RubyGems - s3-secure - Versions diffs - 0.3.0 → 0.5.1 - Mend

s3-secure 0.3.0 → 0.5.1

Files changed (62) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +16 -0
data/LICENSE.txt +201 -22
data/README.md +134 -16
data/lib/s3_secure.rb +3 -2
data/lib/s3_secure/abstract_base.rb +2 -1
data/lib/s3_secure/access_logs.rb +32 -0
data/lib/s3_secure/access_logs/base.rb +4 -0
data/lib/s3_secure/access_logs/disable.rb +37 -0
data/lib/s3_secure/access_logs/enable.rb +41 -0
data/lib/s3_secure/access_logs/list.rb +25 -0
data/lib/s3_secure/access_logs/show.rb +89 -0
data/lib/s3_secure/aws_services.rb +1 -30
data/lib/s3_secure/aws_services/s3.rb +54 -0
data/lib/s3_secure/cli.rb +27 -1
data/lib/s3_secure/command.rb +7 -0
data/lib/s3_secure/encryption.rb +4 -0
data/lib/s3_secure/encryption/disable.rb +5 -9
data/lib/s3_secure/encryption/enable.rb +5 -11
data/lib/s3_secure/encryption/list.rb +12 -16
data/lib/s3_secure/encryption/show.rb +14 -9
data/lib/s3_secure/help/batch.md +14 -0
data/lib/s3_secure/help/encryption/disable.md +5 -0
data/lib/s3_secure/help/encryption/enable.md +6 -0
data/lib/s3_secure/help/encryption/list.md +5 -0
data/lib/s3_secure/help/lifecycle/add.md +13 -0
data/lib/s3_secure/help/lifecycle/list.md +22 -0
data/lib/s3_secure/help/lifecycle/remove.md +5 -0
data/lib/s3_secure/help/lifecycle/show.md +13 -0
data/lib/s3_secure/help/policy/enforce_ssl.md +34 -0
data/lib/s3_secure/help/policy/list.md +5 -0
data/lib/s3_secure/help/policy/unforce_ssl.md +61 -0
data/lib/s3_secure/help/summary.md +22 -0
data/lib/s3_secure/lifecycle.rb +33 -0
data/lib/s3_secure/lifecycle/add.rb +33 -0
data/lib/s3_secure/lifecycle/base.rb +5 -0
data/lib/s3_secure/lifecycle/builder.rb +47 -0
data/lib/s3_secure/lifecycle/list.rb +24 -0
data/lib/s3_secure/lifecycle/remove.rb +28 -0
data/lib/s3_secure/lifecycle/show.rb +40 -0
data/lib/s3_secure/policy.rb +4 -0
data/lib/s3_secure/policy/enforce.rb +6 -10
data/lib/s3_secure/policy/list.rb +13 -17
data/lib/s3_secure/policy/show.rb +11 -10
data/lib/s3_secure/policy/unforce.rb +7 -10
data/lib/s3_secure/remediate_all.rb +12 -0
data/lib/s3_secure/say.rb +7 -0
data/lib/s3_secure/summary.rb +13 -0
data/lib/s3_secure/summary/item.rb +16 -0
data/lib/s3_secure/summary/items.rb +65 -0
data/lib/s3_secure/table.rb +18 -0
data/lib/s3_secure/version.rb +1 -1
data/lib/s3_secure/versioning.rb +31 -0
data/lib/s3_secure/versioning/base.rb +4 -0
data/lib/s3_secure/versioning/disable.rb +19 -0
data/lib/s3_secure/versioning/enable.rb +19 -0
data/lib/s3_secure/versioning/list.rb +24 -0
data/lib/s3_secure/versioning/show.rb +27 -0
data/s3-secure.gemspec +5 -2
data/spec/lib/lifecycle/builder_spec.rb +85 -0
metadata +72 -5
data/lib/s3_secure/help/hello.md +0 -5

data/lib/s3_secure/abstract_base.rb CHANGED

@@ -1,7 +1,8 @@
 module S3Secure
   class AbstractBase
-    include S3Secure::AwsServices
     extend Memoist
+    include S3Secure::AwsServices
+    include Say
     def initialize(options={})
       @options = options

