s3-secure 0.2.0 → 0.5.0

data/lib/s3_secure/encryption/show.rb

@@ -1,12 +1,6 @@
 class S3Secure::Encryption
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
       if rules
         puts "Bucket #{@bucket} is configured with these encryption rules:"
         puts rules.map(&:to_h)
@@ -14,5 +8,16 @@ class S3Secure::Encryption
         puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
+
+    def enabled?
+      !!(rules && !rules.empty?)
+    end
+
+    def rules
+      resp = s3.get_bucket_encryption(bucket: @bucket)
+      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+    end
+    memoize :rules
   end
 end

data/lib/s3_secure/help/batch.md

@@ -0,0 +1,14 @@
+There are some supported batch commands:
+
+    s3-secure batch encryption enable FILE.txt
+    s3-secure batch encryption disable FILE.txt
+    s3-secure batch policy enforce_ssl FILE.txt
+    s3-secure batch policy unforce_ssl FILE.txt
+
+The format of FILE.txt is a list of bucket names separated by newlines.  Example:
+
+buckets.txt:
+
+    my-bucket-1
+    my-bucket-2
+

data/lib/s3_secure/help/encryption/disable.md

@@ -0,0 +1,5 @@
+## Example
+
+    $ s3-secure encryption disable a-test-bucket-in-us-east-1
+    Bucket a-test-bucket-in-us-east-1 encryption has been removed
+    $

data/lib/s3_secure/help/encryption/enable.md

@@ -0,0 +1,6 @@
+## Example
+
+    $ s3-secure encryption enable a-test-bucket-in-us-east-1
+    Encyption enabled on bucket a-test-bucket-in-us-east-1 with rules:
+    {:apply_server_side_encryption_by_default=>{:sse_algorithm=>"AES256"}}
+    $

data/lib/s3_secure/help/encryption/list.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure encryption list                 # shows all buckets with and without polices
+    s3-secure encryption list --encryption    # only shows buckets with encryption
+    s3-secure encryption list --no-encryption # only shows buckets without encryption

data/lib/s3_secure/help/lifecycle/add.md

@@ -0,0 +1,13 @@
+## Example
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $
+
+By default, the add command will only add a lifecycle policy if you none exists.
+
+It may be useful to test adding an additional lifecycle policy, for this you can use both the `--additive` and `--prefix` options. Note, you must make sure that the lifecycle policies can work together. For example, they must have different prefixes.
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1 --additive --prefix /foo
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $

data/lib/s3_secure/help/lifecycle/list.md

@@ -0,0 +1,22 @@
+## Examples
+
+    $ s3-secure lifecycle list
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle true
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle false
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    +----------------------------+----------------------+
+    $

data/lib/s3_secure/help/lifecycle/remove.md

@@ -0,0 +1,5 @@
+## Examples
+
+    $ s3-secure lifecycle remove a-test-bucket-in-us-east-1
+    Removed the s3-secure-automated-cleanup lifecycle rule on bucket a-test-bucket-in-us-east-1
+    $

data/lib/s3_secure/help/lifecycle/show.md

@@ -0,0 +1,13 @@
+## Examples
+
+    $ s3-secure lifecycle show a-test-bucket-in-us-east-1
+    This S3 bucket has lifecycle rules
+    Bucket lifecycle details:
+    {:rules=>
+      [{:expiration=>{:expired_object_delete_marker=>true},
+        :id=>"s3-secure-automated-cleanup",
+        :prefix=>"/bar",
+        :status=>"Enabled",
+        :noncurrent_version_expiration=>{:noncurrent_days=>365},
+        :abort_incomplete_multipart_upload=>{:days_after_initiation=>30}}]}
+    $

data/lib/s3_secure/help/policy/enforce_ssl.md

@@ -0,0 +1,34 @@
+## Example
+
+    $ s3-secure policy enforce_ssl a-test-bucket-in-us-east-1
+    Add bucket policy to bucket a-test-bucket-in-us-east-1:
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "IPAllow",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
+          "Condition": {
+            "NotIpAddress": {
+              "aws:SourceIp": "54.240.143.0/24"
+            }
+          }
+        },
+        {
+          "Sid": "ForceSSLOnlyAccess",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:GetObject",
+          "Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
+          "Condition": {
+            "Bool": {
+              "aws:SecureTransport": "false"
+            }
+          }
+        }
+      ]
+    }
+    $

data/lib/s3_secure/help/policy/list.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure policy list             # shows all buckets with and without polices
+    s3-secure policy list --policy    # only shows buckets with policy
+    s3-secure policy list --no-policy # only shows buckets without policy

