RubyGems - s3-secure - Versions diffs - 0.4.1 → 0.6.0 - Mend

s3-secure 0.4.1 → 0.6.0

Files changed (72) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/LICENSE.txt +201 -22
data/README.md +39 -14
data/lib/s3_secure/access_logs/base.rb +4 -0
data/lib/s3_secure/access_logs/disable.rb +37 -0
data/lib/s3_secure/access_logs/enable.rb +41 -0
data/lib/s3_secure/access_logs/list.rb +25 -0
data/lib/s3_secure/access_logs/show.rb +89 -0
data/lib/s3_secure/aws_services/s3.rb +61 -0
data/lib/s3_secure/aws_services.rb +4 -27
data/lib/s3_secure/cli/access_logs.rb +32 -0
data/lib/s3_secure/{abstract_base.rb → cli/base.rb} +4 -3
data/lib/s3_secure/{batch.rb → cli/batch.rb} +1 -1
data/lib/s3_secure/{encryption.rb → cli/encryption.rb} +10 -6
data/lib/s3_secure/cli/help.rb +11 -0
data/lib/s3_secure/cli/lifecycle.rb +33 -0
data/lib/s3_secure/cli/policy.rb +31 -0
data/lib/s3_secure/cli/public_access.rb +32 -0
data/lib/s3_secure/cli/remediate_all.rb +12 -0
data/lib/s3_secure/cli/say.rb +7 -0
data/lib/s3_secure/{summary.rb → cli/summary.rb} +4 -4
data/lib/s3_secure/cli/versioning.rb +31 -0
data/lib/s3_secure/cli.rb +25 -3
data/lib/s3_secure/command.rb +7 -0
data/lib/s3_secure/encryption/base.rb +2 -2
data/lib/s3_secure/encryption/disable.rb +6 -10
data/lib/s3_secure/encryption/enable.rb +6 -12
data/lib/s3_secure/encryption/list.rb +13 -17
data/lib/s3_secure/encryption/show.rb +16 -10
data/lib/s3_secure/help/batch.md +14 -0
data/lib/s3_secure/help/encryption/list.md +5 -0
data/lib/s3_secure/help/lifecycle/add.md +13 -0
data/lib/s3_secure/help/lifecycle/list.md +22 -0
data/lib/s3_secure/help/lifecycle/remove.md +5 -0
data/lib/s3_secure/help/lifecycle/show.md +13 -0
data/lib/s3_secure/help/policy/list.md +5 -0
data/lib/s3_secure/lifecycle/add.rb +33 -0
data/lib/s3_secure/lifecycle/base.rb +5 -0
data/lib/s3_secure/lifecycle/builder.rb +47 -0
data/lib/s3_secure/lifecycle/list.rb +24 -0
data/lib/s3_secure/lifecycle/remove.rb +28 -0
data/lib/s3_secure/lifecycle/show.rb +40 -0
data/lib/s3_secure/policy/base.rb +2 -2
data/lib/s3_secure/policy/checker.rb +1 -1
data/lib/s3_secure/policy/document/base.rb +1 -1
data/lib/s3_secure/policy/document/force_ssl_only_access.rb +1 -1
data/lib/s3_secure/policy/document/force_ssl_only_access_remove.rb +1 -1
data/lib/s3_secure/policy/document.rb +1 -1
data/lib/s3_secure/policy/enforce.rb +7 -11
data/lib/s3_secure/policy/list.rb +14 -18
data/lib/s3_secure/policy/show.rb +12 -11
data/lib/s3_secure/policy/unforce.rb +8 -11
data/lib/s3_secure/public_access/base.rb +10 -0
data/lib/s3_secure/public_access/block.rb +18 -0
data/lib/s3_secure/public_access/list.rb +24 -0
data/lib/s3_secure/public_access/show.rb +27 -0
data/lib/s3_secure/public_access/unblock.rb +12 -0
data/lib/s3_secure/summary/item.rb +1 -1
data/lib/s3_secure/summary/items.rb +6 -9
data/lib/s3_secure/version.rb +1 -1
data/lib/s3_secure/versioning/base.rb +4 -0
data/lib/s3_secure/versioning/disable.rb +19 -0
data/lib/s3_secure/versioning/enable.rb +19 -0
data/lib/s3_secure/versioning/list.rb +24 -0
data/lib/s3_secure/versioning/show.rb +27 -0
data/lib/s3_secure.rb +4 -2
data/s3-secure.gemspec +6 -3
data/spec/lib/lifecycle/builder_spec.rb +85 -0
metadata +76 -11
data/lib/s3_secure/help.rb +0 -9
data/lib/s3_secure/policy.rb +0 -27

