require "helper"
require "inspec/resource"
require "resources/aws/aws_iam_users"
require "resource_support/aws"
require "resources/aws/aws_iam_users"
# Maiusb = Mock AwsIamUsers::BackendFactory
# Abbreviation not used outside of this file
class AwsIamUsersTestConstructor < Minitest::Test
  # Every constructor test runs against the no-user mock backend so the
  # resource never has to talk to a real API.
  def setup
    AwsIamUsers::BackendFactory.select(Maiusb::Empty)
  end

  # Building the plural resource with no arguments must simply work.
  def test_users_no_params_does_not_explode
    AwsIamUsers.new
  end

  # The plural resource accepts no parameters at all; any keyword is an error.
  def test_users_all_params_rejected
    assert_raises(ArgumentError) do
      AwsIamUsers.new(something: "somevalue")
    end
  end
end
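class AwsIamUsersTestFilterCriteria < Minitest::Test
  # Every test starts on the empty mock backend; the tests that need
  # users switch to Maiusb::Basic themselves.
  def setup
    # Reset to empty, that's harmless
    AwsIamUsers::BackendFactory.select(Maiusb::Empty)
  end

  #------------------------------------------#
  # Open Filter
  #------------------------------------------#
  def test_users_empty_result_when_no_users_no_criteria
    users = AwsIamUsers.new.where {}
    assert users.entries.empty?
  end

  def test_users_all_returned_when_some_users_no_criteria
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where {}
    # assert_equal, not assert: `assert(3, x)` treats 3 as the condition
    # (always truthy) and x as the failure message, so the count was never
    # actually checked. Same fix applied to the counts below.
    assert_equal(3, users.entries.count)
  end

  #------------------------------------------#
  # has_mfa_enabled?
  #------------------------------------------#
  def test_users_criteria_has_mfa_enabled
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where { has_mfa_enabled }
    # Only carol carries an MFA device in the Basic fixture.
    assert_equal(1, users.entries.count)
    assert_includes users.usernames, "carol"
    refute_includes users.usernames, "alice"
  end

  #------------------------------------------#
  # has_console_password?
  #------------------------------------------#
  def test_users_criteria_has_console_password?
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where { has_console_password }
    # bob and carol have login profiles; alice does not.
    assert_equal(2, users.entries.count)
    assert_includes users.usernames, "carol"
    refute_includes users.usernames, "alice"
  end

  #------------------------------------------#
  # password_ever_used?
  #------------------------------------------#
  def test_users_criteria_password_ever_used?
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where { password_ever_used? }
    # bob and carol have a password_last_used timestamp; alice has none.
    assert_equal(2, users.entries.count)
    assert_includes users.usernames, "carol"
    refute_includes users.usernames, "alice"
  end

  #------------------------------------------#
  # password_never_used?
  #------------------------------------------#
  def test_users_criteria_password_never_used?
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where { password_never_used? }
    assert_equal(1, users.entries.count)
    assert_includes users.usernames, "alice"
    refute_includes users.usernames, "carol"
  end

  #------------------------------------------#
  # password_last_used_days_ago
  #------------------------------------------#
  def test_users_criteria_has_password_last_used_days_ago_10
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where(password_last_used_days_ago: 10)
    # The fixture sets bob's last password use to exactly 10 days ago.
    assert_equal(1, users.entries.count)
    assert_includes users.usernames, "bob"
    refute_includes users.usernames, "alice"
  end

  #------------------------------------------#
  # has_inline_policies
  #------------------------------------------#
  def test_users_have_inline_policies
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where(has_inline_policies?: true)
    assert_equal(2, users.entries.count)
    assert_includes users.usernames, "bob"
    assert_includes users.usernames, "carol"
    refute_includes users.usernames, "alice"

    users.inline_policy_names.each do |name|
      assert_kind_of(String, name)
    end
    assert_includes users.inline_policy_names, "bob-inline-01"
    assert_includes users.inline_policy_names, "bob-inline-02"
    assert_includes users.inline_policy_names, "carol-inline-01"
    assert_equal(3, users.inline_policy_names.count)
  end

  #------------------------------------------#
  # has_attached_policies
  #------------------------------------------#
  def test_users_have_attached_policies
    AwsIamUsers::BackendFactory.select(Maiusb::Basic)
    users = AwsIamUsers.new.where(has_attached_policies: true)
    assert_equal(2, users.entries.count)
    assert_includes users.usernames, "bob"
    assert_includes users.usernames, "carol"
    refute_includes users.usernames, "alice"

    users.attached_policy_names.each do |name|
      assert_kind_of(String, name)
    end
    assert_includes users.attached_policy_names, "AdministratorAccess"
    assert_includes users.attached_policy_names, "ReadOnlyAccess"
    # Two distinct names, but three ARNs: the fixture gives carol a
    # customer-managed policy that reuses the name "AdministratorAccess".
    assert_equal(2, users.attached_policy_names.count)

    users.attached_policy_arns.each do |arn|
      assert_kind_of(String, arn)
    end
    assert_includes users.attached_policy_arns, "arn:aws:iam::aws:policy/ReadOnlyAccess"
    assert_equal(3, users.attached_policy_arns.count)
  end
end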
#=============================================================================#
# Test Fixture Classes
#=============================================================================#
module Maiusb
  # --------------------------------
  # Empty - No users
  # --------------------------------
  class Empty < AwsBackendBase
    # No users, whatever the criteria.
    def list_users(_criteria = {})
      OpenStruct.new(users: [])
    end

    # Nobody has a login profile, so every lookup is a miss.
    # NOTE(review): Aws service errors take (context, message); here the
    # formatted string lands in the context slot and "Nope" becomes the
    # message — confirm that is what the resource expects.
    def get_login_profile(criteria)
      raise Aws::IAM::Errors::NoSuchEntity.new("No login profile for #{criteria[:user_name]}", "Nope")
    end

    # Nobody has an MFA device.
    def list_mfa_devices(_criteria)
      OpenStruct.new(mfa_devices: [])
    end
  end

  # --------------------------------
  # Basic - 3 Users
  # --------------------------------
  # Alice has no password or MFA device
  # Bob has a password but no MFA device
  # Carol has a password and MFA device
  class Basic < AwsBackendBase
    # Users that own a login profile (console password).
    CONSOLE_USERS = %w{bob carol}.freeze
    # Users that own an MFA device.
    MFA_USERS = %w{carol}.freeze
    # Seconds in one day, for the password_last_used offsets.
    DAY = 24 * 60 * 60

    # arn, path, user_id omitted
    def list_users(_criteria = {})
      alice = OpenStruct.new(
        user_name: "alice",
        create_date: DateTime.parse("2017-10-10T16:19:30Z")
        # Password last used is absent, never logged in w/ password
      )
      bob = OpenStruct.new(
        user_name: "bob",
        create_date: DateTime.parse("2017-11-06T16:19:30Z"),
        password_last_used: Time.now - 10 * DAY
      )
      carol = OpenStruct.new(
        user_name: "carol",
        create_date: DateTime.parse("2017-10-10T16:19:30Z"),
        password_last_used: Time.now - 91 * DAY
      )
      OpenStruct.new(users: [alice, bob, carol])
    end

    # Returns a login profile for CONSOLE_USERS, raises NoSuchEntity otherwise.
    def get_login_profile(criteria)
      name = criteria[:user_name]
      unless CONSOLE_USERS.include?(name)
        raise Aws::IAM::Errors::NoSuchEntity.new("No login profile for #{name}", "Nope")
      end

      profile = OpenStruct.new(
        user_name: name,
        created_date: DateTime.parse("2017-10-10T16:19:30Z")
      )
      OpenStruct.new(login_profile: profile)
    end

    # One MFA device for MFA_USERS, an empty list for everyone else.
    def list_mfa_devices(criteria)
      name = criteria[:user_name]
      return OpenStruct.new(mfa_devices: []) unless MFA_USERS.include?(name)

      device = OpenStruct.new(
        user_name: name,
        serial_number: "1234567890",
        enable_date: DateTime.parse("2017-10-10T16:19:30Z")
      )
      OpenStruct.new(mfa_devices: [device])
    end

    # Inline policy names per user; nil for a user the fixture does not know.
    def list_user_policies(query)
      inline = {
        "alice" => [],
        "bob" => ["bob-inline-01", "bob-inline-02"],
        "carol" => ["carol-inline-01"],
      }
      responses = inline.transform_values do |names|
        Aws::IAM::Types::ListUserPoliciesResponse.new(policy_names: names)
      end
      responses[query[:user_name]]
    end

    # Attached (managed) policies per user as [name, arn] pairs; nil for a
    # user the fixture does not know.
    def list_attached_user_policies(query)
      attached = {
        "alice" => [],
        "bob" => [
          ["AdministratorAccess", "arn:aws:iam::aws:policy/AdministratorAccess"],
        ],
        "carol" => [
          ["ReadOnlyAccess", "arn:aws:iam::aws:policy/ReadOnlyAccess"],
          # Same display name as bob's policy but a customer-managed ARN, so
          # the tests see 2 distinct names and 3 distinct ARNs.
          ["AdministratorAccess", "arn:aws:iam::123456789012:policy/some-policy"],
        ],
      }
      responses = attached.transform_values do |pairs|
        Aws::IAM::Types::ListAttachedUserPoliciesResponse.new(
          attached_policies: pairs.map { |name, arn| { policy_arn: arn, policy_name: name } }
        )
      end
      responses[query[:user_name]]
    end
  end
end