s3-secure 0.1.0

data/lib/s3_secure/completer.rb

@@ -0,0 +1,159 @@
+=begin
+Code Explanation:
+
+There are 3 types of things to auto-complete:
+
+  1. command: the command itself
+  2. parameters: command parameters.
+  3. options: command options
+
+Here's an example:
+
+  mycli hello name --from me
+
+  * command: hello
+  * parameters: name
+  * option: --from
+
+When command parameters are done processing, the remaining completion words will be options.  We can tell that the command params are completed based on the method arity.
+
+## Arity
+
+For example, say you had a method for a CLI command with the following form:
+
+  ufo scale service count --cluster development
+
+It's equivalent ruby method:
+
+  scale(service, count) = has an arity of 2
+
+So typing:
+
+  ufo scale service count [TAB] # there are 3 parameters including the "scale" command according to Thor's CLI processing.
+
+So the completion should only show options, something like this:
+
+  --noop --verbose --cluster
+
+## Splat Arguments
+
+When the ruby method has a splat argument, it's arity is negative.  Here are some example methods and their arities.
+
+   ship(service) = 1
+   scale(service, count) = 2
+   ships(*services) = -1
+   foo(example, *rest) = -2
+
+Fortunately, negative and positive arity values are processed the same way. So we take simply take the absolute value of the arity and process it the same.
+
+Here are some test cases, hit TAB after typing the command:
+
+  s3-secure completion
+  s3-secure completion hello
+  s3-secure completion hello name
+  s3-secure completion hello name --
+  s3-secure completion hello name --noop
+
+  s3-secure completion
+  s3-secure completion sub:goodbye
+  s3-secure completion sub:goodbye name
+
+## Subcommands and Thor::Group Registered Commands
+
+Sometimes the commands are not simple thor commands but are subcommands or Thor::Group commands. A good specific example is the ufo tool.
+
+  * regular command: ufo ship
+  * subcommand: ufo docker
+  * Thor::Group command: ufo init
+
+Auto-completion accounts for each of these type of commands.
+=end
+module S3Secure
+  class Completer
+    def initialize(command_class, *params)
+      @params = params
+      @current_command = @params[0]
+      @command_class = command_class # CLI initiall
+    end
+
+    def run
+      if subcommand?(@current_command)
+        subcommand_class = @command_class.subcommand_classes[@current_command]
+        @params.shift # destructive
+        Completer.new(subcommand_class, *@params).run # recursively use subcommand
+        return
+      end
+
+      # full command has been found!
+      unless found?(@current_command)
+        puts all_commands
+        return
+      end
+
+      # will only get to here if command aws found (above)
+      arity = @command_class.instance_method(@current_command).arity.abs
+      if @params.size > arity or thor_group_command?
+        puts options_completion
+      else
+        puts params_completion
+      end
+    end
+
+    def subcommand?(command)
+      @command_class.subcommands.include?(command)
+    end
+
+    # hacky way to detect that command is a registered Thor::Group command
+    def thor_group_command?
+      command_params(raw=true) == [[:rest, :args]]
+    end
+
+    def found?(command)
+      public_methods = @command_class.public_instance_methods(false)
+      command && public_methods.include?(command.to_sym)
+    end
+
+    # all top-level commands
+    def all_commands
+      commands = @command_class.all_commands.reject do |k,v|
+        v.is_a?(Thor::HiddenCommand)
+      end
+      commands.keys
+    end
+
+    def command_params(raw=false)
+      params = @command_class.instance_method(@current_command).parameters
+      # Example:
+      # >> Sub.instance_method(:goodbye).parameters
+      # => [[:req, :name]]
+      # >>
+      raw ? params : params.map!(&:last)
+    end
+
+    def params_completion
+      offset = @params.size - 1
+      offset_params = command_params[offset..-1]
+      command_params[offset..-1].first
+    end
+
+    def options_completion
+      used = ARGV.select { |a| a.include?('--') } # so we can remove used options
+
+      method_options = @command_class.all_commands[@current_command].options.keys
+      class_options = @command_class.class_options.keys
+
+      all_options = method_options + class_options + ['help']
+
+      all_options.map! { |o| "--#{o.to_s.gsub('_','-')}" }
+      filtered_options = all_options - used
+      filtered_options.uniq
+    end
+
+    # Useful for debugging. Using puts messes up completion.
+    def log(msg)
+      File.open("/tmp/complete.log", "a") do |file|
+        file.puts(msg)
+      end
+    end
+  end
+end

