mirror of
https://github.com/inspec/inspec
synced 2024-12-30 06:53:22 +00:00
5ab68ecf03
Signed-off-by: Matthew Dromazos <dromazmj@dukes.jmu.edu> Signed-off-by: Aaron Lippold <lippold@gmail.com> Signed-off-by: Sam Cornwell <14048146+samcornwell@users.noreply.github.com> Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
113 lines
3.7 KiB
Ruby
113 lines
3.7 KiB
Ruby
fixtures = {}
|
|
[
|
|
's3_bucket_public_name',
|
|
's3_bucket_private_name',
|
|
's3_bucket_auth_name',
|
|
's3_bucket_private_acl_public_policy_name',
|
|
's3_bucket_public_region',
|
|
].each do |fixture_name|
|
|
fixtures[fixture_name] = attribute(
|
|
fixture_name,
|
|
default: "default.#{fixture_name}",
|
|
description: 'See ../build/s3.tf',
|
|
)
|
|
end
|
|
|
|
control 'aws_s3_bucket recall tests' do
|
|
#------------------- Exists -------------------#
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
|
|
it { should exist }
|
|
end
|
|
|
|
#------------------- Does Not Exist -------------------#
|
|
describe aws_s3_bucket(bucket_name: 'inspec-testing-NonExistentBucket.chef.io') do
|
|
it { should_not exist }
|
|
end
|
|
end
|
|
|
|
control 'aws_s3_bucket properties tests' do
|
|
#--------------------------- Region --------------------------#
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
|
|
its('region') { should eq fixtures['s3_bucket_public_region'] }
|
|
end
|
|
|
|
#------------------- bucket_acl -------------------#
|
|
describe "Bucket ACL: Public grants on a public bucket" do
|
|
subject do
|
|
aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_acl.select do |g|
|
|
g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
|
|
end
|
|
end
|
|
it { should_not be_empty }
|
|
end
|
|
|
|
describe "Bucket ACL: Public grants on a private bucket" do
|
|
subject do
|
|
aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |g|
|
|
g.grantee.type == 'Group' && g.grantee.uri =~ /AllUsers/
|
|
end
|
|
end
|
|
it { should be_empty }
|
|
end
|
|
|
|
describe "Bucket ACL: AuthUser grants on a private bucket" do
|
|
subject do
|
|
aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_acl.select do |g|
|
|
g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
|
|
end
|
|
end
|
|
it { should be_empty }
|
|
end
|
|
|
|
describe "Bucket ACL: AuthUser grants on an AuthUser bucket" do
|
|
subject do
|
|
aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_acl.select do |g|
|
|
g.grantee.type == 'Group' && g.grantee.uri =~ /AuthenticatedUsers/
|
|
end
|
|
end
|
|
it { should_not be_empty }
|
|
end
|
|
|
|
#------------------- bucket_policy -------------------#
|
|
describe "Bucket Policy: Allow GetObject Statement For Everyone on public" do
|
|
subject do
|
|
bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']).bucket_policy
|
|
allow_all = bucket_policy.select { |s| s.effect == 'Allow' && s.principal == '*' }
|
|
allow_all.count
|
|
end
|
|
it { should == 1 }
|
|
end
|
|
|
|
describe "Bucket Policy: Allow GetObject Statement For Everyone on private" do
|
|
subject do
|
|
bucket_policy = aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']).bucket_policy
|
|
allow_all = bucket_policy.select { |s| s.effect == 'Allow' && s.principal == '*' }
|
|
allow_all.count
|
|
end
|
|
it { should be_zero }
|
|
end
|
|
|
|
describe "Bucket Policy: Empty policy on auth" do
|
|
subject do
|
|
aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']).bucket_policy
|
|
end
|
|
it { should be_empty }
|
|
end
|
|
end
|
|
|
|
control 'aws_s3_bucket matchers test' do
|
|
|
|
#------------------------ be_public --------------------------#
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_public_name']) do
|
|
it { should be_public }
|
|
end
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_auth_name']) do
|
|
it { should be_public }
|
|
end
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_name']) do
|
|
it { should_not be_public }
|
|
end
|
|
describe aws_s3_bucket(bucket_name: fixtures['s3_bucket_private_acl_public_policy_name']) do
|
|
it { should be_public }
|
|
end
|
|
end
|