data/lib/s3_secure/help/policy/unforce_ssl.md

@@ -0,0 +1,61 @@
+## Example
+
+If the policy only has the ForceSSLOnlyAccess statement, then the entire bucket policy is removed:
+
+    $ s3-secure policy unforce_ssl a-test-bucket-in-us-west-1
+    Remove bucket policy to bucket a-test-bucket-in-us-west-1:
+    $
+
+If the policy has other statements, then only the ForceSSLOnlyAccess is removed any other policies are kept in tact.
+
+    $ s3-secure policy show a-test-bucket-in-us-east-1
+    Bucket a-test-bucket-in-us-east-1 is configured with this policy:
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "IPAllow",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
+          "Condition": {
+            "NotIpAddress": {
+              "aws:SourceIp": "54.240.143.0/24"
+            }
+          }
+        },
+        {
+          "Sid": "ForceSSLOnlyAccess",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:GetObject",
+          "Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
+          "Condition": {
+            "Bool": {
+              "aws:SecureTransport": "false"
+            }
+          }
+        }
+      ]
+    }
+    $ s3-secure policy unforce_ssl a-test-bucket-in-us-east-1
+    Remove bucket policy statement from bucket a-test-bucket-in-us-east-1:
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "IPAllow",
+          "Effect": "Deny",
+          "Principal": "*",
+          "Action": "s3:*",
+          "Resource": "arn:aws:s3:::a-test-bucket-in-us-east-1/*",
+          "Condition": {
+            "NotIpAddress": {
+              "aws:SourceIp": "54.240.143.0/24"
+            }
+          }
+        }
+      ]
+    }
+    $

data/lib/s3_secure/help/summary.md

@@ -0,0 +1,22 @@
+## Examples
+
+    $ s3-secure summary
+    Determining bucket security-related settings...
+    +----------------------------+------+------------+
+    |           Bucket           | SSL? | Encrypted? |
+    +----------------------------+------+------------+
+    | a-test-bucket-in-us-east-1 | yes  | no         |
+    | a-test-bucket-in-us-west-1 | no   | no         |
+    +----------------------------+------+------------+
+    $
+
+There are `--ssl no` and `--encrypted no` filtering options:
+
+    $ s3-secure summary --ssl no --encrypted no
+    Determining bucket security-related settings...
+    +----------------------------+------+------------+
+    |           Bucket           | SSL? | Encrypted? |
+    +----------------------------+------+------------+
+    | a-test-bucket-in-us-west-1 | no   | no         |
+    +----------------------------+------+------------+
+    $

data/lib/s3_secure/lifecycle.rb

@@ -0,0 +1,31 @@
+module S3Secure
+  class Lifecycle < Command
+    desc "list", "List bucket lifecycles"
+    long_desc Help.text("lifecycle/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :lifecycle, desc: "Filter for lifecycle: all, true, false"
+    def list
+      List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket lifecycle"
+    long_desc Help.text("lifecycle/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "add BUCKET", "add bucket lifecycle"
+    long_desc Help.text("lifecycle/add")
+    option :additive, type: :boolean, desc: "Force adding another lifecycle rule even if one exists. Note, may fail, need a different prefix filter"
+    option :prefix, desc: "Filter prefix. Used with additive mode."
+    def add(bucket)
+      Add.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "remove BUCKET", "remove bucket lifecycle"
+    long_desc Help.text("lifecycle/remove")
+    def remove(bucket)
+      Remove.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/lifecycle/add.rb

@@ -0,0 +1,33 @@
+class S3Secure::Lifecycle
+  class Add < Base
+    RULE_ID = Base::RULE_ID
+
+    def run
+      show = Show.new(@options)
+      if @options[:additive]
+        current_rules = show.get_lifecycle_rules(@bucket)
+        builder = Builder.new(current_rules)
+        rules = builder.rules_with_addition(@options[:prefix])
+        if current_rules.size == rules.size
+          puts "WARN: rule wasnt added because a #{RULE_ID} already exists".color(:yellow)
+        else
+          s3.put_bucket_lifecycle_configuration(
+            bucket: @bucket, # required
+            lifecycle_configuration: {rules: rules}
+          )
+        end
+      elsif show.any?
+        puts "Bucket #{@bucket} is has a lifecycle policy already."
+        return
+      else
+        options = {
+          bucket: @bucket, # required
+          lifecycle_configuration: {rules: [Builder::DEFAULT_RULE]}
+        }
+        s3.put_bucket_lifecycle_configuration(options)
+      end
+
+      puts "Added lifecycle policy to bucket #{@bucket}"
+    end
+  end
+end