data/lib/s3_secure/access_logs.rb ADDED

@@ -0,0 +1,32 @@
+module S3Secure
+  class AccessLogs < Command
+    class_option :quiet, type: :boolean
+    desc "list", "List bucket access_logs setting"
+    long_desc Help.text("access_logs/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :access_logs, type: :boolean, desc: "Filter for access_logs: all, true, false"
+    def list
+      List.new(options).run
+    end
+    desc "show BUCKET", "show bucket access_logs"
+    long_desc Help.text("access_logs/show")
+    def show(bucket)
+      Show.new(options.merge(bucket: bucket)).run
+    end
+    desc "enable BUCKET", "enable bucket access_logs"
+    long_desc Help.text("access_logs/enable")
+    option :target_bucket, desc: "Target s3 bucket"
+    def enable(bucket)
+      Enable.new(options.merge(bucket: bucket)).run
+    end
+    desc "disable BUCKET", "disable bucket access_logs"
+    long_desc Help.text("access_logs/disable")
+    def disable(bucket)
+      Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/access_logs/base.rb ADDED

@@ -0,0 +1,4 @@
+class S3Secure::AccessLogs
+  class Base < S3Secure::AbstractBase
+  end
+end

data/lib/s3_secure/access_logs/disable.rb ADDED

@@ -0,0 +1,37 @@
+class S3Secure::AccessLogs
+  class Disable < Base
+    def run
+      @show = Show.new(bucket: @bucket)
+      remove_access_logging
+      remove_bucket_acl
+    end
+    def remove_access_logging
+      unless @show.logging_enabled?
+        say "Bucket #{@bucket} is not configured with access logging. So nothing to remove."
+        return
+      end
+      s3.put_bucket_logging(
+        bucket: @bucket, # source
+        bucket_logging_status: {}, # empty hash to remove
+      )
+      say "Bucket #{@bucket} access logging removed"
+    end
+    def remove_bucket_acl
+      unless @show.acl_enabled?
+        say "Bucket #{@bucket} is not configured the log delivery ACL. So nothing to remove."
+        return
+      end
+      access_control_policy = @show.access_control_policy_without_log_delivery_permissions
+      s3.put_bucket_acl(
+        bucket: @bucket,
+        access_control_policy: access_control_policy,
+      )
+      say "Bucket #{@bucket} ACL Log Delivery removed"
+    end
+  end
+end

data/lib/s3_secure/access_logs/enable.rb ADDED

@@ -0,0 +1,41 @@
+class S3Secure::AccessLogs
+  class Enable < Base
+    def run
+      @show = Show.new(bucket: @bucket)
+      add_bucket_acl
+      enable_access_logging
+    end
+    # Bucket ACL applies on the target bucket only
+    def add_bucket_acl
+      if @show.acl_enabled?
+        say "Bucket acl already has log delivery ACL"
+        return
+      end
+      s3.put_bucket_acl(
+        bucket: @bucket,
+        access_control_policy: @show.access_control_policy_with_log_delivery_permissions,
+      )
+      say "Added to bucket acl that grants log delivery"
+    end
+    def enable_access_logging
+      if @show.logging_enabled?
+        say "Bucket access logging already enabled"
+        return
+      end
+      s3.put_bucket_logging(
+        bucket: @bucket, # source
+        bucket_logging_status: {
+          logging_enabled: {
+            target_bucket: @show.target_bucket,
+            target_prefix: @show.target_prefix,
+          },
+        },
+      )
+      say "Enabled access logging on the source bucket #{@bucket} to be delivered to the target bucket #{@show.target_bucket}"
+    end
+  end
+end

data/lib/s3_secure/access_logs/list.rb ADDED

@@ -0,0 +1,25 @@
+class S3Secure::AccessLogs
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Access Logs?"]
+      buckets.each do |bucket|
+        $stderr.puts "Getting access log setting for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        enabled = show.logging_enabled?
+        row = [bucket, enabled]
+        if @options[:enabled].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:enabled]
+          presenter.rows << row if enabled # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless enabled # only show if bucket doesnt have any encryption rules
+        end
+      end
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/access_logs/show.rb ADDED