data/lib/s3_secure/lifecycle/list.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module S3Secure::Lifecycle
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Lifecycle Rules?"]
+      buckets.each do |bucket|
+        $stderr.puts "Getting lifecycle policy for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        row = [bucket, show.any?]
+        if @options[:lifecycle].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:lifecycle]
+          presenter.rows << row if status # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless status # only show if bucket doesnt have any encryption rules
+        end
+      end
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/lifecycle/remove.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module S3Secure::Lifecycle
+  class Remove < Base
+    RULE_ID = Base::RULE_ID
+    def run
+      show = Show.new(@options)
+      unless show.has?(RULE_ID)
+        say "Bucket #{@bucket} already does not have the #{RULE_ID} lifecycle rule."
+        return
+      end
+      builder = Builder.new(show.get_lifecycle_rules(@bucket))
+      rules = builder.rules_with_removal
+      if rules.empty?
+        s3.delete_bucket_lifecycle(bucket: @bucket)
+      else
+        # update config with removal
+        s3.put_bucket_lifecycle_configuration(
+          bucket: @bucket, # required
+          # content_md5: "ContentMD5",
+          lifecycle_configuration: {rules: rules}
+        )
+      end
+      say "Removed the #{RULE_ID} lifecycle rule on bucket #{@bucket}"
+    end
+  end
+end

data/lib/s3_secure/lifecycle/show.rb ADDED Viewed

@@ -0,0 +1,40 @@
+module S3Secure::Lifecycle
+  class Show < Base
+    RULE_ID = Base::RULE_ID
+    def run
+      if any?
+        say "This S3 bucket has lifecycle rules"
+      else
+        say "This S3 bucket does not have lifecycle rules"
+      end
+      if any?
+        say "Bucket lifecycle details: "
+        pp get_lifecycle(@bucket).to_h
+      end
+    end
+    def any?
+      rules = get_lifecycle_rules(@bucket)
+      !!(rules && !rules.empty?)
+    end
+    def has?(rule_id)
+      rules = get_lifecycle_rules(@bucket)
+      rules && rules.detect { |rule| rule[:id] == rule_id }
+    end
+    def get_lifecycle(bucket)
+      s3.get_bucket_lifecycle_configuration(bucket: bucket) # resp
+    rescue Aws::S3::Errors::NoSuchLifecycleConfiguration
+    end
+    memoize :get_lifecycle
+    # Also used by add and remove
+    def get_lifecycle_rules(bucket)
+      resp = get_lifecycle(bucket)
+      resp.rules.map(&:to_h) if resp
+    end
+  end
+end

data/lib/s3_secure/policy/base.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy
-  class Base < S3Secure::AbstractBase
+module S3Secure::Policy
+  class Base < S3Secure::CLI::Base
   end
 end

data/lib/s3_secure/policy/checker.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class Checker
     def initialize(bucket_policy)
       @bucket_policy = bucket_policy # existing document policy

data/lib/s3_secure/policy/document/base.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy::Document
+module S3Secure::Policy::Document
   class Base
     extend Memoist

data/lib/s3_secure/policy/document/force_ssl_only_access.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy::Document
+module S3Secure::Policy::Document
   class ForceSSLOnlyAccess < Base
     def policy_document
       if @bucket_policy.blank?