data/lib/s3_secure/completer/script.rb

@@ -0,0 +1,6 @@
+class S3Secure::Completer::Script
+  def self.generate
+    bash_script = File.expand_path("script.sh", File.dirname(__FILE__))
+    puts "source #{bash_script}"
+  end
+end

data/lib/s3_secure/completer/script.sh

@@ -0,0 +1,10 @@
+_s3-secure() {
+  COMPREPLY=()
+  local word="${COMP_WORDS[COMP_CWORD]}"
+  local words=("${COMP_WORDS[@]}")
+  unset words[0]
+  local completion=$(s3-secure completion ${words[@]})
+  COMPREPLY=( $(compgen -W "$completion" -- "$word") )
+}
+
+complete -F _s3-secure s3-secure

data/lib/s3_secure/encryption.rb

@@ -0,0 +1,27 @@
+module S3Secure
+  class Encryption < Command
+    desc "list", "List bucket encryptions"
+    long_desc Help.text("encryption/list")
+    def list
+      List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket encryption"
+    long_desc Help.text("encryption/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enable BUCKET", "enable bucket encryption"
+    long_desc Help.text("encryption/enable")
+    def enable(bucket)
+      Enable.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "disable BUCKET", "disable bucket encryption"
+    long_desc Help.text("encryption/disable")
+    def disable(bucket)
+      Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/encryption/base.rb

@@ -0,0 +1,4 @@
+class S3Secure::Encryption
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/encryption/disable.rb

@@ -0,0 +1,18 @@
+class S3Secure::Encryption
+  class Disable < Base
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Encryption::List.new(@options)
+      list.set_s3(@s3)
+
+      rules = list.get_encryption_rules(@bucket)
+      if rules
+        @s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
+        puts "Bucket #{@bucket} encryption has been removed"
+      else
+        puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
+      end
+    end
+  end
+end

data/lib/s3_secure/encryption/enable.rb

@@ -0,0 +1,42 @@
+class S3Secure::Encryption
+  class Enable < Base
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Encryption::List.new(@options)
+      list.set_s3(@s3)
+
+      rules = list.get_encryption_rules(@bucket)
+      if rules
+        # check rules to see if encryption is already set of some sort
+        puts "Bucket #{@bucket} already has encryption rules:"
+        puts rules.map(&:to_h)
+      else
+        # Set encryption rules
+        # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
+        # API docs: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ServerSideEncryptionByDefault.html
+        #
+        #    put_bucket_encryption returns #<struct Aws::EmptyStructure>
+        #
+        @s3.put_bucket_encryption(
+          bucket: @bucket,
+          server_side_encryption_configuration: {
+            rules: [rule]})
+        puts "Encyption enabled on bucket #{@bucket} with rules:"
+        pp rule
+      end
+    end
+
+    def rule
+      options = if @options[:kms_key] # SSE-KMS
+                  {
+                    sse_algorithm: "aws:kms", # required, accepts AES256, aws:kms
+                    kms_master_key_id: @options[:kms_key], # "SSEKMSKeyId",
+                  }
+                else # SSE-S3
+                  { sse_algorithm: "AES256" }
+                end
+      { apply_server_side_encryption_by_default: options }
+    end
+  end
+end

data/lib/s3_secure/encryption/list.rb

@@ -0,0 +1,28 @@
+class S3Secure::Encryption
+  class List < Base
+    def run
+      buckets.each do |bucket|
+        @s3 = s3_regional_client(bucket)
+        puts "Policy for bucket #{bucket.color(:green)}"
+        encryption_rules = get_encryption_rules(bucket)
+
+        if encryption_rules
+          puts encryption_rules
+        else
+          puts "Bucket does not have bucket encryption enabled"
+        end
+      end
+    end
+
+    def get_encryption_rules(bucket)
+      resp = @s3.get_bucket_encryption(bucket: bucket)
+      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+    end
+
+    # Useful when calling List outside of the list CLI
+    def set_s3(client)
+      @s3 = client
+    end
+  end
+end

