RubyGems - s3-secure - Versions diffs - 0.2.0 → 0.5.0 - Mend

s3-secure 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (63) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/CHANGELOG.md +16 -0
data/LICENSE.txt +201 -22
data/README.md +134 -16
data/lib/s3_secure.rb +3 -2
data/lib/s3_secure/access_logs.rb +30 -0
data/lib/s3_secure/access_logs/base.rb +4 -0
data/lib/s3_secure/access_logs/disable.rb +37 -0
data/lib/s3_secure/access_logs/enable.rb +41 -0
data/lib/s3_secure/access_logs/list.rb +25 -0
data/lib/s3_secure/access_logs/show.rb +89 -0
data/lib/s3_secure/aws_services.rb +1 -30
data/lib/s3_secure/aws_services/s3.rb +54 -0
data/lib/s3_secure/cli.rb +26 -0
data/lib/s3_secure/command.rb +7 -0
data/lib/s3_secure/encryption.rb +2 -0
data/lib/s3_secure/encryption/disable.rb +4 -8
data/lib/s3_secure/encryption/enable.rb +4 -8
data/lib/s3_secure/encryption/list.rb +12 -16
data/lib/s3_secure/encryption/show.rb +11 -6
data/lib/s3_secure/help/batch.md +14 -0
data/lib/s3_secure/help/encryption/disable.md +5 -0
data/lib/s3_secure/help/encryption/enable.md +6 -0
data/lib/s3_secure/help/encryption/list.md +5 -0
data/lib/s3_secure/help/lifecycle/add.md +13 -0
data/lib/s3_secure/help/lifecycle/list.md +22 -0
data/lib/s3_secure/help/lifecycle/remove.md +5 -0
data/lib/s3_secure/help/lifecycle/show.md +13 -0
data/lib/s3_secure/help/policy/enforce_ssl.md +34 -0
data/lib/s3_secure/help/policy/list.md +5 -0
data/lib/s3_secure/help/policy/unforce_ssl.md +61 -0
data/lib/s3_secure/help/summary.md +22 -0
data/lib/s3_secure/lifecycle.rb +31 -0
data/lib/s3_secure/lifecycle/add.rb +33 -0
data/lib/s3_secure/lifecycle/base.rb +5 -0
data/lib/s3_secure/lifecycle/builder.rb +47 -0
data/lib/s3_secure/lifecycle/list.rb +24 -0
data/lib/s3_secure/lifecycle/remove.rb +28 -0
data/lib/s3_secure/lifecycle/show.rb +40 -0
data/lib/s3_secure/policy.rb +2 -0
data/lib/s3_secure/policy/document.rb +1 -1
data/lib/s3_secure/policy/enforce.rb +3 -6
data/lib/s3_secure/policy/list.rb +13 -17
data/lib/s3_secure/policy/show.rb +8 -6
data/lib/s3_secure/policy/unforce.rb +5 -8
data/lib/s3_secure/remediate_all.rb +11 -0
data/lib/s3_secure/summary.rb +13 -0
data/lib/s3_secure/summary/item.rb +16 -0
data/lib/s3_secure/summary/items.rb +65 -0
data/lib/s3_secure/table.rb +18 -0
data/lib/s3_secure/version.rb +1 -1
data/lib/s3_secure/versioning.rb +29 -0
data/lib/s3_secure/versioning/base.rb +4 -0
data/lib/s3_secure/versioning/disable.rb +19 -0
data/lib/s3_secure/versioning/enable.rb +19 -0
data/lib/s3_secure/versioning/list.rb +24 -0
data/lib/s3_secure/versioning/show.rb +27 -0
data/s3-secure.gemspec +5 -2
data/spec/lib/lifecycle/builder_spec.rb +85 -0
metadata +71 -6
data/Gemfile.lock +0 -89
data/lib/s3_secure/help/hello.md +0 -5

data/lib/s3_secure/access_logs.rb ADDED

@@ -0,0 +1,30 @@
+module S3Secure
+  class AccessLogs < Command
+    desc "list", "List bucket access_logs setting"
+    long_desc Help.text("access_logs/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :access_logs, type: :boolean, desc: "Filter for access_logs: all, true, false"
+    def list
+      List.new(options).run
+    end
+    desc "show BUCKET", "show bucket access_logs"
+    long_desc Help.text("access_logs/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+    desc "enable BUCKET", "enable bucket access_logs"
+    long_desc Help.text("access_logs/enable")
+    option :target_bucket, desc: "Target s3 bucket"
+    def enable(bucket)
+      Enable.new(options.merge(bucket: bucket)).run
+    end
+    desc "disable BUCKET", "disable bucket access_logs"
+    long_desc Help.text("access_logs/disable")
+    def disable(bucket)
+      Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/access_logs/base.rb ADDED

