2019-06-11 22:24:35 +00:00
|
|
|
require "resource_support/aws/aws_singular_resource_mixin"
|
|
|
|
require "resource_support/aws/aws_backend_base"
|
|
|
|
require "aws-sdk-s3"
|
2019-05-25 08:33:26 +00:00
|
|
|
|
2018-01-19 16:50:08 +00:00
|
|
|
class AwsS3Bucket < Inspec.resource(1)
|
2019-06-11 22:24:35 +00:00
|
|
|
name "aws_s3_bucket"
|
|
|
|
desc "Verifies settings for a s3 bucket"
|
2019-03-19 14:17:32 +00:00
|
|
|
example <<~EXAMPLE
|
2018-01-19 16:50:08 +00:00
|
|
|
describe aws_s3_bucket(bucket_name: 'test_bucket') do
|
|
|
|
it { should exist }
|
|
|
|
end
|
2019-03-19 14:17:32 +00:00
|
|
|
EXAMPLE
|
2019-06-11 22:24:35 +00:00
|
|
|
supports platform: "aws"
|
2018-01-19 16:50:08 +00:00
|
|
|
|
2018-02-08 04:26:37 +00:00
|
|
|
include AwsSingularResourceMixin
|
2018-05-03 13:55:29 +00:00
|
|
|
attr_reader :bucket_name, :has_default_encryption_enabled, :has_access_logging_enabled, :region
|
2018-01-19 16:50:08 +00:00
|
|
|
|
|
|
|
def to_s
|
|
|
|
"S3 Bucket #{@bucket_name}"
|
|
|
|
end
|
|
|
|
|
|
|
|
def bucket_acl
|
2018-02-14 19:15:20 +00:00
|
|
|
catch_aws_errors do
|
|
|
|
@bucket_acl ||= BackendFactory.create(inspec_runner).get_bucket_acl(bucket: bucket_name).grants
|
|
|
|
end
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def bucket_policy
|
|
|
|
@bucket_policy ||= fetch_bucket_policy
|
|
|
|
end
|
|
|
|
|
|
|
|
# RSpec will alias this to be_public
|
|
|
|
def public?
|
|
|
|
# first line just for formatting
|
|
|
|
false || \
|
2019-06-11 22:24:35 +00:00
|
|
|
bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AllUsers/ } || \
|
|
|
|
bucket_acl.any? { |g| g.grantee.type == "Group" && g.grantee.uri =~ /AuthenticatedUsers/ } || \
|
|
|
|
bucket_policy.any? { |s| s.effect == "Allow" && s.principal == "*" }
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
|
2018-05-03 13:55:29 +00:00
|
|
|
def has_default_encryption_enabled?
|
|
|
|
return false unless @exists
|
|
|
|
@has_default_encryption_enabled ||= fetch_bucket_encryption_configuration
|
|
|
|
end
|
|
|
|
|
2018-02-01 16:50:38 +00:00
|
|
|
def has_access_logging_enabled?
|
2018-05-03 13:55:29 +00:00
|
|
|
return false unless @exists
|
2018-02-14 19:15:20 +00:00
|
|
|
catch_aws_errors do
|
|
|
|
@has_access_logging_enabled ||= !BackendFactory.create(inspec_runner).get_bucket_logging(bucket: bucket_name).logging_enabled.nil?
|
|
|
|
end
|
2018-02-01 16:50:38 +00:00
|
|
|
end
|
|
|
|
|
2018-01-19 16:50:08 +00:00
|
|
|
private
|
|
|
|
|
|
|
|
def validate_params(raw_params)
|
|
|
|
validated_params = check_resource_param_names(
|
|
|
|
raw_params: raw_params,
|
|
|
|
allowed_params: [:bucket_name],
|
|
|
|
allowed_scalar_name: :bucket_name,
|
2019-06-11 22:24:35 +00:00
|
|
|
allowed_scalar_type: String
|
2018-01-19 16:50:08 +00:00
|
|
|
)
|
2019-06-11 22:24:35 +00:00
|
|
|
if validated_params.empty? || !validated_params.key?(:bucket_name)
|
|
|
|
raise ArgumentError, "You must provide a bucket_name to aws_s3_bucket."
