckets.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/sqs/queue.rb

@@ -0,0 +1,13 @@
+module Outliers
+  module Resources
+    module Aws
+      module Sqs
+        class Queue < Resource
+          def self.key
+            'url'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws/sqs/queue_collection.rb

@@ -0,0 +1,15 @@
+module Outliers
+  module Resources
+    module Aws
+      module Sqs
+        class QueueCollection < Collection
+
+          def load_all
+            connect.queues.map {|r| resource_class.new r}
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/aws.rb

@@ -0,0 +1,18 @@
+require 'outliers/resources/aws/cloud_formation/stack'
+require 'outliers/resources/aws/cloud_formation/stack_collection'
+require 'outliers/resources/aws/ec2/security_group'
+require 'outliers/resources/aws/ec2/security_group_collection'
+require 'outliers/resources/aws/ec2/instance'
+require 'outliers/resources/aws/ec2/instance_collection'
+require 'outliers/resources/aws/elb/load_balancer'
+require 'outliers/resources/aws/elb/load_balancer_collection'
+require 'outliers/resources/aws/iam/user'
+require 'outliers/resources/aws/iam/user_collection'
+require 'outliers/resources/aws/rds/db_instance'
+require 'outliers/resources/aws/rds/db_instance_collection'
+require 'outliers/resources/aws/rds/db_snapshot'
+require 'outliers/resources/aws/rds/db_snapshot_collection'
+require 'outliers/resources/aws/s3/bucket'
+require 'outliers/resources/aws/s3/bucket_collection'
+require 'outliers/resources/aws/sqs/queue'
+require 'outliers/resources/aws/sqs/queue_collection'

data/lib/outliers/resources/github/repo.rb

@@ -0,0 +1,24 @@
+module Outliers
+  module Resources
+    module Github
+      class Repo < Resource
+        def self.verifications
+          [
+            { name: 'private',
+              description: 'Repo is private.' },
+            { name: 'public',
+              description: 'Repo is public.' }
+          ]
+        end
+
+        def private?
+          source.private
+        end
+
+        def public?
+          !source.private
+        end
+      end
+    end
+  end
+end

data/lib/outliers/resources/github/repo_collection.rb

@@ -0,0 +1,13 @@
+module Outliers
+  module Resources
+    module Github
+      class RepoCollection < Collection
+
+        def load_all
+          connect.repos.list(:type => 'all').map {|r| resource_class.new r}
+        end
+
+      end
+    end
+  end
+end

data/lib/outliers/resources/github.rb

@@ -0,0 +1,2 @@
+require 'outliers/resources/github/repo'
+require 'outliers/resources/github/repo_collection'

data/lib/outliers/resources.rb

@@ -0,0 +1,12 @@
+require 'outliers/resources/aws'
+require 'outliers/resources/github'
+ 
+module Outliers
+  module Resources
+    module_function
+
+    def collections
+      all_the_modules.select {|m| (m.is_a? Class) && (m.to_s =~ /Collection$/)}
+    end
+  end
+end

data/lib/outliers/result.rb

@@ -0,0 +1,24 @@
+module Outliers
+  class Result
+
+    attr_reader :description, :passed
+
+    def initialize(args)
+      @description = args[:description]
+      @passed      = args[:passed]
+    end
+
+    def to_s
+      passed? ? 'passed' : 'failed'
+    end
+
+    def passed?
+      @passed == true
+    end
+
+    def failed?
+      !passed?
+    end
+
+  end
+end

data/lib/outliers/run.rb

@@ -0,0 +1,40 @@
+module Outliers
+  class Run
+    attr_accessor :credentials, :results
+
+    def initialize
+      @results = []
+    end
+
+    def process_evaluations_in_config_folder
+      evaluations_path = File.join Outliers.config_path
+      entries = Dir.entries(evaluations_path) - ['.', '..']
+      entries.each do |e|
+        file = File.join(evaluations_path, e)
+        unless File.directory? file
+          logger.info "Processing '#{file}'."
+          self.instance_eval File.read(file)
+        end
+      end
+    end
+
+    def evaluate(name='unspecified')
+      yield Evaluation.new :name => name, :run => self
+    end
+
+    def passed
+      @results.select {|r| r.passed?}
+    end
+
+    def failed
+      @results.reject {|r| r.passed?}
+    end
+
+    private
+
+    def logger
+      @logger ||= Outliers.logger
+    end
+
+  end
+end

data/lib/outliers/verifications/shared.rb

@@ -0,0 +1,31 @@
+module Outliers
+  module Verifications
+    module Shared
+
+      def none_exist?
+        logger.debug 'Verifying no resources exist.'
+        logger.debug "Found #{all.empty? ? 'no resources' : all_by_key.join(',')}."
+        all.empty?
+      end
+
+      def equals?(args)
+        list = Array(args[:keys])
+        logger.debug "Verifying '#{list.join(',')}' equals #{all.empty? ? 'no resources' : all_by_key.join(',')}."
+        list == all_by_key
+      end
+
+      module_function
+
+      def verifications
+         [
+           { name: 'none_exist',
+             description: 'Verify no resources exist.' },
+           { name: 'equals',
+             description: 'Verify resources match the given list of keys.',
+             args: 'keys: [KEY1,KEY2]' }
+         ]
+      end
+
+    end
+  end
+end

data/lib/outliers/verifications.rb

@@ -0,0 +1 @@
+require 'outliers/verifications/shared'

data/lib/outliers/version.rb

@@ -1,3 +1,3 @@
 module Outliers
-  VERSION = "0.0.0"
+  VERSION = "0.0.1"
 end

data/lib/outliers.rb

@@ -1,5 +1,28 @@
+require "outliers/mixins.rb"
+require "outliers/verifications"
+
+require "outliers/collection"
+require "outliers/credentials"
+require "outliers/exceptions"
+require "outliers/evaluation"
+require "outliers/provider"
+require "outliers/providers"
+require "outliers/resource"
+require "outliers/resources"
+require "outliers/result"
+require "outliers/run"
+
 require "outliers/version"
 
 module Outliers
-  # Your code goes here...
+  module_function
+
+  def logger(logger=nil)
+    @logger ||= logger ? logger : Logger.new(STDOUT)
+  end
+
+  def config_path(path=nil)
+    @config_path ||= path ? path : './'
+  end
+
 end