s3-secure 0.4.2 → 0.6.1

data/lib/s3_secure/backwards_compatibility.rb

@@ -0,0 +1,20 @@
+module S3Secure
+  module BackwardsCompatibility
+  end
+
+  module Encryption
+    CLI::Encryption::Enable = Encryption::Enable
+  end
+  module Policy
+    CLI::Policy::Enforce = Policy::Enforce
+  end
+  module Versioning
+    CLI::Versioning::Enable = Versioning::Enable
+  end
+  module Lifecycle
+    CLI::Lifecycle::Add = Lifecycle::Add
+  end
+  module AccessLogs
+    CLI::AccessLogs::Enable = AccessLogs::Enable
+  end
+end

data/lib/s3_secure/cli/access_logs.rb

@@ -0,0 +1,32 @@
+class S3Secure::CLI
+  class AccessLogs < S3Secure::Command
+    class_option :quiet, type: :boolean
+
+    desc "list", "List bucket access_logs setting"
+    long_desc Help.text("access_logs/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :access_logs, type: :boolean, desc: "Filter for access_logs: all, true, false"
+    def list
+      S3Secure::AccessLogs::List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket access_logs"
+    long_desc Help.text("access_logs/show")
+    def show(bucket)
+      S3Secure::AccessLogs::Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enable BUCKET", "enable bucket access_logs"
+    long_desc Help.text("access_logs/enable")
+    option :target_bucket, desc: "Target s3 bucket"
+    def enable(bucket)
+      S3Secure::AccessLogs::Enable.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "disable BUCKET", "disable bucket access_logs"
+    long_desc Help.text("access_logs/disable")
+    def disable(bucket)
+      S3Secure::AccessLogs::Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/{abstract_base.rb → cli/base.rb}

@@ -1,7 +1,8 @@
-module S3Secure
-  class AbstractBase
-    include S3Secure::AwsServices
+class S3Secure::CLI
+  class Base
     extend Memoist
+    include S3Secure::AwsServices
+    include Say
 
     def initialize(options={})
       @options = options

data/lib/s3_secure/{batch.rb → cli/batch.rb}

@@ -1,4 +1,4 @@
-module S3Secure
+class S3Secure::CLI
   class Batch
     extend Memoist
 

data/lib/s3_secure/{encryption.rb → cli/encryption.rb}

@@ -1,28 +1,32 @@
-module S3Secure
-  class Encryption < Command
+class S3Secure::CLI
+  class Encryption < S3Secure::Command
+    class_option :quiet, type: :boolean
+
     desc "list", "List bucket encryptions"
     long_desc Help.text("encryption/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :encryption, type: :boolean, desc: "Filter for encryption: all, true, false"
     def list
-      List.new(options).run
+      S3Secure::Encryption::List.new(options).run
     end
 
     desc "show BUCKET", "show bucket encryption"
     long_desc Help.text("encryption/show")
     def show(bucket)
-      Show.new(options.merge(bucket: bucket)).run
+      S3Secure::Encryption::Show.new(options.merge(bucket: bucket)).run
     end
 
     desc "enable BUCKET", "enable bucket encryption"
     long_desc Help.text("encryption/enable")
     option :kms_key, desc: "KMS Key Id. If this is set will use sse_algorithm=aws:kms Otherwise will use sse_algorithm=AES256"
     def enable(bucket)
-      Enable.new(options.merge(bucket: bucket)).run
+      S3Secure::Encryption::Enable.new(options.merge(bucket: bucket)).run
     end
 
     desc "disable BUCKET", "disable bucket encryption"
     long_desc Help.text("encryption/disable")
     def disable(bucket)
-      Disable.new(options.merge(bucket: bucket)).run
+      S3Secure::Encryption::Disable.new(options.merge(bucket: bucket)).run
     end
   end
 end

data/lib/s3_secure/cli/help.rb

@@ -0,0 +1,11 @@
+class S3Secure::CLI
+  class Help
+    class << self
+      def text(namespaced_command)
+        path = namespaced_command.to_s.gsub(':','/')
+        path = File.expand_path("../help/#{path}.md", __FILE__)
+        IO.read(path) if File.exist?(path)
+      end
+    end
+  end
+end