@@ -0,0 +1,4 @@
+class S3Secure::AccessLogs
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/access_logs/disable.rb ADDED

@@ -0,0 +1,37 @@
+class S3Secure::AccessLogs
+  class Disable < Base
+    def run
+      @show = Show.new(bucket: @bucket)
+      remove_access_logging
+      remove_bucket_acl
+    end
+    def remove_access_logging
+      unless @show.logging_enabled?
+        puts "Bucket #{@bucket} is not configured with access logging. So nothing to remove."
+        return
+      end
+      s3.put_bucket_logging(
+        bucket: @bucket, # source
+        bucket_logging_status: {}, # empty hash to remove
+      )
+      puts "Bucket #{@bucket} access logging removed"
+    end
+    def remove_bucket_acl
+      unless @show.acl_enabled?
+        puts "Bucket #{@bucket} is not configured the log delivery ACL. So nothing to remove."
+        return
+      end
+      access_control_policy = @show.access_control_policy_without_log_delivery_permissions
+      s3.put_bucket_acl(
+        bucket: @bucket,
+        access_control_policy: access_control_policy,
+      )
+      puts "Bucket #{@bucket} ACL Log Delivery removed"
+    end
+  end
+end

data/lib/s3_secure/access_logs/enable.rb ADDED

@@ -0,0 +1,41 @@
+class S3Secure::AccessLogs
+  class Enable < Base
+    def run
+      @show = Show.new(bucket: @bucket)
+      add_bucket_acl
+      enable_access_logging
+    end
+    # Bucket ACL applies on the target bucket only
+    def add_bucket_acl
+      if @show.acl_enabled?
+        puts "Bucket acl already has log delivery ACL"
+        return
+      end
+      s3.put_bucket_acl(
+        bucket: @bucket,
+        access_control_policy: @show.access_control_policy_with_log_delivery_permissions,
+      )
+      puts "Added to bucket acl that grants log delivery"
+    end
+    def enable_access_logging
+      if @show.logging_enabled?
+        puts "Bucket access logging already enabled"
+        return
+      end
+      s3.put_bucket_logging(
+        bucket: @bucket, # source
+        bucket_logging_status: {
+          logging_enabled: {
+            target_bucket: @show.target_bucket,
+            target_prefix: @show.target_prefix,
+          },
+        },
+      )
+      puts "Enabled access logging on the source bucket #{@bucket} to be delivered to the target bucket #{@show.target_bucket}"
+    end
+  end
+end

data/lib/s3_secure/access_logs/list.rb ADDED

@@ -0,0 +1,25 @@
+class S3Secure::AccessLogs
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Access Logs?"]
+      buckets.each do |bucket|
+        $stderr.puts "Getting access log setting for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        enabled = show.logging_enabled?
+        row = [bucket, enabled]
+        if @options[:enabled].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:enabled]
+          presenter.rows << row if enabled # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless enabled # only show if bucket doesnt have any encryption rules
+        end
+      end
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/access_logs/show.rb ADDED