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
validated_params
|
|
|
|
end
|
|
|
|
|
2018-02-08 04:26:37 +00:00
|
|
|
def fetch_from_api
|
|
|
|
backend = BackendFactory.create(inspec_runner)
|
2018-01-19 16:50:08 +00:00
|
|
|
|
|
|
|
# Since there is no basic "get_bucket" API call, use the
|
|
|
|
# region fetch as the existence check.
|
|
|
|
begin
|
|
|
|
@region = backend.get_bucket_location(bucket: bucket_name).location_constraint
|
|
|
|
rescue Aws::S3::Errors::NoSuchBucket
|
|
|
|
@exists = false
|
|
|
|
return
|
|
|
|
end
|
|
|
|
@exists = true
|
|
|
|
end
|
|
|
|
|
|
|
|
def fetch_bucket_policy
|
2018-02-08 04:26:37 +00:00
|
|
|
backend = BackendFactory.create(inspec_runner)
|
2018-02-14 19:15:20 +00:00
|
|
|
catch_aws_errors do
|
|
|
|
begin
|
|
|
|
# AWS SDK returns a StringIO, we have to read()
|
|
|
|
raw_policy = backend.get_bucket_policy(bucket: bucket_name).policy
|
2019-06-11 22:24:35 +00:00
|
|
|
return JSON.parse(raw_policy.read)["Statement"].map do |statement|
|
2018-02-14 19:15:20 +00:00
|
|
|
lowercase_hash = {}
|
|
|
|
statement.each_key { |k| lowercase_hash[k.downcase] = statement[k] }
|
|
|
|
@bucket_policy = OpenStruct.new(lowercase_hash)
|
|
|
|
end
|
|
|
|
rescue Aws::S3::Errors::NoSuchBucketPolicy
|
|
|
|
@bucket_policy = []
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-05-03 13:55:29 +00:00
|
|
|
def fetch_bucket_encryption_configuration
|
|
|
|
@has_default_encryption_enabled ||= catch_aws_errors do
|
|
|
|
begin
|
|
|
|
!BackendFactory.create(inspec_runner)
|
|
|
|
.get_bucket_encryption(bucket: bucket_name)
|
|
|
|
.server_side_encryption_configuration
|
|
|
|
.nil?
|
|
|
|
rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-01-19 16:50:08 +00:00
|
|
|
# Uses the SDK API to really talk to AWS
|
|
|
|
class Backend
|
2018-02-08 04:26:37 +00:00
|
|
|
class AwsClientApi < AwsBackendBase
|
2018-01-19 16:50:08 +00:00
|
|
|
BackendFactory.set_default_backend(self)
|
2018-02-08 04:26:37 +00:00
|
|
|
self.aws_client_class = Aws::S3::Client
|
2018-01-19 16:50:08 +00:00
|
|
|
|
|
|
|
def get_bucket_acl(query)
|
2018-02-08 04:26:37 +00:00
|
|
|
aws_service_client.get_bucket_acl(query)
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_bucket_location(query)
|
2018-02-08 04:26:37 +00:00
|
|
|
aws_service_client.get_bucket_location(query)
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def get_bucket_policy(query)
|
2018-02-08 04:26:37 +00:00
|
|
|
aws_service_client.get_bucket_policy(query)
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
2018-02-01 16:50:38 +00:00
|
|
|
|
|
|
|
def get_bucket_logging(query)
|
2018-02-08 04:26:37 +00:00
|
|
|
aws_service_client.get_bucket_logging(query)
|
2018-02-01 16:50:38 +00:00
|
|
|
end
|
2018-05-03 13:55:29 +00:00
|
|
|
|
|
|
|
def get_bucket_encryption(query)
|
|
|
|
aws_service_client.get_bucket_encryption(query)
|
|
|
|
end
|
2018-01-19 16:50:08 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|