data/lib/s3_secure/cli/lifecycle.rb

@@ -0,0 +1,33 @@
+class S3Secure::CLI
+  class Lifecycle < S3Secure::Command
+    class_option :quiet, type: :boolean
+
+    desc "list", "List bucket lifecycles"
+    long_desc Help.text("lifecycle/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :lifecycle, desc: "Filter for lifecycle: all, true, false"
+    def list
+      S3Secure::Lifecycle::List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket lifecycle"
+    long_desc Help.text("lifecycle/show")
+    def show(bucket)
+      S3Secure::Lifecycle::Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "add BUCKET", "add bucket lifecycle"
+    long_desc Help.text("lifecycle/add")
+    option :additive, type: :boolean, desc: "Force adding another lifecycle rule even if one exists. Note, may fail, need a different prefix filter"
+    option :prefix, desc: "Filter prefix. Used with additive mode."
+    def add(bucket)
+      S3Secure::Lifecycle::Add.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "remove BUCKET", "remove bucket lifecycle"
+    long_desc Help.text("lifecycle/remove")
+    def remove(bucket)
+      S3Secure::Lifecycle::Remove.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/cli/policy.rb

@@ -0,0 +1,31 @@
+class S3Secure::CLI
+  class Policy < S3Secure::Command
+    class_option :quiet, type: :boolean
+
+    desc "list", "List bucket policies"
+    long_desc Help.text("policy/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :policy, type: :boolean, desc: "Filter for policy: all, true, false"
+    def list
+      S3Secure::Policy::List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket policy"
+    long_desc Help.text("policy/show")
+    def show(bucket)
+      S3Secure::Policy::Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enforce_ssl BUCKET", "Add enforce ssl bucket policy"
+    long_desc Help.text("policy/enforce_ssl")
+    def enforce_ssl(bucket)
+      S3Secure::Policy::Enforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
+    end
+
+    desc "unforce_ssl BUCKET", "Remove enforce ssl bucket policy"
+    long_desc Help.text("policy/unforce_ssl")
+    def unforce_ssl(bucket)
+      S3Secure::Policy::Unforce.new(options.merge(bucket: bucket, sid: "ForceSSLOnlyAccess")).run
+    end
+  end
+end

data/lib/s3_secure/cli/public_access.rb

@@ -0,0 +1,32 @@
+class S3Secure::CLI
+  class PublicAccess < S3Secure::Command
+    class_option :quiet, type: :boolean
+
+    desc "list", "List bucket public access policy"
+    long_desc Help.text("public_access/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :blocked, desc: "Filter for public_access: all, true, false"
+    def list
+      S3Secure::PublicAccess::List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket public_access"
+    long_desc Help.text("public_access/show")
+    def show(bucket)
+      S3Secure::PublicAccess::Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "block BUCKET", "block bucket public_access"
+    long_desc Help.text("public_access/block")
+    option :prefix, desc: "Filter prefix. Used with mode."
+    def block(bucket)
+      S3Secure::PublicAccess::Block.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "unblock BUCKET", "unblock bucket public_access"
+    long_desc Help.text("public_access/unblock")
+    def unblock(bucket)
+      S3Secure::PublicAccess::Unblock.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/cli/remediate_all.rb

@@ -0,0 +1,12 @@
+class S3Secure::CLI
+  class RemediateAll < Base
+    def run
+      o = @options.merge(bucket: @bucket)
+      Encryption::Enable.new(o).run
+      Policy::Enforce.new(o.merge(sid: "ForceSSLOnlyAccess")).run
+      Versioning::Enable.new(o).run
+      Lifecycle::Add.new(o).run
+      AccessLogs::Enable.new(o).run
+    end
+  end
+end

data/lib/s3_secure/cli/say.rb

@@ -0,0 +1,7 @@
+class S3Secure::CLI
+  module Say
+    def say(msg)
+      puts msg unless @options[:quiet]
+    end
+  end
+end

data/lib/s3_secure/{summary.rb → cli/summary.rb}

@@ -1,9 +1,9 @@
-module S3Secure
-  class Summary < AbstractBase
+class S3Secure::CLI
+  class Summary < Base
     def run
       $stderr.puts("Determining bucket security-related settings. Can take a while for lots of buckets...")
       data = [%w[Bucket SSL? Encrypted?]]
-      items = Items.new(@options, buckets)
+      items = S3Secure::Summary::Items.new(@options, buckets)
       items.filtered_items.each do |i|
         data << [i.bucket, i.ssl, i.encrypted]
       end

