inspec/test/integration/default/verify/controls/aws_s3_bucket.rb
Rony Xavier 23b57ab591 Add have_access_logging_enabled matcher to aws_s3_bucket (#212)
Signed-off-by: Rony Xavier <rx294@nyu.edu>
2018-02-01 11:50:38 -05:00


# Resolve the names (and one region) of the fixture buckets that
# ../build/s3.tf creates. Each attribute falls back to "default.<name>"
# when no attribute file supplies a value, so a missing attribute shows up
# as an obviously bogus bucket name rather than a nil.
fixture_names = %w[
  s3_bucket_public_name
  s3_bucket_private_name
  s3_bucket_auth_name
  s3_bucket_private_acl_public_policy_name
  s3_bucket_public_region
  s3_bucket_access_logging_enabled_name
  s3_bucket_access_logging_not_enabled_name
]

# String-keyed lookup used by every control below.
fixtures = fixture_names.each_with_object({}) do |name, lookup|
  lookup[name] = attribute(
    name,
    default: "default.#{name}",
    description: 'See ../build/s3.tf',
  )
end
control 'aws_s3_bucket recall tests' do
  #------------------- Exists -------------------#
  # A fixture bucket created by ../build/s3.tf must be resolvable by name.
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
    it { should exist }
  end

  #------------------- Does Not Exist -------------------#
  # Uppercase characters are not valid in S3 bucket names, so this name
  # cannot collide with a real bucket. NOTE(review): this relies on the
  # resource reporting a lookup failure as "does not exist" -- confirm
  # against the aws_s3_bucket resource implementation.
  missing_bucket = 'inspec-testing-NonExistentBucket.chef.io'
  describe aws_s3_bucket(bucket_name: missing_bucket) do
    it { should_not exist }
  end
end
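control 'aws_s3_bucket properties tests' do
  #--------------------------- Region --------------------------#
  # The public fixture bucket is created in the region exported by s3.tf.
  describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
    its('region') { should eq fixtures['s3_bucket_public_region'] }
  end

  #------------------- bucket_acl -------------------#
  # Each subject below is the list of ACL grants made to a predefined
  # group whose URI matches the given pattern. The `type == 'Group'`
  # check comes first so `uri` is only read on group grantees.
  describe "Bucket ACL: Public grants on a public bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_acl.select do |grant|
        grant.grantee.type == 'Group' && grant.grantee.uri =~ /AllUsers/
      end
    end
    it { should_not be_empty }
  end

  describe "Bucket ACL: Public grants on a private bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |grant|
        grant.grantee.type == 'Group' && grant.grantee.uri =~ /AllUsers/
      end
    end
    it { should be_empty }
  end

  describe "Bucket ACL: AuthUser grants on a private bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |grant|
        grant.grantee.type == 'Group' && grant.grantee.uri =~ /AuthenticatedUsers/
      end
    end
    it { should be_empty }
  end

  describe "Bucket ACL: AuthUser grants on an AuthUser bucket" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_acl.select do |grant|
        grant.grantee.type == 'Group' && grant.grantee.uri =~ /AuthenticatedUsers/
      end
    end
    it { should_not be_empty }
  end

  #------------------- bucket_policy -------------------#
  # Count policy statements that Allow the wildcard principal. Only
  # `effect` and `principal` are inspected, so the description's
  # "GetObject" is not actually asserted -- the statement's action list
  # is not examined here. NOTE(review): this also assumes the resource
  # exposes a `{"AWS" => "*"}` principal as the plain string '*'; confirm
  # against the resource before relying on the private-bucket result.
  describe "Bucket Policy: Allow GetObject Statement For Everyone on public" do
    subject do
      bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_policy
      bucket_policy.count { |statement| statement.effect == 'Allow' && statement.principal == '*' }
    end
    # `eq` rather than the RSpec 3-deprecated `should ==` operator matcher.
    it { should eq 1 }
  end

  describe "Bucket Policy: Allow GetObject Statement For Everyone on private" do
    subject do
      bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_policy
      bucket_policy.count { |statement| statement.effect == 'Allow' && statement.principal == '*' }
    end
    it { should be_zero }
  end

  # The auth fixture bucket has no bucket policy at all; its access is
  # granted purely through the ACL checked above.
  describe "Bucket Policy: Empty policy on auth" do
    subject do
      aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_policy
    end
    it { should be_empty }
  end
end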
control 'aws_s3_bucket matchers test' do
  #------------------------ be_public --------------------------#
  # Expected `be_public` outcome per fixture, in the order the examples
  # are reported. A grant to the AuthenticatedUsers group is treated as
  # public (any AWS account, not just the bucket owner's, can authenticate),
  # and a private ACL combined with a public bucket policy is still public.
  {
    's3_bucket_public_name' => true,
    's3_bucket_auth_name' => true,
    's3_bucket_private_name' => false,
    's3_bucket_private_acl_public_policy_name' => true,
  }.each do |fixture_name, expected_public|
    describe aws_s3_bucket(bucket_name: fixtures[fixture_name]) do
      if expected_public
        it { should be_public }
      else
        it { should_not be_public }
      end
    end
  end

  #----------------- have_access_logging_enabled -----------------#
  # One fixture has server access logging configured, the other does not.
  {
    's3_bucket_access_logging_enabled_name' => true,
    's3_bucket_access_logging_not_enabled_name' => false,
  }.each do |fixture_name, expected_logging|
    describe aws_s3_bucket(bucket_name: fixtures[fixture_name]) do
      if expected_logging
        it { should have_access_logging_enabled }
      else
        it { should_not have_access_logging_enabled }
      end
    end
  end
end