mirror of
https://github.com/inspec/inspec
synced 2024-11-23 21:23:29 +00:00
6aaab8691c
Includes train aws:// targeting and some new resources Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
85 lines
2.1 KiB
Ruby
85 lines
2.1 KiB
Ruby
# author: Viktor Yakovlyev
|
|
class AwsIamPasswordPolicy < Inspec.resource(1)
|
|
name 'aws_iam_password_policy'
|
|
desc 'Verifies iam password policy'
|
|
|
|
example <<-EOX
|
|
describe aws_iam_password_policy do
|
|
its('requires_lowercase_characters?') { should be true }
|
|
end
|
|
|
|
describe aws_iam_password_policy do
|
|
its('requires_uppercase_characters?') { should be true }
|
|
end
|
|
EOX
|
|
supports platform: 'aws'
|
|
|
|
# TODO: rewrite to avoid direct injection, match other resources, use AwsSingularResourceMixin
|
|
def initialize(conn = nil)
|
|
iam_resource = conn ? conn.iam_resource : inspec_runner.backend.aws_resource(Aws::IAM::Resource, {})
|
|
@policy = iam_resource.account_password_policy
|
|
rescue Aws::IAM::Errors::NoSuchEntity
|
|
@policy = nil
|
|
end
|
|
|
|
def inspec_runner
|
|
# When running under inspec-cli, we have an 'inspec' method that
|
|
# returns the runner. When running under unit tests, we don't
|
|
# have that, but we still have to call this to pass something
|
|
# (nil is OK) to the backend.
|
|
# TODO: remove with https://github.com/chef/inspec-aws/issues/216
|
|
# TODO: remove after rewrite to include AwsSingularResource
|
|
inspec if respond_to?(:inspec)
|
|
end
|
|
|
|
def exists?
|
|
!@policy.nil?
|
|
end
|
|
|
|
def requires_lowercase_characters?
|
|
@policy.require_lowercase_characters
|
|
end
|
|
|
|
def requires_uppercase_characters?
|
|
@policy.require_uppercase_characters
|
|
end
|
|
|
|
def minimum_password_length
|
|
@policy.minimum_password_length
|
|
end
|
|
|
|
def requires_numbers?
|
|
@policy.require_numbers
|
|
end
|
|
|
|
def requires_symbols?
|
|
@policy.require_symbols
|
|
end
|
|
|
|
def allows_users_to_change_password?
|
|
@policy.allow_users_to_change_password
|
|
end
|
|
|
|
def expires_passwords?
|
|
@policy.expire_passwords
|
|
end
|
|
|
|
def max_password_age
|
|
raise 'this policy does not expire passwords' unless expires_passwords?
|
|
@policy.max_password_age
|
|
end
|
|
|
|
def prevents_password_reuse?
|
|
!@policy.password_reuse_prevention.nil?
|
|
end
|
|
|
|
def number_of_passwords_to_remember
|
|
raise 'this policy does not prevent password reuse' \
|
|
unless prevents_password_reuse?
|
|
@policy.password_reuse_prevention
|
|
end
|
|
|
|
def to_s
|
|
'IAM Password-Policy'
|
|
end
|
|
end
|