data/lib/s3_secure/policy/document/force_ssl_only_access_remove.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy::Document
+module S3Secure::Policy::Document
   class ForceSSLOnlyAccessRemove < Base
     def initialize(bucket, bucket_policy)
       # @bucket_policy is existing document policy

data/lib/s3_secure/policy/document.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class Document
     extend Memoist

data/lib/s3_secure/policy/enforce.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class Enforce < Base
     def initialize(options={})
       super
@@ -6,16 +6,13 @@ class S3Secure::Policy
     end
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy)
       if document.has?(@sid)
-        puts "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
-        puts bucket_policy
+        say "Bucket policy for #{@bucket} has ForceSSLOnlyAccess policy statement already:"
+        say bucket_policy
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_policy-instance_method
@@ -24,12 +21,11 @@ class S3Secure::Policy
         #    put_bucket_policy returns #<struct Aws::EmptyStructure>
         #
         policy_document = document.policy_document(@sid)
-        @s3.put_bucket_policy(
+        s3.put_bucket_policy(
           bucket: @bucket,
           policy: policy_document,
         )
-        puts "Add bucket policy to bucket #{@bucket}:"
-        puts policy_document
+        say "Add bucket policy to bucket #{@bucket}:"
       end
     end
   end

data/lib/s3_secure/policy/list.rb CHANGED Viewed

@@ -1,29 +1,25 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Policy?"]
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        policy = get_policy(bucket)
+        $stderr.puts "Getting policy for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        policy = show.policy
-        if policy
-          puts policy
+        row = [bucket, !!policy]
+        if @options[:policy].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:policy]
+          presenter.rows << row if policy # only show if bucket has a policy
         else
-          puts "Bucket does not have a bucket policy"
+          presenter.rows << row unless policy # only show if bucket doesnt have a policy
         end
       end
-    end
-    def get_policy(bucket)
-      resp = @s3.get_bucket_policy(bucket: bucket)
-      data = JSON.load(resp.policy.read) # String
-      JSON.pretty_generate(data)
-    rescue Aws::S3::Errors::NoSuchBucketPolicy
-    end
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end

data/lib/s3_secure/policy/show.rb CHANGED Viewed

@@ -1,19 +1,20 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      policy = list.get_policy(@bucket)
       if policy
-        puts "Bucket #{@bucket} is configured with this policy:"
-        puts policy
-        # puts policy.map(&:to_h)
+        say "Bucket #{@bucket} is configured with this policy:"
+        say policy
       else
-        puts "Bucket #{@bucket} is not configured bucket policy"
+        say "Bucket #{@bucket} is not configured bucket policy"
       end
     end
+    def policy
+      resp = s3.get_bucket_policy(bucket: @bucket)
+      data = JSON.load(resp.policy.read) # String
+      JSON.pretty_generate(data)
+    rescue Aws::S3::Errors::NoSuchBucketPolicy
+    end
+    memoize :policy
   end
 end

data/lib/s3_secure/policy/unforce.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Policy
+module S3Secure::Policy
   class Unforce < Base
     def initialize(options={})
       super
@@ -6,12 +6,9 @@ class S3Secure::Policy
     end
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = S3Secure::Policy::Show.new(@options)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(@s3)
-      bucket_policy = list.get_policy(@bucket)
+      bucket_policy = show.policy
       document = Document.new(@bucket, bucket_policy, remove: true)
       if document.has?(@sid)
         # Set encryption rules
@@ -23,18 +20,18 @@ class S3Secure::Policy
         policy_document = document.policy_document(@sid)
         if policy_document
-          @s3.put_bucket_policy(
+          s3.put_bucket_policy(
             bucket: @bucket,
             policy: policy_document,
           )
         else
-          @s3.delete_bucket_policy(bucket: @bucket)
+          s3.delete_bucket_policy(bucket: @bucket)
         end
-        puts "Remove bucket policy statement from bucket #{@bucket}:"
-        puts policy_document if policy_document
+        say "Remove bucket policy statement from bucket #{@bucket}:"
+        say policy_document if policy_document
       else
-        puts "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."
+        say "Bucket policy for #{@bucket} does not have ForceSSLOnlyAccess policy statement. Nothing to be done."
       end
     end
   end

