s3-secure 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +16 -0
- data/.rspec +3 -0
- data/CHANGELOG.md +7 -0
- data/Gemfile +6 -0
- data/Gemfile.lock +89 -0
- data/Guardfile +19 -0
- data/LICENSE.txt +22 -0
- data/README.md +56 -0
- data/Rakefile +14 -0
- data/exe/s3-secure +14 -0
- data/lib/s3-secure.rb +1 -0
- data/lib/s3_secure.rb +14 -0
- data/lib/s3_secure/abstract_base.rb +17 -0
- data/lib/s3_secure/autoloader.rb +27 -0
- data/lib/s3_secure/aws_services.rb +36 -0
- data/lib/s3_secure/batch.rb +25 -0
- data/lib/s3_secure/cli.rb +37 -0
- data/lib/s3_secure/command.rb +82 -0
- data/lib/s3_secure/completer.rb +159 -0
- data/lib/s3_secure/completer/script.rb +6 -0
- data/lib/s3_secure/completer/script.sh +10 -0
- data/lib/s3_secure/encryption.rb +27 -0
- data/lib/s3_secure/encryption/base.rb +4 -0
- data/lib/s3_secure/encryption/disable.rb +18 -0
- data/lib/s3_secure/encryption/enable.rb +42 -0
- data/lib/s3_secure/encryption/list.rb +28 -0
- data/lib/s3_secure/encryption/show.rb +18 -0
- data/lib/s3_secure/help.rb +9 -0
- data/lib/s3_secure/help/completion.md +20 -0
- data/lib/s3_secure/help/completion_script.md +3 -0
- data/lib/s3_secure/help/hello.md +5 -0
- data/lib/s3_secure/policy.rb +27 -0
- data/lib/s3_secure/policy/base.rb +4 -0
- data/lib/s3_secure/policy/checker.rb +15 -0
- data/lib/s3_secure/policy/document.rb +27 -0
- data/lib/s3_secure/policy/document/base.rb +15 -0
- data/lib/s3_secure/policy/document/force_ssl_only_access.rb +33 -0
- data/lib/s3_secure/policy/document/force_ssl_only_access_remove.rb +33 -0
- data/lib/s3_secure/policy/enforce.rb +36 -0
- data/lib/s3_secure/policy/list.rb +29 -0
- data/lib/s3_secure/policy/show.rb +19 -0
- data/lib/s3_secure/policy/unforce.rb +41 -0
- data/lib/s3_secure/version.rb +3 -0
- data/s3-secure.gemspec +33 -0
- data/spec/lib/cli_spec.rb +12 -0
- data/spec/lib/policy/checker_spec.rb +68 -0
- data/spec/lib/policy/document/force_ssl_remove_spec.rb +107 -0
- data/spec/lib/policy/document_spec.rb +68 -0
- data/spec/spec_helper.rb +29 -0
- metadata +252 -0
@@ -0,0 +1,159 @@
|
|
1
|
+
=begin
|
2
|
+
Code Explanation:
|
3
|
+
|
4
|
+
There are 3 types of things to auto-complete:
|
5
|
+
|
6
|
+
1. command: the command itself
|
7
|
+
2. parameters: command parameters.
|
8
|
+
3. options: command options
|
9
|
+
|
10
|
+
Here's an example:
|
11
|
+
|
12
|
+
mycli hello name --from me
|
13
|
+
|
14
|
+
* command: hello
|
15
|
+
* parameters: name
|
16
|
+
* option: --from
|
17
|
+
|
18
|
+
When command parameters are done processing, the remaining completion words will be options. We can tell that the command params are completed based on the method arity.
|
19
|
+
|
20
|
+
## Arity
|
21
|
+
|
22
|
+
For example, say you had a method for a CLI command with the following form:
|
23
|
+
|
24
|
+
ufo scale service count --cluster development
|
25
|
+
|
26
|
+
It's equivalent ruby method:
|
27
|
+
|
28
|
+
scale(service, count) = has an arity of 2
|
29
|
+
|
30
|
+
So typing:
|
31
|
+
|
32
|
+
ufo scale service count [TAB] # there are 3 parameters including the "scale" command according to Thor's CLI processing.
