s3-secure 0.2.0 → 0.5.0

data/lib/s3_secure/policy.rb

@@ -2,6 +2,8 @@ module S3Secure
   class Policy < Command
     desc "list", "List bucket policies"
     long_desc Help.text("policy/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :policy, type: :boolean, desc: "Filter for policy: all, true, false"
     def list
       List.new(options).run
     end

data/lib/s3_secure/policy/document.rb

@@ -10,7 +10,7 @@ class S3Secure::Policy
 
     # Returns JSON text
     # Currently only support adding ForceSSLOnlyAccess document policy.
-    def policy_document(sid, remove: false)
+    def policy_document(sid)
       enforcer_class = "S3Secure::Policy::Document::#{sid}"
       enforcer_class += "Remove" if @remove
       enforcer_class = enforcer_class.constantize # IE: ForceSSLOnlyAccess or ForceSSLOnlyAccessRemove

data/lib/s3_secure/policy/enforce.rb

@@ -6,12 +6,9 @@ class S3Secure::Policy
     end
 
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
 
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy)
       if document.has?(@sid)
         puts "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
@@ -24,7 +21,7 @@ class S3Secure::Policy
         #    put_bucket_policy returns #<struct Aws::EmptyStructure>
         #
         policy_document = document.policy_document(@sid)
-        @s3.put_bucket_policy(
+        s3.put_bucket_policy(
           bucket: @bucket,
           policy: policy_document,
         )

data/lib/s3_secure/policy/list.rb

@@ -1,29 +1,25 @@
 class S3Secure::Policy
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Policy?"]
+
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        policy = get_policy(bucket)
+        $stderr.puts "Getting policy for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        policy = show.policy
 
-        if policy
-          puts policy
+        row = [bucket, !!policy]
+        if @options[:policy].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:policy]
+          presenter.rows << row if policy # only show if bucket has a policy
         else
-          puts "Bucket does not have a bucket policy"
+          presenter.rows << row unless policy # only show if bucket doesnt have a policy
         end
       end
-    end
-
-    def get_policy(bucket)
-      resp = @s3.get_bucket_policy(bucket: bucket)
-      data = JSON.load(resp.policy.read) # String
-      JSON.pretty_generate(data)
-    rescue Aws::S3::Errors::NoSuchBucketPolicy
-    end
 
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end

data/lib/s3_secure/policy/show.rb

@@ -1,12 +1,6 @@
 class S3Secure::Policy
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-
-      policy = list.get_policy(@bucket)
       if policy
         puts "Bucket #{@bucket} is configured with this policy:"
         puts policy
@@ -15,5 +9,13 @@ class S3Secure::Policy
         puts "Bucket #{@bucket} is not configured bucket policy"
       end
     end
+
+    def policy
+      resp = s3.get_bucket_policy(bucket: @bucket)
+      data = JSON.load(resp.policy.read) # String
+      JSON.pretty_generate(data)
+    rescue Aws::S3::Errors::NoSuchBucketPolicy
+    end
+    memoize :policy
   end
 end

data/lib/s3_secure/policy/unforce.rb

@@ -6,12 +6,9 @@ class S3Secure::Policy
     end
 
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
 
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy, remove: true)
       if document.has?(@sid)
         # Set encryption rules
@@ -23,15 +20,15 @@ class S3Secure::Policy
         policy_document = document.policy_document(@sid)
 
         if policy_document
-          @s3.put_bucket_policy(
+          s3.put_bucket_policy(
             bucket: @bucket,
             policy: policy_document,
           )
         else
-          @s3.delete_bucket_policy(bucket: @bucket)
+          s3.delete_bucket_policy(bucket: @bucket)
         end
 
-        puts "Remove bucket policy to bucket #{@bucket}:"
+        puts "Remove bucket policy statement from bucket #{@bucket}:"
         puts policy_document if policy_document
       else
         puts "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."

data/lib/s3_secure/remediate_all.rb

@@ -0,0 +1,11 @@
+module S3Secure
+  class RemediateAll < AbstractBase
+    def run
+      Encryption::Enable.new(bucket: @bucket).run
+      Policy::Enforce.new(bucket: @bucket, sid: "ForceSSLOnlyAccess").run
+      Versioning::Enable.new(bucket: @bucket).run
+      Lifecycle::Add.new(bucket: @bucket).run
+      AccessLogs::Enable.new(bucket: @bucket).run
+    end
+  end
+end

data/lib/s3_secure/summary.rb

@@ -0,0 +1,13 @@
+module S3Secure
+  class Summary < AbstractBase
+    def run
+      $stderr.puts("Determining bucket security-related settings. Can take a while for lots of buckets...")
+      data = [%w[Bucket SSL? Encrypted?]]
+      items = Items.new(@options, buckets)
+      items.filtered_items.each do |i|
+        data << [i.bucket, i.ssl, i.encrypted]
+      end
+      S3Secure::Table.new(@options, data).display
+    end
+  end
+end