data/lib/s3_secure/public_access/base.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module S3Secure::PublicAccess
+  class Base < S3Secure::CLI::Base
+    extend Memoist
+    def account_id
+      sts.get_caller_identity.account
+    end
+    memoize :account_id
+  end
+end

data/lib/s3_secure/public_access/block.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module S3Secure::PublicAccess
+  class Block < Base
+    def run
+      resp = s3.put_public_access_block(
+        bucket: @bucket,
+        public_access_block_configuration: {
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        },
+      )
+      $stderr.puts("Public access blocked for bucket: #{@bucket}")
+      resp
+    end
+  end
+end

data/lib/s3_secure/public_access/list.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module S3Secure::PublicAccess
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Block Public Access?"]
+      buckets.each do |bucket|
+        $stderr.puts "Getting bucket public access configuration for bucket #{bucket.color(:green)}"
+        blocked = Show.new(bucket: bucket).blocked?
+        row = [bucket, blocked]
+        if @options[:blocked].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:blocked]
+          presenter.rows << row if blocked # only show if bucket is blocked
+        else
+          presenter.rows << row unless blocked # only show if bucket is unblocked
+        end
+      end
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/public_access/show.rb ADDED Viewed

@@ -0,0 +1,27 @@
+module S3Secure::PublicAccess
+  class Show < Base
+    def run
+      resp = s3.get_public_access_block(
+        bucket: @bucket,
+      )
+      $stderr.puts(resp.to_h)
+      resp
+    rescue Aws::S3::Errors::NoSuchPublicAccessBlockConfiguration
+      $stderr.puts "No public access block configuration found for bucket: #{@bucket}"
+    end
+    def blocked?
+      resp = s3.get_public_access_block(
+        bucket: @bucket,
+      )
+      resp.to_h[:public_access_block_configuration] == {
+        block_public_acls: true,
+        block_public_policy: true,
+        ignore_public_acls: true,
+        restrict_public_buckets: true,
+      }
+    rescue Aws::S3::Errors::NoSuchPublicAccessBlockConfiguration
+      false
+    end
+  end
+end

data/lib/s3_secure/public_access/unblock.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module S3Secure::PublicAccess
+  class Unblock < Base
+    def run
+      resp = s3.delete_public_access_block(
+        bucket: @bucket,
+      )
+      $stderr.puts("Removed public access block configuration for bucket: #{@bucket}")
+      resp
+    end
+  end
+end

data/lib/s3_secure/summary/item.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-class S3Secure::Summary
+module S3Secure::Summary
   class Item
     attr_reader :bucket
     def initialize(bucket, properties={})

data/lib/s3_secure/summary/items.rb CHANGED Viewed

@@ -1,5 +1,5 @@
-class S3Secure::Summary
-  class Items < S3Secure::AbstractBase
+module S3Secure::Summary
+  class Items < S3Secure::CLI::Base
     extend Memoist
     # override initialize
@@ -44,11 +44,9 @@ class S3Secure::Summary
   private
     def ssl?(bucket)
-      s3 = s3_regional_client(bucket)
-      list = S3Secure::Policy::List.new(@options)
-      list.set_s3(s3)
+      show = S3Secure::Policy::Show.new(@options.merge(bucket: bucket))
-      bucket_policy = list.get_policy(bucket)
+      bucket_policy = show.run
       document = S3Secure::Policy::Document.new(bucket, bucket_policy)
       document.has?("ForceSSLOnlyAccess")
     end
@@ -56,10 +54,9 @@ class S3Secure::Summary
     def encrypted?(bucket)
       s3 = s3_regional_client(bucket)
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(s3)
+      show = S3Secure::Encryption::Show.new(@options.merge(bucket: bucket))
-      rules = list.get_encryption_rules(bucket)
+      rules = show.run
       !!rules
     end
     memoize :encrypted?