@@ -0,0 +1,89 @@
+class S3Secure::AccessLogs
+  class Show < Base
+    def run
+      puts "Bucket ACL:"
+      pp bucket_acl_grants
+      puts "Bucket Logging:"
+      pp bucket_logging
+    end
+    def bucket_logging
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_logging(bucket: target_bucket).to_h
+      end
+    end
+    memoize :bucket_logging
+    def bucket_acl
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_acl(bucket: target_bucket)
+      end
+    end
+    memoize :bucket_acl
+    def bucket_acl_grants
+      bucket_acl.grants.map(&:to_h)
+    end
+    def enabled?
+      acl_enabled? && logging_enabled?
+    end
+    def acl_enabled?
+      grants = bucket_acl_grants & log_delivery_access_grants
+      !grants.empty?
+    end
+    def logging_enabled?
+      !bucket_logging.empty?
+    end
+    def log_delivery_access_grants
+      [
+        {
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "WRITE"
+        },{
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "READ_ACP"
+        }
+      ]
+    end
+    def access_control_policy_with_log_delivery_permissions
+      grants = bucket_acl_grants + log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+    def access_control_policy_without_log_delivery_permissions
+      grants = bucket_acl_grants - log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+    def owner
+      {
+        display_name: bucket_acl.owner.display_name,
+        id: bucket_acl.owner.id,
+      }
+    end
+    def target_bucket
+      @options[:target_bucket] || @bucket
+    end
+    def target_prefix
+      prefix = @options[:target_prefix] || "access-logs"
+      prefix += "/" unless prefix.ends_with?("/")
+      prefix
+    end
+    def with_regional_s3(bucket)
+      current_bucket, @bucket = @bucket, bucket
+      result = yield
+      @bucket = current_bucket
+      result
+    end
+  end
+end

data/lib/s3_secure/aws_services.rb CHANGED

@@ -2,35 +2,6 @@ require "aws-sdk-s3"
 module S3Secure
   module AwsServices
-    extend Memoist
-    @@buckets = {} # holds bucket => region map
-    def s3_regional_client(bucket)
-      region = @@buckets[bucket]
-      unless region
-        resp = s3_client.get_bucket_location(bucket: bucket)
-        region = resp.location_constraint
-        region = 'us-east-1' if region.empty? # "" means us-east-1
-      end
-      new_s3_regional_client(region)
-    end
-    def new_s3_regional_client(region=nil)
-      options = {}
-      options[:endpoint] = "https://s3.#{region}.amazonaws.com" if region
-      options[:region] = region if region
-      Aws::S3::Client.new(options)
-    end
-    memoize :new_s3_regional_client
-    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
-    # Used to call get_bucket_location to get each specific bucket's location.
-    # Generally use the s3_regional_client instead of this.
-    def s3_client
-      Aws::S3::Client.new
-    end
-    memoize :s3_client
+    include S3
   end
 end

data/lib/s3_secure/aws_services/s3.rb ADDED

@@ -0,0 +1,54 @@
+module S3Secure::AwsServices
+  module S3
+    extend Memoist
+    @@s3_clients = {} # holds cached s3 regional clients cache
+    def s3
+      check_bucket!
+      @@s3_clients[@bucket] ||= new_s3_regional_client
+    end
+    def new_s3_regional_client
+      options = {}
+      options[:endpoint] = "https://s3.#{region}.amazonaws.com"
+      options[:region] = region
+      Aws::S3::Client.new(options)
+    rescue Aws::STS::Errors::RegionDisabledException
+      puts "ERROR: Fail to establish client connection to region #{region}".color(:red)
+      raise
+    end
+    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
+    # Used to call get_bucket_location to get each specific bucket's location.
+    # Generally use the s3_regional_client instead of this.
+    def s3_client
+      Aws::S3::Client.new
+    end
+    memoize :s3_client
+    def check_bucket!
+      # IMPORANT: The class that includes this module must set @bucket before using the s3 method.
+      unless @bucket
+        raise "@bucket #{@bucket.inspect} is not set. The class must set @bucket before using the any client method."
+      end
+      region_map # triggers building region map for specific @bucket
+    end
+    @@region_map = {} # bucket to region map cache
+    def region_map
+      region = @@region_map[@bucket]
+      return @@region_map if region # return cache
+      # build cache
+      resp = s3_client.get_bucket_location(bucket: @bucket)
+      region = resp.location_constraint
+      region = 'us-east-1' if region.empty? # "" means us-east-1
+      @@region_map[@bucket] = region
+      @@region_map
+    end
+    def region
+      region_map[@bucket]
+    end
+  end
+end

