inspec/test/integration/default/verify/controls/aws_s3_bucket.rb

fixtures = {}
[
  's3_bucket_public_name',
  's3_bucket_private_name',
  's3_bucket_auth_name',
  's3_bucket_private_acl_public_policy_name',  
  's3_bucket_public_region',
].each do |fixture_name|
  fixtures[fixture_name] = attribute(
    fixture_name,
    default: "default.#{fixture_name}",
    description: 'See ../build/s3.tf',
  )
end

control 'aws_s3_bucket recall tests' do
  #------------------- Exists -------------------#
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
    it { should exist }
  end

  #------------------- Does Not Exist -------------------#
  describe aws_s3_bucket(bucket_name: 'inspec-testing-NonExistentBucket.chef.io') do
    it { should_not exist }
  end
end

control 'aws_s3_bucket properties tests' do
  #--------------------------- Region --------------------------#
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
    its('region') { should eq fixtures['s3_bucket_public_region'] }
  end

  #------------------- bucket_acl -------------------#
  describe "Bucket ACL: Public grants on a public bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_acl.select do |g|
        g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
      end
    end
    it { should_not be_empty }
  end
  
  describe "Bucket ACL: Public grants on a private bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |g|
        g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
      end
    end
    it { should be_empty }
  end

  describe "Bucket ACL: AuthUser grants on a private bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |g|
        g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
      end
    end
    it { should be_empty }
  end

  describe "Bucket ACL: AuthUser grants on an AuthUser bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_acl.select do |g|
        g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
      end
    end
    it { should_not be_empty }
  end

  #------------------- bucket_policy -------------------#
  describe "Bucket Policy: Allow GetObject Statement For Everyone on public" do
    subject do
      bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_policy
      allow_all = bucket_policy.select { |s| s.effect == 'Allow' && s.principal == '*' }
      allow_all.count
    end
    it { should == 1 }
  end

  describe "Bucket Policy: Allow GetObject Statement For Everyone on private" do
    subject do
      bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_policy
      allow_all = bucket_policy.select { |s| s.effect == 'Allow' && s.principal == '*' }
      allow_all.count
    end
    it { should be_zero }
  end

  describe "Bucket Policy: Empty policy on auth" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_policy
    end
    it { should be_empty }
  end
end

control 'aws_s3_bucket matchers test' do
  
  #------------------------  be_public --------------------------#  
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
    it { should be_public }
  end
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']) do
    it { should be_public }
  end
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']) do
    it { should_not be_public }
  end
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_acl_public_policy_name']) do
    it { should be_public }
  end
end
aws_s3_bucket with modified interface (#183) Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu> Signed-off-by: Aaron Lippold <lippold@gmail.com> Signed-off-by: Sam Cornwell <14048146+samcornwell@users.noreply.github.com> Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-01-19 16:50:08 +00:00			`fixtures = {}`
			`[`
			`'s3_bucket_public_name',`
			`'s3_bucket_private_name',`
			`'s3_bucket_auth_name',`
			`'s3_bucket_private_acl_public_policy_name',`
			`'s3_bucket_public_region',`
			`].each do \|fixture_name\|`
			`fixtures[fixture_name] = attribute(`
			`fixture_name,`
			`default: "default.#{fixture_name}",`
			`description: 'See ../build/s3.tf',`
			`)`
			`end`

			`control 'aws_s3_bucket recall tests' do`
			`#------------------- Exists -------------------#`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do`
			`it { should exist }`
			`end`

			`#------------------- Does Not Exist -------------------#`
			`describe aws_s3_bucket(bucket_name: 'inspec-testing-NonExistentBucket.chef.io') do`
			`it { should_not exist }`
			`end`
			`end`

			`control 'aws_s3_bucket properties tests' do`
			`#--------------------------- Region --------------------------#`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do`
			`its('region') { should eq fixtures['s3_bucket_public_region'] }`
			`end`

			`#------------------- bucket_acl -------------------#`
			`describe "Bucket ACL: Public grants on a public bucket" do`
			`subject do`
			`aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_acl.select do \|g\|`
			`g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/`
			`end`
			`end`
			`it { should_not be_empty }`
			`end`

			`describe "Bucket ACL: Public grants on a private bucket" do`
			`subject do`
			`aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do \|g\|`
			`g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/`
			`end`
			`end`
			`it { should be_empty }`
			`end`

			`describe "Bucket ACL: AuthUser grants on a private bucket" do`
			`subject do`
			`aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do \|g\|`
			`g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/`
			`end`
			`end`
			`it { should be_empty }`
			`end`

			`describe "Bucket ACL: AuthUser grants on an AuthUser bucket" do`
			`subject do`
			`aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_acl.select do \|g\|`
			`g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/`
			`end`
			`end`
			`it { should_not be_empty }`
			`end`

			`#------------------- bucket_policy -------------------#`
			`describe "Bucket Policy: Allow GetObject Statement For Everyone on public" do`
			`subject do`
			`bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_policy`
			`allow_all = bucket_policy.select { \|s\| s.effect == 'Allow' && s.principal == '*' }`
			`allow_all.count`
			`end`
			`it { should == 1 }`
			`end`

			`describe "Bucket Policy: Allow GetObject Statement For Everyone on private" do`
			`subject do`
			`bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_policy`
			`allow_all = bucket_policy.select { \|s\| s.effect == 'Allow' && s.principal == '*' }`
			`allow_all.count`
			`end`
			`it { should be_zero }`
			`end`

			`describe "Bucket Policy: Empty policy on auth" do`
			`subject do`
			`aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_policy`
			`end`
			`it { should be_empty }`
			`end`
			`end`

			`control 'aws_s3_bucket matchers test' do`

			`#------------------------ be_public --------------------------#`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do`
			`it { should be_public }`
			`end`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']) do`
			`it { should be_public }`
			`end`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']) do`
			`it { should_not be_public }`
			`end`
			`describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_acl_public_policy_name']) do`
			`it { should be_public }`
			`end`
			`end`