s3-secure 0.4.2 → 0.5.0

data/lib/s3_secure/access_logs/list.rb

@@ -0,0 +1,25 @@
+class S3Secure::AccessLogs
+  class List < Base
+    def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Access Logs?"]
+
+      buckets.each do |bucket|
+        $stderr.puts "Getting access log setting for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
+
+        enabled = show.logging_enabled?
+        row = [bucket, enabled]
+        if @options[:enabled].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:enabled]
+          presenter.rows << row if enabled # only show if bucket has some encryption rules
+        else
+          presenter.rows << row unless enabled # only show if bucket doesnt have any encryption rules
+        end
+      end
+
+      presenter.show
+    end
+  end
+end

data/lib/s3_secure/access_logs/show.rb

@@ -0,0 +1,89 @@
+class S3Secure::AccessLogs
+  class Show < Base
+    def run
+      puts "Bucket ACL:"
+      pp bucket_acl_grants
+      puts "Bucket Logging:"
+      pp bucket_logging
+    end
+
+    def bucket_logging
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_logging(bucket: target_bucket).to_h
+      end
+    end
+    memoize :bucket_logging
+
+    def bucket_acl
+      # Tricky here, need to swtich the s3 client in case target_bucket is in another region
+      with_regional_s3(target_bucket) do
+        s3.get_bucket_acl(bucket: target_bucket)
+      end
+    end
+    memoize :bucket_acl
+
+    def bucket_acl_grants
+      bucket_acl.grants.map(&:to_h)
+    end
+
+    def enabled?
+      acl_enabled? && logging_enabled?
+    end
+
+    def acl_enabled?
+      grants = bucket_acl_grants & log_delivery_access_grants
+      !grants.empty?
+    end
+
+    def logging_enabled?
+      !bucket_logging.empty?
+    end
+
+    def log_delivery_access_grants
+      [
+        {
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "WRITE"
+        },{
+          grantee: {type: "Group", uri: "http://acs.amazonaws.com/groups/s3/LogDelivery"},
+          permission: "READ_ACP"
+        }
+      ]
+    end
+
+    def access_control_policy_with_log_delivery_permissions
+      grants = bucket_acl_grants + log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+
+    def access_control_policy_without_log_delivery_permissions
+      grants = bucket_acl_grants - log_delivery_access_grants
+      { grants: grants, owner: owner }
+    end
+
+    def owner
+      {
+        display_name: bucket_acl.owner.display_name,
+        id: bucket_acl.owner.id,
+      }
+    end
+
+    def target_bucket
+      @options[:target_bucket] || @bucket
+    end
+
+    def target_prefix
+      prefix = @options[:target_prefix] || "access-logs"
+      prefix += "/" unless prefix.ends_with?("/")
+      prefix
+    end
+
+    def with_regional_s3(bucket)
+      current_bucket, @bucket = @bucket, bucket
+      result = yield
+      @bucket = current_bucket
+      result
+    end
+  end
+end

data/lib/s3_secure/aws_services.rb

@@ -2,38 +2,6 @@ require "aws-sdk-s3"
 
 module S3Secure
   module AwsServices
-    extend Memoist
-
-    @@buckets = {} # holds bucket => region map
-    def s3_regional_client(bucket)
-      region = @@buckets[bucket]
-
-      unless region
-        resp = s3_client.get_bucket_location(bucket: bucket)
-        region = resp.location_constraint
-        region = 'us-east-1' if region.empty? # "" means us-east-1
-      end
-
-      new_s3_regional_client(region)
-    end
-
-    def new_s3_regional_client(region=nil)
-      options = {}
-      options[:endpoint] = "https://s3.#{region}.amazonaws.com" if region
-      options[:region] = region if region
-      Aws::S3::Client.new(options)
-    rescue Aws::STS::Errors::RegionDisabledException
-      puts "ERROR: Fail to establish client connection to region #{region}".color(:red)
-      raise
-    end
-    memoize :new_s3_regional_client
-
-    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
-    # Used to call get_bucket_location to get each specific bucket's location.
-    # Generally use the s3_regional_client instead of this.
-    def s3_client
-      Aws::S3::Client.new
-    end
-    memoize :s3_client
+    include S3
   end
 end