data/lib/s3_secure/cli.rb CHANGED

@@ -3,6 +3,10 @@ module S3Secure
     class_option :verbose, type: :boolean
     class_option :noop, type: :boolean
+    desc "access_logs SUBCOMMAND", "access_logs subcommands"
+    long_desc Help.text(:access_logs)
+    subcommand "access_logs", AccessLogs
     desc "encryption SUBCOMMAND", "encryption subcommands"
     long_desc Help.text(:encryption)
     subcommand "encryption", Encryption
@@ -11,6 +15,28 @@ module S3Secure
     long_desc Help.text(:policy)
     subcommand "policy", Policy
+    desc "versioning SUBCOMMAND", "versioning subcommands"
+    long_desc Help.text(:versioning)
+    subcommand "versioning", Versioning
+    desc "lifecycle SUBCOMMAND", "lifecycle subcommands"
+    long_desc Help.text(:lifecycle)
+    subcommand "lifecycle", Lifecycle
+    desc "remediate_all", "Remediate all. For more fine-grain control use each of the commands directly."
+    long_desc Help.text("remediate_all")
+    def remediate_all(bucket)
+      RemediateAll.new(options.merge(bucket: bucket)).run
+    end
+    desc "summary", "Summarize buckets"
+    long_desc Help.text("summary")
+    option :encrypted, default: "any", desc: "filter for encryption enabled. Examples: any, yes, no"
+    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
+    def summary
+      Summary.new(options).run
+    end
     desc "batch *PARAMS", "Batch wrapper method"
     long_desc Help.text(:batch)
     def batch(*params)

data/lib/s3_secure/command.rb CHANGED

@@ -77,6 +77,13 @@ module S3Secure
       def website
         ""
       end
+      # https://github.com/erikhuda/thor/issues/244
+      # Deprecation warning: Thor exit with status 0 on errors. To keep this behavior, you must define `exit_on_failure?` in `Lono::CLI`
+      # You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
+      def exit_on_failure?
+        true
+      end
     end
   end
 end

data/lib/s3_secure/encryption.rb CHANGED

@@ -2,6 +2,8 @@ module S3Secure
   class Encryption < Command
     desc "list", "List bucket encryptions"
     long_desc Help.text("encryption/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :encryption, type: :boolean, desc: "Filter for encryption: all, true, false"
     def list
       List.new(options).run
     end

data/lib/s3_secure/encryption/disable.rb CHANGED

@@ -1,17 +1,13 @@
 class S3Secure::Encryption
   class Disable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-      rules = list.get_encryption_rules(@bucket)
-      if rules
-        @s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
+      if show.enabled?
+        s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
         puts "Bucket #{@bucket} encryption has been removed"
       else
-        puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
+        puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
   end

data/lib/s3_secure/encryption/enable.rb CHANGED

@@ -1,16 +1,12 @@
 class S3Secure::Encryption
   class Enable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-      rules = list.get_encryption_rules(@bucket)
-      if rules
+      if show.enabled?
         # check rules to see if encryption is already set of some sort
         puts "Bucket #{@bucket} already has encryption rules:"
-        puts rules.map(&:to_h)
+        puts show.rules.map(&:to_h)
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
@@ -18,7 +14,7 @@ class S3Secure::Encryption
         #
         #    put_bucket_encryption returns #<struct Aws::EmptyStructure>
         #
-        @s3.put_bucket_encryption(
+        s3.put_bucket_encryption(
           bucket: @bucket,
           server_side_encryption_configuration: {
             rules: [rule]})

data/lib/s3_secure/encryption/list.rb CHANGED

@@ -1,28 +1,24 @@
 class S3Secure::Encryption
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Encryption?"]
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        encryption_rules = get_encryption_rules(bucket)
+        $stderr.puts "Getting encryption for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
-        if encryption_rules
-          puts encryption_rules
+        row = [bucket, show.enabled?]
+        if @options[:encryption].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:encryption]
+          presenter.rows << row if show.enabled? # only show if bucket has some encryption rules
         else
-          puts "Bucket does not have bucket encryption enabled"
+          presenter.rows << row unless show.enabled? # only show if bucket doesnt have any encryption rules
         end
       end
-    end
-    def get_encryption_rules(bucket)
-      resp = @s3.get_bucket_encryption(bucket: bucket)
-      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
-    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
-    end
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end