|
33
|
+
|
34
|
+
So the completion should only show options, something like this:
|
35
|
+
|
36
|
+
--noop --verbose --cluster
|
37
|
+
|
38
|
+
## Splat Arguments
|
39
|
+
|
40
|
+
When the ruby method has a splat argument, it's arity is negative. Here are some example methods and their arities.
|
41
|
+
|
42
|
+
ship(service) = 1
|
43
|
+
scale(service, count) = 2
|
44
|
+
ships(*services) = -1
|
45
|
+
foo(example, *rest) = -2
|
46
|
+
|
47
|
+
Fortunately, negative and positive arity values are processed the same way. So we take simply take the absolute value of the arity and process it the same.
|
48
|
+
|
49
|
+
Here are some test cases, hit TAB after typing the command:
|
50
|
+
|
51
|
+
s3-secure completion
|
52
|
+
s3-secure completion hello
|
53
|
+
s3-secure completion hello name
|
54
|
+
s3-secure completion hello name --
|
55
|
+
s3-secure completion hello name --noop
|
56
|
+
|
57
|
+
s3-secure completion
|
58
|
+
s3-secure completion sub:goodbye
|
59
|
+
s3-secure completion sub:goodbye name
|
60
|
+
|
61
|
+
## Subcommands and Thor::Group Registered Commands
|
62
|
+
|
63
|
+
Sometimes the commands are not simple thor commands but are subcommands or Thor::Group commands. A good specific example is the ufo tool.
|
64
|
+
|
65
|
+
* regular command: ufo ship
|
66
|
+
* subcommand: ufo docker
|
67
|
+
* Thor::Group command: ufo init
|
68
|
+
|
69
|
+
Auto-completion accounts for each of these type of commands.
|
70
|
+
=end
|
71
|
+
module S3Secure
|
72
|
+
class Completer
|
73
|
+
def initialize(command_class, *params)
|
74
|
+
@params = params
|
75
|
+
@current_command = @params[0]
|
76
|
+
@command_class = command_class # CLI initiall
|
77
|
+
end
|
78
|
+
|
79
|
+
def run
|
80
|
+
if subcommand?(@current_command)
|
81
|
+
subcommand_class = @command_class.subcommand_classes[@current_command]
|
82
|
+
@params.shift # destructive
|
83
|
+
Completer.new(subcommand_class, *@params).run # recursively use subcommand
|
84
|
+
return
|
85
|
+
end
|
86
|
+
|
87
|
+
# full command has been found!
|
88
|
+
unless found?(@current_command)
|
89
|
+
puts all_commands
|
90
|
+
return
|
91
|
+
end
|
92
|
+
|
93
|
+
# will only get to here if command aws found (above)
|
94
|
+
arity = @command_class.instance_method(@current_command).arity.abs
|
95
|
+
if @params.size > arity or thor_group_command?
|
96
|
+
puts options_completion
|
97
|
+
else
|
98
|
+
puts params_completion
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
def subcommand?(command)
|
103
|
+
@command_class.subcommands.include?(command)
|
104
|
+
end
|
105
|
+
|
106
|
+
# hacky way to detect that command is a registered Thor::Group command
|
107
|
+
def thor_group_command?