data/lib/s3_secure/cli/versioning.rb

@@ -0,0 +1,31 @@
+class S3Secure::CLI
+  class Versioning < S3Secure::Command
+    class_option :quiet, type: :boolean
+
+    desc "list", "List bucket versionings"
+    long_desc Help.text("versioning/list")
+    option :format, desc: "Format options: #{CliFormat.formats.join(', ')}"
+    option :versioning, desc: "Filter for versioning: all, true, false"
+    def list
+      S3Secure::Versioning::List.new(options).run
+    end
+
+    desc "show BUCKET", "show bucket versioning"
+    long_desc Help.text("versioning/show")
+    def show(bucket)
+      S3Secure::Versioning::Show.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "enable BUCKET", "enable bucket versioning"
+    long_desc Help.text("versioning/enable")
+    def enable(bucket)
+      S3Secure::Versioning::Enable.new(options.merge(bucket: bucket)).run
+    end
+
+    desc "disable BUCKET", "disable bucket versioning"
+    long_desc Help.text("versioning/disable")
+    def disable(bucket)
+      S3Secure::Versioning::Disable.new(options.merge(bucket: bucket)).run
+    end
+  end
+end

data/lib/s3_secure/cli.rb

@@ -1,8 +1,12 @@
 module S3Secure
-  class CLI < Command
-    class_option :verbose, type: :boolean
+  class CLI < S3Secure::Command
+    class_option :quiet, type: :boolean
     class_option :noop, type: :boolean
 
+    desc "access_logs SUBCOMMAND", "access_logs subcommands"
+    long_desc Help.text(:access_logs)
+    subcommand "access_logs", AccessLogs
+
     desc "encryption SUBCOMMAND", "encryption subcommands"
     long_desc Help.text(:encryption)
     subcommand "encryption", Encryption
@@ -11,10 +15,28 @@ module S3Secure
     long_desc Help.text(:policy)
     subcommand "policy", Policy
 
+    desc "versioning SUBCOMMAND", "versioning subcommands"
+    long_desc Help.text(:versioning)
+    subcommand "versioning", Versioning
+
+    desc "lifecycle SUBCOMMAND", "lifecycle subcommands"
+    long_desc Help.text(:lifecycle)
+    subcommand "lifecycle", Lifecycle
+
+    desc "public_access SUBCOMMAND", "public_access subcommands"
+    long_desc Help.text(:public_access)
+    subcommand "public_access", PublicAccess
+
+    desc "remediate_all BUCKET", "Remediate all. For more fine-grain control use each of the commands directly."
+    long_desc Help.text("remediate_all")
+    def remediate_all(bucket)
+      RemediateAll.new(options.merge(bucket: bucket)).run
+    end
+
     desc "summary", "Summarize buckets"
     long_desc Help.text("summary")
-    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
     option :encrypted, default: "any", desc: "filter for encryption enabled. Examples: any, yes, no"
+    option :ssl, default: "any", desc: "filter for ssl enforcement. Examples: any, yes, no"
     def summary
       Summary.new(options).run
     end

data/lib/s3_secure/command.rb

@@ -77,6 +77,13 @@ module S3Secure
       def website
         ""
       end
+
+      # https://github.com/erikhuda/thor/issues/244
+      # Deprecation warning: Thor exit with status 0 on errors. To keep this behavior, you must define `exit_on_failure?` in `Lono::CLI`
+      # You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
+      def exit_on_failure?
+        true
+      end
     end
   end
 end

data/lib/s3_secure/encryption/base.rb

@@ -1,4 +1,4 @@
-class S3Secure::Encryption
-  class Base < S3Secure::AbstractBase
+module S3Secure::Encryption
+  class Base < S3Secure::CLI::Base
   end
 end

data/lib/s3_secure/encryption/disable.rb

@@ -1,17 +1,13 @@
-class S3Secure::Encryption
+module S3Secure::Encryption
   class Disable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
 