data/lib/s3_secure/lifecycle/base.rb

@@ -0,0 +1,5 @@
+class S3Secure::Lifecycle
+  class Base < S3Secure::AbstractBase
+    RULE_ID = "s3-secure-automated-cleanup"
+  end
+end

data/lib/s3_secure/lifecycle/builder.rb

@@ -0,0 +1,47 @@
+class S3Secure::Lifecycle
+  class Builder
+    # Note: put_bucket_lifecycle_configuration and put_bucket_lifecycle understand different payloads.
+    # put_bucket_lifecycle is old and shouldnt be used
+    RULE_ID = Base::RULE_ID
+    DEFAULT_RULE = {
+      expiration: {expired_object_delete_marker: true},
+      id: RULE_ID,
+      status: "Enabled",
+      prefix: "",
+      noncurrent_version_expiration: {noncurrent_days: 365},
+      abort_incomplete_multipart_upload: {days_after_initiation: 30}
+    }
+
+    def initialize(rules)
+      @rules = rules || []
+    end
+
+    def has?(id)
+      !!@rules.detect { |rule| rule[:id] == id }
+    end
+
+    def rules_with_addition(prefix=nil)
+      rules = @rules.dup
+      unless has?(RULE_ID)
+        rule = DEFAULT_RULE
+        rule[:prefix] = prefix if prefix
+        rules << rule
+      end
+      rules
+    end
+
+    def rules_with_removal
+      rules = @rules.dup
+      rules.delete_if { |rule| rule[:id] == RULE_ID }
+      rules
+    end
+
+    def build(type)
+      if type == :remove
+        remove_lifecycle
+      else
+        add_lifecycle
+      end
+    end
+  end
+end

data/lib/s3_secure/lifecycle/list.rb

@@ -0,0 +1,24 @@
+class S3Secure::Lifecycle
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Lifecycle Rules?"]
+
+      buckets.each do |bucket|
+        $stderr.puts "Getting lifecycle policy for bucket #{bucket.color(:green)}"
+
+        show = Show.new(bucket: bucket)
+        row = [bucket, show.any?]
+        if @options[:lifecycle].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:lifecycle]
+          presenter.rows << row if status # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless status # only show if bucket doesnt have any encryption rules
+        end
+      end
+
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/lifecycle/remove.rb

@@ -0,0 +1,28 @@
+class S3Secure::Lifecycle
+  class Remove < Base
+    RULE_ID = Base::RULE_ID
+
+    def run
+      show = Show.new(@options)
+      unless show.has?(RULE_ID)
+        puts "Bucket #{@bucket} already does not have the #{RULE_ID} lifecycle rule."
+        return
+      end
+
+      builder = Builder.new(show.get_lifecycle_rules(@bucket))
+      rules = builder.rules_with_removal
+      if rules.empty?
+        s3.delete_bucket_lifecycle(bucket: @bucket)
+      else
+        # update config with removal
+        s3.put_bucket_lifecycle_configuration(
+          bucket: @bucket, # required
+          # content_md5: "ContentMD5",
+          lifecycle_configuration: {rules: rules}
+        )
+      end
+
+      puts "Removed the #{RULE_ID} lifecycle rule on bucket #{@bucket}"
+    end
+  end
+end

data/lib/s3_secure/lifecycle/show.rb

@@ -0,0 +1,40 @@
+class S3Secure::Lifecycle
+  class Show < Base
+    RULE_ID = Base::RULE_ID
+
+    def run
+      if any?
+        puts "This S3 bucket has lifecycle rules"
+      else
+        puts "This S3 bucket does not have lifecycle rules"
+      end
+
+      if any?
+        puts "Bucket lifecycle details: "
+        pp get_lifecycle(@bucket).to_h
+      end
+    end
+
+    def any?
+      rules = get_lifecycle_rules(@bucket)
+      !!(rules && !rules.empty?)
+    end
+
+    def has?(rule_id)
+      rules = get_lifecycle_rules(@bucket)
+      rules && rules.detect { |rule| rule[:id] == rule_id }
+    end
+
+    def get_lifecycle(bucket)
+      s3.get_bucket_lifecycle_configuration(bucket: bucket) # resp
+    rescue Aws::S3::Errors::NoSuchLifecycleConfiguration
+    end
+    memoize :get_lifecycle
+
+    # Also used by add and remove
+    def get_lifecycle_rules(bucket)
+      resp = get_lifecycle(bucket)
+      resp.rules.map(&:to_h) if resp
+    end
+  end
+end