data/lib/s3_secure/summary/item.rb

@@ -0,0 +1,16 @@
+class S3Secure::Summary
+  class Item
+    attr_reader :bucket
+    def initialize(bucket, properties={})
+      @bucket, @properties = bucket, properties
+    end
+
+    def method_missing(name, *args, &block)
+      if @properties.key?(name)
+        @properties[name]
+      else
+        super
+      end
+    end
+  end
+end

data/lib/s3_secure/summary/items.rb

@@ -0,0 +1,65 @@
+class S3Secure::Summary
+  class Items < S3Secure::AbstractBase
+    extend Memoist
+
+    # override initialize
+    def initialize(options, buckets)
+      @options, @buckets = options, buckets
+      @ssl, @encrypted = @options[:ssl], @options[:encrypted]
+    end
+
+    def filtered_items
+      items = all_items.select do |item|
+        case @ssl
+        when "yes", "no"
+          @ssl == item.ssl
+        else # any or fallback
+          true
+        end
+      end
+
+      items.select do |item|
+        case @encrypted
+        when "yes", "no"
+          @encrypted == item.encrypted
+        else # any or fallback
+          true
+        end
+      end
+    end
+
+    # Triggers loading of items
+    def all_items
+      load_items!
+    end
+
+    def load_items!
+      @buckets.map do |bucket|
+        Item.new(bucket,
+                 ssl: ssl?(bucket) ? "yes" : "no",
+                 encrypted: encrypted?(bucket) ? "yes" : "no")
+      end
+    end
+    memoize :load_items!
+
+  private
+    def ssl?(bucket)
+      list = S3Secure::Policy::List.new(@options)
+
+      bucket_policy = list.get_policy(bucket)
+      document = S3Secure::Policy::Document.new(bucket, bucket_policy)
+      document.has?("ForceSSLOnlyAccess")
+    end
+    memoize :ssl?
+
+    def encrypted?(bucket)
+      s3 = s3_regional_client(bucket)
+      list = S3Secure::Encryption::List.new(@options)
+      list.set_s3(s3)
+
+      rules = list.get_encryption_rules(bucket)
+      !!rules
+    end
+    memoize :encrypted?
+  end
+end

data/lib/s3_secure/table.rb

@@ -0,0 +1,18 @@
+require "text-table"
+
+module S3Secure
+  class Table
+    attr_reader :data
+    def initialize(options, data)
+      @options = options
+      @data = data
+    end
+
+    def display
+      table = Text::Table.new
+      table.head = data.shift
+      table.rows = data
+      puts table
+    end
+  end
+end

data/lib/s3_secure/version.rb

@@ -1,3 +1,3 @@
 module S3Secure
-  VERSION = "0.2.0"
+  VERSION = "0.5.0"
 end

data/lib/s3_secure/versioning.rb

@@ -0,0 +1,29 @@
+module S3Secure
+  class Versioning < Command
+    desc "list", "List bucket versionings"
+    long_desc Help.text("versioning/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :versioning, desc: "Filter for versioning: all, true, false"
+    def list
+      List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket versioning"
+    long_desc Help.text("versioning/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enable BUCKET", "enable bucket versioning"
+    long_desc Help.text("versioning/enable")
+    def enable(bucket)
+      Enable.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "disable BUCKET", "disable bucket versioning"
+    long_desc Help.text("versioning/disable")
+    def disable(bucket)
+      Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/versioning/base.rb

@@ -0,0 +1,4 @@
+class S3Secure::Versioning
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/versioning/disable.rb

@@ -0,0 +1,19 @@
+class S3Secure::Versioning
+  class Disable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Suspended",
+          },
+        )
+        puts "Versioning Suspended on bucket #{@bucket}"
+      else
+        puts "Bucket #{@bucket} is already has versioning already Suspended or not Enabled."
+      end
+    end
+  end
+end

data/lib/s3_secure/versioning/enable.rb

@@ -0,0 +1,19 @@
+class S3Secure::Versioning
+  class Enable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        puts "Bucket #{@bucket} is has versioning already enabled."
+      else
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Enabled",
+          },
+        )
+        puts "Versioning enabled on bucket #{@bucket}"
+      end
+    end
+  end
+end

data/lib/s3_secure/versioning/list.rb

@@ -0,0 +1,24 @@
+class S3Secure::Versioning
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Versioning?"]
+
+      buckets.each do |bucket|
+        $stderr.puts "Getting versioning for bucket #{bucket.color(:green)}"
+
+        show = Show.new(bucket: bucket)
+        row = [bucket, show.enabled?]
+        if @options[:versioning].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:versioning]
+          presenter.rows << row if show.enabled? # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless show.enabled? # only show if bucket doesnt have any encryption rules
+        end
+      end
+
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/versioning/show.rb