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
-      if rules
-        @s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
-        puts "Bucket #{@bucket} encryption has been removed"
+      if show.enabled?
+        s3.delete_bucket_encryption(bucket: @bucket) # returns resp = #<struct Aws::EmptyStructure>
+        say "Bucket #{@bucket} encryption has been removed"
       else
-        puts "WARN: Bucket #{@bucket} is not configured with encryption at the bucket level".color(:yellow)
+        say "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
     end
   end

data/lib/s3_secure/encryption/enable.rb

@@ -1,16 +1,11 @@
-class S3Secure::Encryption
+module S3Secure::Encryption
   class Enable < Base
     def run
-      @s3 = s3_regional_client(@bucket)
+      show = Show.new(@options)
 
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
-      if rules
+      if show.enabled?
         # check rules to see if encryption is already set of some sort
-        puts "Bucket #{@bucket} already has encryption rules:"
-        puts rules.map(&:to_h)
+        say "Bucket #{@bucket} already has encryption rules:"
       else
         # Set encryption rules
         # Ruby docs: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html#put_bucket_encryption-instance_method
@@ -18,12 +13,11 @@ class S3Secure::Encryption
         #
         #    put_bucket_encryption returns #<struct Aws::EmptyStructure>
         #
-        @s3.put_bucket_encryption(
+        s3.put_bucket_encryption(
           bucket: @bucket,
           server_side_encryption_configuration: {
             rules: [rule]})
-        puts "Encyption enabled on bucket #{@bucket} with rules:"
-        pp rule
+        say "Encyption enabled on bucket #{@bucket} with rules:"
       end
     end
 

data/lib/s3_secure/encryption/list.rb

@@ -1,28 +1,24 @@
-class S3Secure::Encryption
+module S3Secure::Encryption
   class List < Base
     def run
+      presenter = CliFormat::Presenter.new(@options)
+      presenter.header = ["Bucket", "Has Encryption?"]
+
       buckets.each do |bucket|
-        @s3 = s3_regional_client(bucket)
-        puts "Policy for bucket #{bucket.color(:green)}"
-        encryption_rules = get_encryption_rules(bucket)
+        $stderr.puts "Getting encryption for bucket #{bucket.color(:green)}"
+        show = Show.new(bucket: bucket)
 
-        if encryption_rules
-          puts encryption_rules
+        row = [bucket, show.enabled?]
+        if @options[:encryption].nil?
+          presenter.rows << row # always show policy
+        elsif @options[:encryption]
+          presenter.rows << row if show.enabled? # only show if bucket has some encryption rules
         else
-          puts "Bucket does not have bucket encryption enabled"
+          presenter.rows << row unless show.enabled? # only show if bucket doesnt have any encryption rules
         end
       end
-    end
-
-    def get_encryption_rules(bucket)
-      resp = @s3.get_bucket_encryption(bucket: bucket)
-      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
-    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
-    end
 
-    # Useful when calling List outside of the list CLI
-    def set_s3(client)
-      @s3 = client
+      presenter.show
     end
   end
 end

data/lib/s3_secure/encryption/show.rb

@@ -1,18 +1,24 @@
-class S3Secure::Encryption
+module S3Secure::Encryption
   class Show < Base
     def run
-      @s3 = s3_regional_client(@bucket)
-
-      list = S3Secure::Encryption::List.new(@options)
-      list.set_s3(@s3)
-
-      rules = list.get_encryption_rules(@bucket)
       if rules
-        puts "Bucket #{@bucket} is configured with these encryption rules:"
-        puts rules.map(&:to_h)
+        say "Bucket #{@bucket} is configured with these encryption rules:"
+        say rules.map(&:to_h)
       else
-        puts "Bucket #{@bucket} is not configured with encryption at the bucket level"
+        say "Bucket #{@bucket} is not configured with encryption at the bucket level"
       end
+      rules
+    end
+
+    def enabled?
+      !!(rules && !rules.empty?)
+    end
+
+    def rules
+      resp = s3.get_bucket_encryption(bucket: @bucket)
+      resp.server_side_encryption_configuration.rules # Aws::Xml::DefaultList object
+    rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
     end
+    memoize :rules
   end
 end

data/lib/s3_secure/help/batch.md

@@ -0,0 +1,14 @@
+There are some supported batch commands:
+
+    s3-secure batch encryption enable FILE.txt
+    s3-secure batch encryption disable FILE.txt
+    s3-secure batch policy enforce_ssl FILE.txt
+    s3-secure batch policy unforce_ssl FILE.txt
+
+The format of FILE.txt is a list of bucket names separated by newlines.  Example:
+
+buckets.txt:
+
+    my-bucket-1
+    my-bucket-2
+