|
108
|
+
command_params(raw=true) == [[:rest, :args]]
|
109
|
+
end
|
110
|
+
|
111
|
+
def found?(command)
|
112
|
+
public_methods = @command_class.public_instance_methods(false)
|
113
|
+
command && public_methods.include?(command.to_sym)
|
114
|
+
end
|
115
|
+
|
116
|
+
# all top-level commands
|
117
|
+
def all_commands
|
118
|
+
commands = @command_class.all_commands.reject do |k,v|
|
119
|
+
v.is_a?(Thor::HiddenCommand)
|
120
|
+
end
|
121
|
+
commands.keys
|
122
|
+
end
|
123
|
+
|
124
|
+
def command_params(raw=false)
|
125
|
+
params = @command_class.instance_method(@current_command).parameters
|
126
|
+
# Example:
|
127
|
+
# >> Sub.instance_method(:goodbye).parameters
|
128
|
+
# => [[:req, :name]]
|
129
|
+
# >>
|
130
|
+
raw ? params : params.map!(&:last)
|
131
|
+
end
|
132
|
+
|
133
|
+
def params_completion
|
134
|
+
offset = @params.size - 1
|
135
|
+
offset_params = command_params[offset..-1]
|
136
|
+
command_params[offset..-1].first
|
137
|
+
end
|
138
|
+
|
139
|
+
def options_completion
|
140
|
+
used = ARGV.select { |a| a.include?('--') } # so we can remove used options
|
141
|
+
|
142
|
+
method_options = @command_class.all_commands[@current_command].options.keys
|
143
|
+
class_options = @command_class.class_options.keys
|
144
|
+
|
145
|
+
all_options = method_options + class_options + ['help']
|
146
|
+
|
147
|
+
all_options.map! { |o| "--#{o.to_s.gsub('_','-')}" }
|
148
|
+
filtered_options = all_options - used
|
149
|
+
filtered_options.uniq
|
150
|
+
end
|
151
|
+
|
152
|
+
# Useful for debugging. Using puts messes up completion.
|
153
|
+
def log(msg)
|
154
|
+
File.open("/tmp/complete.log", "a") do |file|
|
155
|
+
file.puts(msg)
|
156
|
+
end
|
157
|
+
end
|
158
|
+
end
|
159
|
+
end
|
@@ -0,0 +1,10 @@
|
|
1
|
+
_s3-secure() {
|
2
|
+
COMPREPLY=()
|
3
|
+
local word="${COMP_WORDS[COMP_CWORD]}"
|
4
|
+
local words=("${COMP_WORDS[@]}")
|
5
|
+
unset words[0]
|
6
|
+
local completion=$(s3-secure completion ${words[@]})
|
7
|
+
COMPREPLY=( $(compgen -W "$completion" -- "$word") )
|
8
|
+
}
|
9
|
+
|
10
|
+
complete -F _s3-secure s3-secure
|
@@ -0,0 +1,27 @@
|
|
1
|
+
module S3Secure
|
2
|
+
class Encryption < Command
|
3
|
+
desc "list", "List bucket encryptions"
|
4
|
+
long_desc Help.text("encryption/list")
|
5
|
+
def list
|
6
|
+
List.new(options).run
|
7
|
+
end
|
8
|
+
|
9
|
+
desc "show BUCKET", "show bucket encryption"
|
10
|
+
long_desc Help.text("encryption/show")
|
11
|
+
def show(bucket)
|
12
|
+
Show.new(options.merge(bucket: bucket)).run
|
13
|
+
end
|
14
|
+
|
15
|
+
desc "enable BUCKET", "enable bucket encryption"
|
16
|
+
long_desc Help.text("encryption/enable")
|
17
|
+
def enable(bucket)
|
18
|
+
Enable.new(options.merge(bucket: bucket)).run
|
19
|
+
end
|
20
|
+
|
21
|
+
desc "disable BUCKET", "disable bucket encryption"
|
22
|
+
long_desc Help.text("encryption/disable")
|
23
|
+
def disable(bucket)
|
24
|
+
Disable.new(options.merge(bucket: bucket)).run
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
class S3Secure::Encryption
|
2
|
+
class Disable < Base
|
3
|
+
def run
|
4
|
+
@s3 = s3_regional_client(@bucket)
|
5
|
+
|
6
|
+
list = S3Secure::Encryption::List.new(@options)
|
7
|
+
list.set_s3(@s3)
|
8
|
+
|
9
|
+