@@ -0,0 +1,27 @@
+class S3Secure::Versioning
+  class Show < Base
+    def run
+      if enabled?
+        puts "This S3 bucket has versioning enabled"
+      else
+        puts "This S3 bucket does not have versioning enabled"
+      end
+      details = get_versioning(@bucket).to_h
+      unless details.empty?
+        puts "Bucket versioning details: "
+        pp details
+      end
+    end
+
+    def enabled?
+      versioning = get_versioning(@bucket)
+      versioning.status == "Enabled" # Can be Enabled, Suspended, or nil
+    end
+
+    def get_versioning(bucket)
+      s3.get_bucket_versioning(bucket: bucket) # resp
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+    end
+    memoize :get_versioning
+  end
+end

data/s3-secure.gemspec

@@ -10,9 +10,10 @@ Gem::Specification.new do |spec|
   spec.email         = ["tongueroo@gmail.com"]
   spec.summary       = "S3 Bucket security hardening tool"
   spec.homepage      = "https://github.com/tongueroo/s3-secure"
-  spec.license       = "MIT"
+  spec.license       = "Apache2.0"
 
-  spec.files         = `git ls-files`.split($/)
+  git_installed      = system("type git > /dev/null 2>&1")
+  spec.files         = git_installed ? `git ls-files`.split($/) : Dir.glob("**/*")
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
@@ -20,8 +21,10 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "activesupport"
   spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "cli-format"
   spec.add_dependency "memoist"
   spec.add_dependency "rainbow"
+  spec.add_dependency "text-table"
   spec.add_dependency "thor"
   spec.add_dependency "zeitwerk"
 

data/spec/lib/lifecycle/builder_spec.rb

@@ -0,0 +1,85 @@
+describe S3Secure::Lifecycle::Builder do
+  subject { S3Secure::Lifecycle::Builder.new(rules) }
+
+  describe "already has s3-secure-automated-cleanup rule" do
+    let(:rules) {
+      [{:expiration=>{:expired_object_delete_marker=>true},
+        :id=>"s3-secure-automated-cleanup",
+        :status=>"Enabled",
+        :noncurrent_version_expiration=>{:noncurrent_days=>365},
+        :abort_incomplete_multipart_upload=>{:days_after_initiation=>30}}]
+    }
+
+    it "has?" do
+      result = subject.has?("s3-secure-automated-cleanup")
+      expect(result).to be true
+    end
+
+    it "rules_with_addition" do
+      rules = subject.rules_with_addition
+      expect(rules.size).to eq 1 # no dups
+      result = has_lifecycle?(rules)
+      expect(result).to be true
+    end
+
+    it "rules_with_removal" do
+      rules = subject.rules_with_removal
+      result = has_lifecycle?(rules)
+      expect(result).to be false
+    end
+  end
+
+  describe "doesnt have s3-secure-automated-cleanup rule" do
+    let(:rules) {
+      [{:rules=>
+        [{:expiration=>{:expired_object_delete_marker=>true},
+          :id=>"someother-policy",
+          :status=>"Enabled",
+          :noncurrent_version_expiration=>{:noncurrent_days=>365},
+          :abort_incomplete_multipart_upload=>{:days_after_initiation=>30}}]}]
+    }
+
+    it "has?" do
+      result = subject.has?("s3-secure-automated-cleanup")
+      expect(result).to be false
+    end
+
+    it "rules_with_addition" do
+      rules = subject.rules_with_addition
+      expect(rules.size).to eq 2 # no dups
+      result = has_lifecycle?(rules)
+      expect(result).to be true
+    end
+
+    it "rules_with_removal" do
+      rules = subject.rules_with_removal
+      result = has_lifecycle?(rules)
+      expect(result).to be false
+    end
+  end
+
+  describe "empty policy" do
+    let(:rules) { nil }
+
+    it "has?" do
+      result = subject.has?("s3-secure-automated-cleanup")
+      expect(result).to be false
+    end
+
+    it "rules_with_addition" do
+      rules = subject.rules_with_addition
+      result = has_lifecycle?(rules)
+      expect(result).to be true
+    end
+
+    it "rules_with_removal" do
+      rules = subject.rules_with_removal
+      result = has_lifecycle?(rules)
+      expect(result).to be false
+    end
+  end
+
+  def has_lifecycle?(rules)
+    !!rules.detect { |rule| rule[:id] == S3Secure::Lifecycle::Builder::RULE_ID }
+  end
+end