@@ -0,0 +1,89 @@
+class S3Secure::AccessLogs
+  class Show < Base
+    def run
+      say "Bucket ACL:"
+      pp bucket_acl_grants
+      say "Bucket Logging:"
+      pp bucket_logging
+    end
+    def bucket_logging
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_logging(bucket: target_bucket).to_h
+      end
+    end
+    memoize :bucket_logging
+    def bucket_acl
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_acl(bucket: target_bucket)
+      end
+    end
+    memoize :bucket_acl
+    def bucket_acl_grants
+      bucket_acl.grants.map(&:to_h)
+    end
+    def enabled?
+      acl_enabled? && logging_enabled?
+    end
+    def acl_enabled?
+      grants = bucket_acl_grants & log_delivery_access_grants
+      !grants.empty?
+    end
+    def logging_enabled?
+      !bucket_logging.empty?
+    end
+    def log_delivery_access_grants
+      [
+        {
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "WRITE"
+        },{
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "READ_ACP"
+        }
+      ]
+    end
+    def access_control_policy_with_log_delivery_permissions
+      grants = bucket_acl_grants + log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+    def access_control_policy_without_log_delivery_permissions
+      grants = bucket_acl_grants - log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+    def owner
+      {
+        display_name: bucket_acl.owner.display_name,
+        id: bucket_acl.owner.id,
+      }
+    end
+    def target_bucket
+      @options[:target_bucket] || @bucket
+    end
+    def target_prefix
+      prefix = @options[:target_prefix] || "access-logs"
+      prefix += "/" unless prefix.ends_with?("/")
+      prefix
+    end
+    def with_regional_s3(bucket)
+      current_bucket, @bucket = @bucket, bucket
+      result = yield
+      @bucket = current_bucket
+      result
+    end
+  end
+end

data/lib/s3_secure/aws_services.rb CHANGED

@@ -2,35 +2,6 @@ require "aws-sdk-s3"
 module S3Secure
   module AwsServices
-    extend Memoist
-    @@buckets = {} # holds bucket => region map
-    def s3_regional_client(bucket)
-      region = @@buckets[bucket]
-      unless region
-        resp = s3_client.get_bucket_location(bucket: bucket)
-        region = resp.location_constraint
-        region = 'us-east-1' if region.empty? # "" means us-east-1
-      end
-      new_s3_regional_client(region)
-    end
-    def new_s3_regional_client(region=nil)
-      options = {}
-      options[:endpoint] = "https://s3.#{region}.amazonaws.com" if region
-      options[:region] = region if region
-      Aws::S3::Client.new(options)
-    end
-    memoize :new_s3_regional_client
-    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
-    # Used to call get_bucket_location to get each specific bucket's location.
-    # Generally use the s3_regional_client instead of this.
-    def s3_client
-      Aws::S3::Client.new
-    end
-    memoize :s3_client
+    include S3
   end
 end

data/lib/s3_secure/aws_services/s3.rb ADDED

@@ -0,0 +1,54 @@
+module S3Secure::AwsServices
+  module S3
+    extend Memoist
+    @@s3_clients = {} # holds cached s3 regional clients cache
+    def s3
+      check_bucket!
+      @@s3_clients[@bucket] ||= new_s3_regional_client
+    end
+    def new_s3_regional_client
+      options = {}
+      options[:endpoint] = "https://s3.#{region}.amazonaws.com"
+      options[:region] = region
+      Aws::S3::Client.new(options)
+    rescue Aws::STS::Errors::RegionDisabledException
+      puts "ERROR: Fail to establish client connection to region #{region}".color(:red)
+      raise
+    end
+    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
+    # Used to call get_bucket_location to get each specific bucket's location.
+    # Generally use the s3_regional_client instead of this.
+    def s3_client
+      Aws::S3::Client.new
+    end
+    memoize :s3_client
+    def check_bucket!
+      # IMPORANT: The class that includes this module must set @bucket before using the s3 method.
+      unless @bucket
+        raise "@bucket #{@bucket.inspect} is not set. The class must set @bucket before using the any client method."
+      end
+      region_map # triggers building region map for specific @bucket
+    end
+    @@region_map = {} # bucket to region map cache
+    def region_map
+      region = @@region_map[@bucket]
+      return @@region_map if region # return cache
+      # build cache
+      resp = s3_client.get_bucket_location(bucket: @bucket)
+      region = resp.location_constraint
+      region = 'us-east-1' if region.empty? # "" means us-east-1
+      @@region_map[@bucket] = region
+      @@region_map
+    end
+    def region
+      region_map[@bucket]
+    end
+  end
+end