rules = list.get_encryption_rules(@bucket)
|
10
|
+
if rules
|
11
|
+
@s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
|
12
|
+
puts "Bucket #{@bucket} encryption has been removed"
|
13
|
+
else
|
14
|
+
puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,42 @@
|
|
1
|
+
class S3Secure::Encryption
|
2
|
+
class Enable < Base
|
3
|
+
def run
|
4
|
+
@s3 = s3_regional_client(@bucket)
|
5
|
+
|
6
|
+
list = S3Secure::Encryption::List.new(@options)
|
7
|
+
list.set_s3(@s3)
|
8
|
+
|
9
|
+
rules = list.get_encryption_rules(@bucket)
|
10
|
+
if rules
|
11
|
+
# check rules to see if encryption is already set of some sort
|
12
|
+
puts "Bucket #{@bucket} already has encryption rules:"
|
13
|
+
puts rules.map(&:to_h)
|
14
|
+
else
|
15
|
+
# Set encryption rules
|
16
|
+
# Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
|
17
|
+
# API docs: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ServerSideEncryptionByDefault.html
|
18
|
+
#
|
19
|
+
# put_bucket_encryption returns #<struct Aws::EmptyStructure>
|
20
|
+
#
|
21
|
+
@s3.put_bucket_encryption(
|
22
|
+
bucket: @bucket,
|
23
|
+
server_side_encryption_configuration: {
|
24
|
+
rules: [rule]})
|
25
|
+
puts "Encyption enabled on bucket #{@bucket} with rules:"
|
26
|
+
pp rule
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def rule
|
31
|
+
options = if @options[:kms_key] # SSE-KMS
|
32
|
+
{
|
33
|
+
sse_algorithm: "aws:kms", # required, accepts AES256, aws:kms
|
34
|
+
kms_master_key_id: @options[:kms_key], # "SSEKMSKeyId",
|
35
|
+
}
|
36
|
+
else # SSE-S3
|
37
|
+
{ sse_algorithm: "AES256" }
|
38
|
+
end
|
39
|
+
{ apply_server_side_encryption_by_default: options }
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
@@ -0,0 +1,28 @@
|
|
1
|
+
class S3Secure::Encryption
|
2
|
+
class List < Base
|
3
|
+
def run
|
4
|
+
buckets.each do |bucket|
|
5
|
+
@s3 = s3_regional_client(bucket)
|
6
|
+
puts "Policy for bucket #{bucket.color(:green)}"
|
7
|
+
encryption_rules = get_encryption_rules(bucket)
|
8
|
+
|
9
|
+
if encryption_rules
|
10
|
+
puts encryption_rules
|
11
|
+
else
|
12
|
+
puts "Bucket does not have bucket encryption enabled"
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
16
|
+
|
17
|
+
def get_encryption_rules(bucket)
|
18
|
+
resp = @s3.get_bucket_encryption(bucket: bucket)
|
19
|
+
resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
|
20
|
+
rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
|
21
|
+
end
|
22
|
+
|
23
|
+
# Useful when calling List outside of the list CLI
|
24
|
+
def set_s3(client)
|
25
|
+
@s3 = client
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
@@ -0,0 +1,18 @@
|
|
1
|
+
class S3Secure::Encryption
|
2
|
+
class Show < Base
|
3
|
+
def run
|
4
|
+
@s3 = s3_regional_client(@bucket)
|
5
|
+
|
6
|
+
list = S3Secure::Encryption::List.new(@options)
|
7
|
+
list.set_s3(@s3)
|
8
|
+
|
9
|
+
rules = list.get_encryption_rules(@bucket)
|
10
|
+
if rules
|
11
|
+
puts "Bucket #{@bucket} is configured with these encryption rules:"
|
12
|
+
puts rules.map(&:to_h)
|
13
|
+
else
|
14
|
+
puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
@@ -0,0 +1,20 @@
|
|
1
|
+
## Examples
|
2
|
+
|
3
|
+
s3-secure completion
|
4
|
+
|
5
|
+
Prints words for TAB auto-completion.