data/lib/s3_secure/help/encryption/list.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure encryption list                 # shows all buckets with and without polices
+    s3-secure encryption list --encryption    # only shows buckets with encryption
+    s3-secure encryption list --no-encryption # only shows buckets without encryption

data/lib/s3_secure/help/lifecycle/add.md

@@ -0,0 +1,13 @@
+## Example
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $
+
+By default, the add command will only add a lifecycle policy if you none exists.
+
+It may be useful to test adding an additional lifecycle policy, for this you can use both the `--additive` and `--prefix` options. Note, you must make sure that the lifecycle policies can work together. For example, they must have different prefixes.
+
+    $ s3-secure lifecycle add a-test-bucket-in-us-east-1 --additive --prefix /foo
+    Added lifecycle policy to bucket a-test-bucket-in-us-east-1
+    $

data/lib/s3_secure/help/lifecycle/list.md

@@ -0,0 +1,22 @@
+## Examples
+
+    $ s3-secure lifecycle list
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle true
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-west-1 | true                 |
+    +----------------------------+----------------------+
+    $ s3-secure lifecycle list --lifecycle false
+    +----------------------------+----------------------+
+    |           Bucket           | Has Lifecycle Rules? |
+    +----------------------------+----------------------+
+    | a-test-bucket-in-us-east-1 | false                |
+    +----------------------------+----------------------+
+    $

data/lib/s3_secure/help/lifecycle/remove.md

@@ -0,0 +1,5 @@
+## Examples
+
+    $ s3-secure lifecycle remove a-test-bucket-in-us-east-1
+    Removed the s3-secure-automated-cleanup lifecycle rule on bucket a-test-bucket-in-us-east-1
+    $

data/lib/s3_secure/help/lifecycle/show.md

@@ -0,0 +1,13 @@
+## Examples
+
+    $ s3-secure lifecycle show a-test-bucket-in-us-east-1
+    This S3 bucket has lifecycle rules
+    Bucket lifecycle details:
+    {:rules=>
+      [{:expiration=>{:expired_object_delete_marker=>true},
+        :id=>"s3-secure-automated-cleanup",
+        :prefix=>"/bar",
+        :status=>"Enabled",
+        :noncurrent_version_expiration=>{:noncurrent_days=>365},
+        :abort_incomplete_multipart_upload=>{:days_after_initiation=>30}}]}
+    $

data/lib/s3_secure/help/policy/list.md

@@ -0,0 +1,5 @@
+## Examples
+
+    s3-secure policy list             # shows all buckets with and without polices
+    s3-secure policy list --policy    # only shows buckets with policy
+    s3-secure policy list --no-policy # only shows buckets without policy

data/lib/s3_secure/lifecycle/add.rb

@@ -0,0 +1,33 @@
+module S3Secure::Lifecycle
+  class Add < Base
+    RULE_ID = Base::RULE_ID
+
+    def run
+      show = Show.new(@options)
+      if @options[:additive]
+        current_rules = show.get_lifecycle_rules(@bucket)
+        builder = Builder.new(current_rules)
+        rules = builder.rules_with_addition(@options[:prefix])
+        if current_rules.size == rules.size
+          say "WARN: rule wasnt added because a #{RULE_ID} already exists".color(:yellow)
+        else
+          s3.put_bucket_lifecycle_configuration(
+            bucket: @bucket, # required
+            lifecycle_configuration: {rules: rules}
+          )
+        end
+      elsif show.any?
+        say "Bucket #{@bucket} is has a lifecycle policy already."
+        return
+      else
+        options = {
+          bucket: @bucket, # required
+          lifecycle_configuration: {rules: [Builder::DEFAULT_RULE]}
+        }
+        s3.put_bucket_lifecycle_configuration(options)
+      end
+
+      say "Added lifecycle policy to bucket #{@bucket}"
+    end
+  end
+end

data/lib/s3_secure/lifecycle/base.rb

@@ -0,0 +1,5 @@
+module S3Secure::Lifecycle
+  class Base < S3Secure::CLI::Base
+    RULE_ID = "s3-secure-automated-cleanup"
+  end
+end