data/lib/s3_secure/encryption/show.rb

@@ -0,0 +1,18 @@
+class S3Secure::Encryption
+  class Show < Base
+    def run
+      @s3 = s3_regional_client(@bucket)
+
+      list = S3Secure::Encryption::List.new(@options)
+      list.set_s3(@s3)
+
+      rules = list.get_encryption_rules(@bucket)
+      if rules
+        puts "Bucket #{@bucket} is configured with these encryption rules:"
+        puts rules.map(&:to_h)
+      else
+        puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
+      end
+    end
+  end
+end

data/lib/s3_secure/help.rb

@@ -0,0 +1,9 @@
+module S3Secure::Help
+  class << self
+    def text(namespaced_command)
+      path = namespaced_command.to_s.gsub(':','/')
+      path = File.expand_path("../help/#{path}.md", __FILE__)
+      IO.read(path) if File.exist?(path)
+    end
+  end
+end

data/lib/s3_secure/help/completion.md

@@ -0,0 +1,20 @@
+## Examples
+
+    s3-secure completion
+
+Prints words for TAB auto-completion.
+
+    s3-secure completion
+    s3-secure completion hello
+    s3-secure completion hello name
+
+To enable, TAB auto-completion add the following to your profile:
+
+    eval $(s3-secure completion_script)
+
+Auto-completion example usage:
+
+    s3-secure [TAB]
+    s3-secure hello [TAB]
+    s3-secure hello name [TAB]
+    s3-secure hello name --[TAB]

data/lib/s3_secure/help/completion_script.md

@@ -0,0 +1,3 @@
+To use, add the following to your `~/.bashrc` or `~/.profile`
+
+    eval $(s3-secure completion_script)

data/lib/s3_secure/help/hello.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure hello
+    s3-secure hello NAME
+    s3-secure hello NAME --from me

data/lib/s3_secure/policy.rb

@@ -0,0 +1,27 @@
+module S3Secure
+  class Policy < Command
+    desc "list", "List bucket policies"
+    long_desc Help.text("policy/list")
+    def list
+      List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket policy"
+    long_desc Help.text("policy/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enforce_ssl BUCKET", "Add enforce ssl bucket policy"
+    long_desc Help.text("policy/enforce_ssl")
+    def enforce_ssl(bucket)
+      Enforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
+    end
+
+    desc "unforce_ssl BUCKET", "Remove enforce ssl bucket policy"
+    long_desc Help.text("policy/unforce_ssl")
+    def unforce_ssl(bucket)
+      Unforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
+    end
+  end
+end

data/lib/s3_secure/policy/base.rb

@@ -0,0 +1,4 @@
+class S3Secure::Policy
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/policy/checker.rb

@@ -0,0 +1,15 @@
+class S3Secure::Policy
+  class Checker
+    def initialize(bucket_policy)
+      @bucket_policy = bucket_policy # existing document policy
+    end
+
+    def has?(sid)
+      return false if @bucket_policy.blank?
+
+      policy_document = JSON.load(@bucket_policy)
+      statements = policy_document["Statement"]
+      !!statements.detect { |s| s["Sid"] == sid }
+    end
+  end
+end

data/lib/s3_secure/policy/document.rb

@@ -0,0 +1,27 @@
+class S3Secure::Policy
+  class Document
+    extend Memoist
+
+    delegate :has?, to: :checker
+
+    def initialize(bucket, bucket_policy, remove: false)
+      @bucket, @bucket_policy, @remove = bucket, bucket_policy, remove # existing document policy
+    end
+
+    # Returns JSON text
+    # Currently only support adding ForceSSLOnlyAccess document policy.
+    def policy_document(sid, remove: false)
+      enforcer_class = "S3Secure::Policy::Document::#{sid}"
+      enforcer_class += "Remove" if @remove
+      enforcer_class = enforcer_class.constantize # IE: ForceSSLOnlyAccess or ForceSSLOnlyAccessRemove
+      enforcer = enforcer_class.new(@bucket, @bucket_policy)
+      policy = enforcer.policy_document
+      JSON.pretty_generate(policy) if policy
+    end
+
+    def checker
+      Checker.new(@bucket_policy)
+    end
+    memoize :checker
+  end
+end