|
6
|
+
|
7
|
+
s3-secure completion
|
8
|
+
s3-secure completion hello
|
9
|
+
s3-secure completion hello name
|
10
|
+
|
11
|
+
To enable, TAB auto-completion add the following to your profile:
|
12
|
+
|
13
|
+
eval $(s3-secure completion_script)
|
14
|
+
|
15
|
+
Auto-completion example usage:
|
16
|
+
|
17
|
+
s3-secure [TAB]
|
18
|
+
s3-secure hello [TAB]
|
19
|
+
s3-secure hello name [TAB]
|
20
|
+
s3-secure hello name --[TAB]
|
@@ -0,0 +1,27 @@
|
|
1
|
+
module S3Secure
|
2
|
+
class Policy < Command
|
3
|
+
desc "list", "List bucket policies"
|
4
|
+
long_desc Help.text("policy/list")
|
5
|
+
def list
|
6
|
+
List.new(options).run
|
7
|
+
end
|
8
|
+
|
9
|
+
desc "show BUCKET", "show bucket policy"
|
10
|
+
long_desc Help.text("policy/show")
|
11
|
+
def show(bucket)
|
12
|
+
Show.new(options.merge(bucket: bucket)).run
|
13
|
+
end
|
14
|
+
|
15
|
+
desc "enforce_ssl BUCKET", "Add enforce ssl bucket policy"
|
16
|
+
long_desc Help.text("policy/enforce_ssl")
|
17
|
+
def enforce_ssl(bucket)
|
18
|
+
Enforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
|
19
|
+
end
|
20
|
+
|
21
|
+
desc "unforce_ssl BUCKET", "Remove enforce ssl bucket policy"
|
22
|
+
long_desc Help.text("policy/unforce_ssl")
|
23
|
+
def unforce_ssl(bucket)
|
24
|
+
Unforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
class S3Secure::Policy
|
2
|
+
class Checker
|
3
|
+
def initialize(bucket_policy)
|
4
|
+
@bucket_policy = bucket_policy # existing document policy
|
5
|
+
end
|
6
|
+
|
7
|
+
def has?(sid)
|
8
|
+
return false if @bucket_policy.blank?
|
9
|
+
|
10
|
+
policy_document = JSON.load(@bucket_policy)
|
11
|
+
statements = policy_document["Statement"]
|
12
|
+
!!statements.detect { |s| s["Sid"] == sid }
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,27 @@
|
|
1
|
+
class S3Secure::Policy
|
2
|
+
class Document
|
3
|
+
extend Memoist
|
4
|
+
|
5
|
+
delegate :has?, to: :checker
|
6
|
+
|
7
|
+
def initialize(bucket, bucket_policy, remove: false)
|
8
|
+
@bucket, @bucket_policy, @remove = bucket, bucket_policy, remove # existing document policy
|
9
|
+
end
|
10
|
+
|
11
|
+
# Returns JSON text
|
12
|
+
# Currently only support adding ForceSSLOnlyAccess document policy.
|
13
|
+
def policy_document(sid, remove: false)
|
14
|
+
enforcer_class = "S3Secure::Policy::Document::#{sid}"
|
15
|
+
enforcer_class += "Remove" if @remove
|
16
|
+
enforcer_class = enforcer_class.constantize # IE: ForceSSLOnlyAccess or ForceSSLOnlyAccessRemove
|
17
|
+
enforcer = enforcer_class.new(@bucket, @bucket_policy)
|
18
|
+
policy = enforcer.policy_document
|
19
|
+
JSON.pretty_generate(policy) if policy
|
20
|
+
end
|
21
|
+
|
22
|
+
def checker
|
23
|
+
Checker.new(@bucket_policy)
|
24
|
+
end
|
25
|
+
memoize :checker
|
26
|
+
end
|
27
|
+
end
|