data/lib/s3_secure/aws_services/s3.rb

@@ -0,0 +1,54 @@
+module S3Secure::AwsServices
+  module S3
+    extend Memoist
+
+    @@s3_clients = {} # holds cached s3 regional clients cache
+    def s3
+      check_bucket!
+      @@s3_clients[@bucket] ||= new_s3_regional_client
+    end
+
+    def new_s3_regional_client
+      options = {}
+      options[:endpoint] = "https://s3.#{region}.amazonaws.com"
+      options[:region] = region
+      Aws::S3::Client.new(options)
+    rescue Aws::STS::Errors::RegionDisabledException
+      puts "ERROR: Fail to establish client connection to region #{region}".color(:red)
+      raise
+    end
+
+    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
+    # Used to call get_bucket_location to get each specific bucket's location.
+    # Generally use the s3_regional_client instead of this.
+    def s3_client
+      Aws::S3::Client.new
+    end
+    memoize :s3_client
+
+    def check_bucket!
+      # IMPORANT: The class that includes this module must set @bucket before using the s3 method.
+      unless @bucket
+        raise "@bucket #{@bucket.inspect} is not set. The class must set @bucket before using the any client method."
+      end
+      region_map # triggers building region map for specific @bucket
+    end
+
+    @@region_map = {} # bucket to region map cache
+    def region_map
+      region = @@region_map[@bucket]
+      return @@region_map if region # return cache
+
+      # build cache
+      resp = s3_client.get_bucket_location(bucket: @bucket)
+      region = resp.location_constraint
+      region = 'us-east-1' if region.empty? # "" means us-east-1
+      @@region_map[@bucket] = region
+      @@region_map
+    end
+
+    def region
+      region_map[@bucket]
+    end
+  end
+end

data/lib/s3_secure/cli.rb

@@ -3,6 +3,10 @@ module S3Secure
     class_option :verbose, type: :boolean
     class_option :noop, type: :boolean
 
+    desc "access_logs SUBCOMMAND", "access_logs subcommands"
+    long_desc Help.text(:access_logs)
+    subcommand "access_logs", AccessLogs
+
     desc "encryption SUBCOMMAND", "encryption subcommands"
     long_desc Help.text(:encryption)
     subcommand "encryption", Encryption
@@ -11,10 +15,24 @@ module S3Secure
     long_desc Help.text(:policy)
     subcommand "policy", Policy
 
+    desc "versioning SUBCOMMAND", "versioning subcommands"
+    long_desc Help.text(:versioning)
+    subcommand "versioning", Versioning
+
+    desc "lifecycle SUBCOMMAND", "lifecycle subcommands"
+    long_desc Help.text(:lifecycle)
+    subcommand "lifecycle", Lifecycle
+
+    desc "remediate_all", "Remediate all. For more fine-grain control use each of the commands directly."
+    long_desc Help.text("remediate_all")
+    def remediate_all(bucket)
+      RemediateAll.new(options.merge(bucket: bucket)).run
+    end
+
     desc "summary", "Summarize buckets"
     long_desc Help.text("summary")
-    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
     option :encrypted, default: "any", desc: "filter for encryption enabled. Examples: any, yes, no"
+    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
     def summary
       Summary.new(options).run
     end

data/lib/s3_secure/command.rb

@@ -77,6 +77,13 @@ module S3Secure
       def website
         ""
       end
+
+      # https://github.com/erikhuda/thor/issues/244
+      # Deprecation warning: Thor exit with status 0 on errors. To keep this behavior, you must define `exit_on_failure?` in `Lono::CLI`
+      # You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
+      def exit_on_failure?
+        true
+      end
     end
   end
 end

data/lib/s3_secure/encryption.rb

@@ -2,6 +2,8 @@ module S3Secure
   class Encryption < Command
     desc "list", "List bucket encryptions"
     long_desc Help.text("encryption/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :encryption, type: :boolean, desc: "Filter for encryption: all, true, false"
     def list
       List.new(options).run
     end

data/lib/s3_secure/encryption/disable.rb

@@ -1,17 +1,13 @@
 class S3Secure::Encryption
   class Disable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
 
