s3-secure 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0ac426bde14db38fecbc1d692dc5c79ddd4078da837d9b6d389752fdb96d5805
+  data.tar.gz: 2f8a8aaf36996722a23c4b0afd95ff05936ed12e4c1e384f9594cd4b22cc4054
+SHA512:
+  metadata.gz: c0ff5d52734ae470d203b43c19fff7c87924709b15cb5f86420faa2886a4e43bc4ead66cd531fd9a98dcb480143db2286a9c58af8d3be1e4357966d357c78ac4
+  data.tar.gz: 95ca0ef971df08986f2dfb7b9fd6bcec8d1097d44fb38fc999d456e6863f0a7ba28767824a9c203c4c9f78c81b9074f16811f762efc8fc3276ec25f2e4bdcf93

data/.gitignore

@@ -0,0 +1,16 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+_yardoc
+coverage
+doc/
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,3 @@
+--require spec_helper
+--color
+--format documentation

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+This project *tries* to adhere to [Semantic Versioning](http://semver.org/), even before v1.0.
+
+## [0.1.0]
+- Initial release.

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+# Specify your gem dependencies in s3-secure.gemspec
+gemspec
+
+gem "codeclimate-test-reporter", group: :test, require: nil

data/Gemfile.lock

@@ -0,0 +1,89 @@
+PATH
+  remote: .
+  specs:
+    s3-secure (0.1.0)
+      activesupport
+      aws-sdk-s3
+      memoist
+      rainbow
+      thor
+      zeitwerk
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2)
+    aws-eventstream (1.0.3)
+    aws-partitions (1.240.0)
+    aws-sdk-core (3.78.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.239.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-kms (1.25.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.56.0)
+      aws-sdk-core (~> 3, >= 3.77.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    byebug (11.0.1)
+    cli_markdown (0.1.0)
+    codeclimate-test-reporter (1.0.9)
+      simplecov (<= 0.13)
+    concurrent-ruby (1.1.5)
+    diff-lcs (1.3)
+    docile (1.1.5)
+    i18n (1.7.0)
+      concurrent-ruby (~> 1.0)
+    jmespath (1.4.0)
+    json (2.2.0)
+    memoist (0.16.1)
+    minitest (5.13.0)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
+    simplecov (0.13.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    zeitwerk (2.2.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  byebug
+  cli_markdown
+  codeclimate-test-reporter
+  rake
+  rspec
+  s3-secure!
+
+BUNDLED WITH
+   2.0.2

data/Guardfile

@@ -0,0 +1,19 @@
+guard "bundler", cmd: "bundle" do
+  watch("Gemfile")
+  watch(/^.+\.gemspec/)
+end
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2019 Tung Nguyen
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,56 @@
+# s3-secure
+
+[![Gem Version](https://badge.fury.io/rb/s3-secure.png)](http://badge.fury.io/rb/s3-secure)
+
+[![BoltOps Badge](https://img.boltops.com/boltops/badges/boltops-badge.png)](https://www.boltops.com)
+
+The s3-secure tool can be used to harden your s3 bucket security posture. The tool is useful if you have a lot of buckets to update. It supports:
+
+* enabling encryption
+* adding an enforce ssl bucket policy
+
+## Usage
+
+Summary of encryption commands:
+
+    s3-secure encryption list
+    s3-secure encryption show BUCKET
+    s3-secure encryption enable BUCKET
+    s3-secure encryption disable BUCKET
+
+Summary of policy commands:
+
+    s3-secure policy list
+    s3-secure policy show BUCKET
+    s3-secure policy enforce_ssl BUCKET
+    s3-secure policy unforce_ssl BUCKET
+
+## Batch Commands
+
+There are some supported batch commands:
+
+    s3-secure batch encryption enable FILE.txt
+    s3-secure batch encryption disable FILE.txt
+    s3-secure batch policy enforce_ssl FILE.txt
+    s3-secure batch policy unforce_ssl FILE.txt
+
+The format of FILE.txt is a list of bucket names separated by newlines.  Example:
+
+buckets.txt:
+
+    my-bucket-1
+    my-bucket-2
+
+## Installation
+
+Install with the `gem` command:
+
+    gem install s3-secure
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am "Add some feature"`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,14 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+task default: :spec
+
+RSpec::Core::RakeTask.new
+
+require_relative "lib/s3-secure"
+require "cli_markdown"
+desc "Generates cli reference docs as markdown"
+task :docs do
+  mkdir_p "docs/_includes"
+  CliMarkdown::Creator.create_all(cli_class: S3Secure::CLI, cli_name: "s3-secure")
+end

data/exe/s3-secure

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+# Trap ^C
+Signal.trap("INT") {
+  puts "\nCtrl-C detected. Exiting..."
+  sleep 0.1
+  exit
+}
+
+$:.unshift(File.expand_path("../../lib", __FILE__))
+require "s3-secure"
+require "s3_secure/cli"
+
+S3Secure::CLI.start(ARGV)

data/lib/s3-secure.rb

@@ -0,0 +1 @@
+require_relative "s3_secure"

data/lib/s3_secure.rb

@@ -0,0 +1,14 @@
+$:.unshift(File.expand_path("../", __FILE__))
+require "json"
+require "memoist"
+require "rainbow/ext/string"
+require "s3_secure/version"
+require "active_support/core_ext/module" # for delegate
+require "active_support/core_ext/string"
+
+require "s3_secure/autoloader"
+S3Secure::Autoloader.setup
+
+module S3Secure
+  class Error < StandardError; end
+end