data/lib/s3_secure/cli.rb CHANGED

@@ -1,8 +1,12 @@
 module S3Secure
   class CLI < Command
-    class_option :verbose, type: :boolean
+    class_option :quiet, type: :boolean
     class_option :noop, type: :boolean
+    desc "access_logs SUBCOMMAND", "access_logs subcommands"
+    long_desc Help.text(:access_logs)
+    subcommand "access_logs", AccessLogs
     desc "encryption SUBCOMMAND", "encryption subcommands"
     long_desc Help.text(:encryption)
     subcommand "encryption", Encryption
@@ -11,6 +15,28 @@ module S3Secure
     long_desc Help.text(:policy)
     subcommand "policy", Policy
+    desc "versioning SUBCOMMAND", "versioning subcommands"
+    long_desc Help.text(:versioning)
+    subcommand "versioning", Versioning
+    desc "lifecycle SUBCOMMAND", "lifecycle subcommands"
+    long_desc Help.text(:lifecycle)
+    subcommand "lifecycle", Lifecycle
+    desc "remediate_all BUCKET", "Remediate all. For more fine-grain control use each of the commands directly."
+    long_desc Help.text("remediate_all")
+    def remediate_all(bucket)
+      RemediateAll.new(options.merge(bucket: bucket)).run
+    end
+    desc "summary", "Summarize buckets"
+    long_desc Help.text("summary")
+    option :encrypted, default: "any", desc: "filter for encryption enabled. Examples: any, yes, no"
+    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
+    def summary
+      Summary.new(options).run
+    end
     desc "batch *PARAMS", "Batch wrapper method"
     long_desc Help.text(:batch)
     def batch(*params)

data/lib/s3_secure/command.rb CHANGED

@@ -77,6 +77,13 @@ module S3Secure
       def website
         ""
       end
+      # https://github.com/erikhuda/thor/issues/244
+      # Deprecation warning: Thor exit with status 0 on errors. To keep this behavior, you must define `exit_on_failure?` in `Lono::CLI`
+      # You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
+      def exit_on_failure?
+        true
+      end
     end
   end
 end

data/lib/s3_secure/encryption.rb CHANGED

@@ -1,7 +1,11 @@
 module S3Secure
   class Encryption < Command
+    class_option :quiet, type: :boolean
     desc "list", "List bucket encryptions"
     long_desc Help.text("encryption/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :encryption, type: :boolean, desc: "Filter for encryption: all, true, false"
     def list
       List.new(options).run
     end

data/lib/s3_secure/encryption/disable.rb CHANGED

@@ -1,17 +1,13 @@
 class S3Secure::Encryption
   class Disable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-      rules = list.get_encryption_rules(@bucket)
-      if rules
-        @s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
-        puts "Bucket #{@bucket} encryption has been removed"
+      if show.enabled?
+        s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
+        say "Bucket #{@bucket} encryption has been removed"
       else
-        puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
+        say "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
   end

data/lib/s3_secure/encryption/enable.rb CHANGED

@@ -1,16 +1,11 @@
 class S3Secure::Encryption
   class Enable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-      rules = list.get_encryption_rules(@bucket)
-      if rules
+      if show.enabled?
         # check rules to see if encryption is already set of some sort
-        puts "Bucket #{@bucket} already has encryption rules:"
-        puts rules.map(&:to_h)
+        say "Bucket #{@bucket} already has encryption rules:"
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
@@ -18,12 +13,11 @@ class S3Secure::Encryption
         #
         #    put_bucket_encryption returns #<struct Aws::EmptyStructure>
         #
-        @s3.put_bucket_encryption(
+        s3.put_bucket_encryption(
           bucket: @bucket,
           server_side_encryption_configuration: {
             rules: [rule]})
-        puts "Encyption enabled on bucket #{@bucket} with rules:"
-        pp rule
+        say "Encyption enabled on bucket #{@bucket} with rules:"
       end
     end