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
-      if rules
-        @s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
+      if show.enabled?
+        s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
         puts "Bucket #{@bucket} encryption has been removed"
       else
-        puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
+        puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
   end

data/lib/s3_secure/encryption/enable.rb

@@ -1,16 +1,12 @@
 class S3Secure::Encryption
   class Enable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
 
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
-      if rules
+      if show.enabled?
         # check rules to see if encryption is already set of some sort
         puts "Bucket #{@bucket} already has encryption rules:"
-        puts rules.map(&:to_h)
+        puts show.rules.map(&:to_h)
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
@@ -18,7 +14,7 @@ class S3Secure::Encryption
         #
         #    put_bucket_encryption returns #<struct Aws::EmptyStructure>
         #
-        @s3.put_bucket_encryption(
+        s3.put_bucket_encryption(
           bucket: @bucket,
           server_side_encryption_configuration: {
             rules: [rule]})

data/lib/s3_secure/encryption/list.rb

@@ -1,28 +1,24 @@
 class S3Secure::Encryption
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Encryption?"]
+
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        encryption_rules = get_encryption_rules(bucket)
+        $stderr.puts "Getting encryption for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
 
-        if encryption_rules
-          puts encryption_rules
+        row = [bucket, show.enabled?]
+        if @options[:encryption].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:encryption]
+          presenter.rows << row if show.enabled? # only show if bucket has some encryption rules
         else
-          puts "Bucket does not have bucket encryption enabled"
+          presenter.rows << row unless show.enabled? # only show if bucket doesnt have any encryption rules
         end
       end
-    end
-
-    def get_encryption_rules(bucket)
-      resp = @s3.get_bucket_encryption(bucket: bucket)
-      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
-    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
-    end
 
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end

data/lib/s3_secure/encryption/show.rb

@@ -1,12 +1,6 @@
 class S3Secure::Encryption
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
       if rules
         puts "Bucket #{@bucket} is configured with these encryption rules:"
         puts rules.map(&:to_h)
@@ -14,5 +8,16 @@ class S3Secure::Encryption
         puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
+
+    def enabled?
+      !!(rules && !rules.empty?)
+    end
+
+    def rules
+      resp = s3.get_bucket_encryption(bucket: @bucket)
+      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
+    end
+    memoize :rules
   end
 end

data/lib/s3_secure/help/batch.md

@@ -0,0 +1,14 @@
+There are some supported batch commands:
+
+    s3-secure batch encryption enable FILE.txt
+    s3-secure batch encryption disable FILE.txt
+    s3-secure batch policy enforce_ssl FILE.txt
+    s3-secure batch policy unforce_ssl FILE.txt
+
+The format of FILE.txt is a list of bucket names separated by newlines.  Example:
+
+buckets.txt:
+
+    my-bucket-1
+    my-bucket-2
+

data/lib/s3_secure/help/encryption/list.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure encryption list                 # shows all buckets with and without polices
+    s3-secure encryption list --encryption    # only shows buckets with encryption
+    s3-secure encryption list --no-encryption # only shows buckets without encryption

data/lib/s3_secure/help/lifecycle/add.md

@@ -0,0 +1,13 @@
+## Example
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $
+
+By default, the add command will only add a lifecycle policy if you none exists.
+
+It may be useful to test adding an additional lifecycle policy, for this you can use both the `--additive` and `--prefix` options. Note, you must make sure that the lifecycle policies can work together. For example, they must have different prefixes.
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1 --additive --prefix /foo
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $

data/lib/s3_secure/help/lifecycle/list.md

@@ -0,0 +1,22 @@
+## Examples
+
+    $ s3-secure lifecycle list
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle true
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle false
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    +----------------------------+----------------------+
+    $