data/lib/s3_secure/abstract_base.rb

@@ -0,0 +1,17 @@
+module S3Secure
+  class AbstractBase
+    include S3Secure::AwsServices
+    extend Memoist
+
+    def initialize(options={})
+      @options = options
+      @bucket = options[:bucket] # not set on the list command but common enough to set here
+    end
+
+    def buckets
+      resp = s3_client.list_buckets
+      resp.buckets.map(&:name)
+    end
+    memoize :buckets
+  end
+end

data/lib/s3_secure/autoloader.rb

@@ -0,0 +1,27 @@
+require "zeitwerk"
+
+module S3Secure
+  class Autoloader
+    class Inflector < Zeitwerk::Inflector
+      def camelize(basename, _abspath)
+        map = {
+          cli: "CLI",
+          force_ssl_only_access: "ForceSSLOnlyAccess",
+          force_ssl_only_access_remove: "ForceSSLOnlyAccessRemove",
+          version: "VERSION",
+        }
+        map[basename.to_sym] || super
+      end
+    end
+
+    class << self
+      def setup
+        loader = Zeitwerk::Loader.new
+        loader.inflector = Inflector.new
+        loader.push_dir(File.dirname(__dir__)) # lib
+        loader.ignore("#{File.dirname(__dir__)}/s3-secure.rb")
+        loader.setup
+      end
+    end
+  end
+end

data/lib/s3_secure/aws_services.rb

@@ -0,0 +1,36 @@
+require "aws-sdk-s3"
+
+module S3Secure
+  module AwsServices
+    extend Memoist
+
+    @@buckets = {} # holds bucket => region map
+    def s3_regional_client(bucket)
+      region = @@buckets[bucket]
+
+      unless region
+        resp = s3_client.get_bucket_location(bucket: bucket)
+        region = resp.location_constraint
+        region = 'us-east-1' if region.empty? # "" means us-east-1
+      end
+
+      new_s3_regional_client(region)
+    end
+
+    def new_s3_regional_client(region=nil)
+      options = {}
+      options[:endpoint] = "https://s3.#{region}.amazonaws.com" if region
+      options[:region] = region if region
+      Aws::S3::Client.new(options)
+    end
+    memoize :new_s3_regional_client
+
+    # Generic s3 client. Will be configured to whatever region user has locally configured in ~/.aws/config
+    # Used to call get_bucket_location to get each specific bucket's location.
+    # Generally use the s3_regional_client instead of this.
+    def s3_client
+      Aws::S3::Client.new
+    end
+    memoize :s3_client
+  end
+end

data/lib/s3_secure/batch.rb

@@ -0,0 +1,25 @@
+module S3Secure
+  class Batch
+    extend Memoist
+
+    def initialize(*params)
+      @params = params
+      @command, @subcommand, @file = params
+    end
+
+    def run
+      buckets.each do |bucket|
+        args = @params
+        args.pop
+        args << bucket
+        puts "Running: s3-secure #{args.join(' ')}".color(:green)
+        S3Secure::CLI.start(args)
+      end
+    end
+
+    def buckets
+      IO.readlines(@file).map(&:strip).reject(&:empty?)
+    end
+    memoize :buckets
+  end
+end

data/lib/s3_secure/cli.rb

@@ -0,0 +1,37 @@
+module S3Secure
+  class CLI < Command
+    class_option :verbose, type: :boolean
+    class_option :noop, type: :boolean
+
+    desc "encryption SUBCOMMAND", "encryption subcommands"
+    long_desc Help.text(:encryption)
+    subcommand "encryption", Encryption
+
+    desc "policy SUBCOMMAND", "policy subcommands"
+    long_desc Help.text(:policy)
+    subcommand "policy", Policy
+
+    desc "batch *PARAMS", "Batch wrapper method"
+    long_desc Help.text(:batch)
+    def batch(*params)
+      Batch.new(*params).run
+    end
+
+    desc "completion *PARAMS", "Prints words for auto-completion."
+    long_desc Help.text(:completion)
+    def completion(*params)
+      Completer.new(CLI, *params).run
+    end
+
+    desc "completion_script", "Generates a script that can be eval to setup auto-completion."
+    long_desc Help.text(:completion_script)
+    def completion_script
+      Completer::Script.generate
+    end
+
+    desc "version", "prints version"
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/s3_secure/command.rb

@@ -0,0 +1,82 @@
+require "thor"
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module S3Secure
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   s3-secure command help
+        #   s3-secure command -h
+        #   s3-secure command --help
+        #   s3-secure command -D
+        #
+        # as well thor's normal way:
+        #
+        #   s3-secure help command
+        help_flags = Thor::HELP_MAPPINGS + ["help"]
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, "help")
+        end
+
+        #   s3-secure version
+        #   s3-secure --version
+        #   s3-secure -v
+        version_flags = ["--version", "-v"]
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ["version"]
+        end
+
+        super
+      end
+
+      # Override command_help to include the description at the top of the
+      # long_description.
+      def command_help(shell, command_name)
+        meth = normalize_command_name(command_name)
+        command = all_commands[meth]
+        alter_command_description(command)
+        super
+      end
+
+      def alter_command_description(command)
+        return unless command
+
+        # Add description to beginning of long_description
+        long_desc = if command.long_description
+            "#{command.description}\n\n#{command.long_description}"
+          else
+            command.description
+          end
+
+        # add reference url to end of the long_description
+        unless website.empty?
+          full_command = [command.ancestor_name, command.name].compact.join('-')
+          url = "#{website}/reference/s3-secure-#{full_command}"
+          long_desc += "\n\nHelp also available at: #{url}"
+        end
+
+        command.long_description = long_desc
+      end
+      private :alter_command_description
+
+      # meant to be overriden
+      def website
+        ""
+      end
+    end
+  end
+end