data/lib/s3_secure/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module S3Secure
-  VERSION = "0.4.1"
+  VERSION = "0.6.0"
 end

data/lib/s3_secure/versioning/base.rb ADDED Viewed

@@ -0,0 +1,4 @@
+module S3Secure::Versioning
+  class Base < S3Secure::CLI::Base
+  end
+end

data/lib/s3_secure/versioning/disable.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module S3Secure::Versioning
+  class Disable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Suspended",
+          },
+        )
+        say "Versioning Suspended on bucket #{@bucket}"
+      else
+        say "Bucket #{@bucket} is already has versioning already Suspended or not Enabled."
+      end
+    end
+  end
+end

data/lib/s3_secure/versioning/enable.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module S3Secure::Versioning
+  class Enable < Base
+    def run
+      show = Show.new(@options)
+      if show.enabled?
+        say "Bucket #{@bucket} is has versioning already enabled."
+      else
+        s3.put_bucket_versioning(
+          bucket: @bucket,
+          versioning_configuration: {
+            # mfa_delete: "Disabled",
+            status: "Enabled",
+          },
+        )
+        say "Versioning enabled on bucket #{@bucket}"
+      end
+    end
+  end
+end

data/lib/s3_secure/versioning/list.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module S3Secure::Versioning
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Versioning?"]
+      buckets.each do |bucket|
+        $stderr.puts "Getting versioning for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+        row = [bucket, show.enabled?]
+        if @options[:versioning].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:versioning]
+          presenter.rows << row if show.enabled? # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless show.enabled? # only show if bucket doesnt have any encryption rules
+        end
+      end
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/versioning/show.rb ADDED Viewed

@@ -0,0 +1,27 @@
+module S3Secure::Versioning
+  class Show < Base
+    def run
+      if enabled?
+        say "This S3 bucket has versioning enabled"
+      else
+        say "This S3 bucket does not have versioning enabled"
+      end
+      details = get_versioning(@bucket).to_h
+      unless details.empty?
+        say "Bucket versioning details: "
+        pp details
+      end
+    end
+    def enabled?
+      versioning = get_versioning(@bucket)
+      versioning.status == "Enabled" # Can be Enabled, Suspended, or nil
+    end
+    def get_versioning(bucket)
+      s3.get_bucket_versioning(bucket: bucket) # resp
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+    end
+    memoize :get_versioning
+  end
+end

data/lib/s3_secure.rb CHANGED Viewed

@@ -1,10 +1,12 @@
 $:.unshift(File.expand_path("../", __FILE__))
+require "active_support"
+require "active_support/core_ext/module" # for delegate
+require "active_support/core_ext/string"
+require "cli_format"
 require "json"
 require "memoist"
 require "rainbow/ext/string"
 require "s3_secure/version"
-require "active_support/core_ext/module" # for delegate
-require "active_support/core_ext/string"
 require "s3_secure/autoloader"
 S3Secure::Autoloader.setup

data/s3-secure.gemspec CHANGED Viewed

@@ -9,10 +9,11 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Tung Nguyen"]
   spec.email         = ["tongueroo@gmail.com"]
   spec.summary       = "S3 Bucket security hardening tool"
-  spec.homepage      = "https://github.com/tongueroo/s3-secure"
-  spec.license       = "MIT"
+  spec.homepage      = "https://github.com/boltops-tools/s3-secure"
+  spec.license       = "Apache2.0"
-  spec.files         = `git ls-files`.split($/)
+  git_installed      = system("type git > /dev/null 2>&1")
+  spec.files         = git_installed ? `git ls-files`.split($/) : Dir.glob("**/*")
   spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
@@ -20,8 +21,10 @@ Gem::Specification.new do |spec|
   spec.add_dependency "activesupport"
   spec.add_dependency "aws-sdk-s3"
+  spec.add_dependency "cli-format"
   spec.add_dependency "memoist"
   spec.add_dependency "rainbow"
+  spec.add_dependency "rexml"
   spec.add_dependency "text-table"
   spec.add_dependency "thor"
   spec.add_dependency "zeitwerk"