From 9d5abe26a3f5c362c413f6c556c3c64f9fdc411e Mon Sep 17 00:00:00 2001 From: Nirbhay Kumar Date: Sun, 12 Dec 2021 03:16:50 +0530 Subject: [PATCH 01/12] resources and tests Signed-off-by: Nirbhay Kumar --- docs/resources/aws_waf_byte_match_set.md | 0 docs/resources/aws_waf_byte_match_sets.md | 0 libraries/aws_waf_byte_match_set.rb | 40 ++++++++++++++++ libraries/aws_waf_byte_match_sets.rb | 39 ++++++++++++++++ .../verify/controls/aws_waf_byte_match_set.rb | 0 .../controls/aws_waf_byte_match_sets.rb | 0 .../resources/aws_waf_byte_match_set_test.rb | 46 +++++++++++++++++++ .../resources/aws_waf_byte_match_sets_test.rb | 36 +++++++++++++++ 8 files changed, 161 insertions(+) create mode 100644 docs/resources/aws_waf_byte_match_set.md create mode 100644 docs/resources/aws_waf_byte_match_sets.md create mode 100644 libraries/aws_waf_byte_match_set.rb create mode 100644 libraries/aws_waf_byte_match_sets.rb create mode 100644 test/integration/verify/controls/aws_waf_byte_match_set.rb create mode 100644 test/integration/verify/controls/aws_waf_byte_match_sets.rb create mode 100644 test/unit/resources/aws_waf_byte_match_set_test.rb create mode 100644 test/unit/resources/aws_waf_byte_match_sets_test.rb diff --git a/docs/resources/aws_waf_byte_match_set.md b/docs/resources/aws_waf_byte_match_set.md new file mode 100644 index 000000000..e69de29bb diff --git a/docs/resources/aws_waf_byte_match_sets.md b/docs/resources/aws_waf_byte_match_sets.md new file mode 100644 index 000000000..e69de29bb diff --git a/libraries/aws_waf_byte_match_set.rb b/libraries/aws_waf_byte_match_set.rb new file mode 100644 index 000000000..41f47dfd1 --- /dev/null +++ b/libraries/aws_waf_byte_match_set.rb 
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSWAFByteMatchSet < AwsResourceBase
+ name 'aws_waf_byte_match_set'
+ desc 'Describes one WAF byte set.'
+
+ example "
+ describe aws_waf_byte_match_set(byte_match_set_id: 'BucketName') do
+ it { should exits }
+ end
+ "
+
+ def initialize(opts = {})
+ opts = { byte_match_set_id: opts } if opts.is_a?(String)
+ super(opts)
+ validate_parameters(required: %i(byte_match_set_id))
+ raise ArgumentError, "#{@__resource_name__}: byte_match_set_id must be provided" unless opts[:byte_match_set_id] && !opts[:byte_match_set_id].empty?
+ @display_name = opts[:byte_match_set_id]
+ catch_aws_errors do
+ resp = @aws.waf_client.get_byte_match_set({ byte_match_set_id: opts[:byte_match_set_id] })
+ @resp = resp.byte_match_set.to_h
+ create_resource_methods(@resp)
+ end
+ end
+
+ def byte_match_set_id
+ return nil unless exists?
+ @resp[:byte_match_set_id]
+ end
+
+ def exists?
+ !@resp.nil? && !@resp.empty?
+ end
+
+ def to_s
+ "Resource ID: #{@display_name}"
+ end
+end
diff --git a/libraries/aws_waf_byte_match_sets.rb b/libraries/aws_waf_byte_match_sets.rb
new file mode 100644
index 000000000..071ede5f7
--- /dev/null
+++ b/libraries/aws_waf_byte_match_sets.rb
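Review bot: The `example` string in the new AWSWAFByteMatchSet class uses a matcher that does not exist, `it { should exits }`, so anyone copying the documented snippet gets an undefined-matcher failure instead of an existence check. Change it to `it { should exist }`. The patch 04 hunk later in this series re-touches the adjacent `describe` line of this example but keeps the typo, so the final file still needs the fix.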
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSWAFByteMatchSets < AwsResourceBase
+ name 'aws_waf_byte_match_sets'
+ desc 'Verifies settings for all the WAF rules.'
+
+ example "
+ describe aws_waf_byte_match_sets do
+ it { should exist }
+ end
+ "
+
+ attr_reader :table
+
+ def initialize(opts = {})
+ super(opts)
+ validate_parameters
+ @table = fetch_data
+ end
+
+ FilterTable.create
+ .register_column(:byte_match_set_ids, field: :byte_match_set_id)
+ .register_column(:names, field: :name)
+ .install_filter_methods_on_resource(self, :table)
+
+ def fetch_data
+ catch_aws_errors do
+ @resp = @aws.waf_client.list_byte_match_sets.map do |table|
+ table.map { |table_name| {
+ byte_match_set_id: table_name[:byte_match_set_id],
+ name: table_name[:name],
+ }
+ }
+ end.flatten
+ end
+ end
+end
diff --git a/test/integration/verify/controls/aws_waf_byte_match_set.rb b/test/integration/verify/controls/aws_waf_byte_match_set.rb
new file mode 100644
index 000000000..e69de29bb
diff --git a/test/integration/verify/controls/aws_waf_byte_match_sets.rb b/test/integration/verify/controls/aws_waf_byte_match_sets.rb
new file mode 100644
index 000000000..e69de29bb
diff --git a/test/unit/resources/aws_waf_byte_match_set_test.rb b/test/unit/resources/aws_waf_byte_match_set_test.rb
new file mode 100644
index 000000000..c8e7042b6
--- /dev/null
+++ b/test/unit/resources/aws_waf_byte_match_set_test.rb
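Review bot: The `desc` on the new AWSWAFByteMatchSets class reads `'Verifies settings for all the WAF rules.'`, which describes a different resource, and this string is what InSpec surfaces as the resource description. Replace it with `desc 'Verifies settings for all the WAF byte match sets.'` so it matches the `name` and `example` directly above it.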
@@ -0,0 +1,46 @@
+require 'helper'
+require 'aws_waf_byte_match_set'
+require 'aws-sdk-core'
+
+class AWSWAFByteMatchSetConstructorTest < Minitest::Test
+
+ def test_empty_params_not_ok
+ assert_raises(ArgumentError) { AWSWAFByteMatchSet.new(client_args: { stub_responses: true }) }
+ end
+
+ def test_empty_param_arg_not_ok
+ assert_raises(ArgumentError) { AWSWAFByteMatchSet.new('', client_args: { stub_responses: true }) }
+ end
+
+ def test_rejects_unrecognized_params
+ assert_raises(ArgumentError) { AWSWAFByteMatchSet.new(unexpected: 9) }
+ end
+end
+
+class AWSWAFByteMatchSetHappyPathTest < Minitest::Test
+
+ def setup
+ data = {}
+ data[:method] = :get_rule
+ mock_data = {}
+ mock_data[:byte_match_set_id] = 'test1'
+ mock_data[:name] = 'test1'
+ mock_data[:metric_name] = 'test1'
+ mock_data[:byte_match_tuples] = [{ target_string: "test1", field_to_match: { type: 'test1', data: 'test1'}, text_transformation: 'test1', positional_constraint: 'test1' }]
+ data[:data] = { byte_match_set: mock_data }
+ data[:client] = Aws::WAF::Client
+ @resp = AWSWAFByteMatchSet.new(byte_match_set_id: 'test1', client_args: { stub_responses: true }, stub_data: [data])
+ end
+
+ def test_rule_exists
+ assert @resp.exist?
+ end
+
+ def byte_match_set_id
+ assert_equal(@resp.byte_match_set_id, 'test1')
+ end
+
+ def test_byte_match_set_name
+ assert_equal(@resp.name, 'test1')
+ end
+end
\ No newline at end of file
diff --git a/test/unit/resources/aws_waf_byte_match_sets_test.rb b/test/unit/resources/aws_waf_byte_match_sets_test.rb
new file mode 100644
index 000000000..4d69dc916
--- /dev/null
+++ b/test/unit/resources/aws_waf_byte_match_sets_test.rb
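Review bot: In AWSWAFByteMatchSetHappyPathTest the method `def byte_match_set_id` lacks the `test_` prefix, so Minitest never runs it and the `byte_match_set_id` property ends up with no unit coverage even though an assertion was written for it. Rename it to `def test_byte_match_set_id`. None of the later hunks in this series that touch this file rename it, so the dead test survives to the final state.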
@@ -0,0 +1,36 @@
+require 'helper'
+require 'aws_waf_byte_match_sets'
+require 'aws-sdk-core'
+
+class AWSWAFByteMatchSetsConstructorTest < Minitest::Test
+
+ def test_empty_params_ok
+ AWSWAFByteMatchSets.new(client_args: { stub_responses: true })
+ end
+
+ def test_rejects_other_args
+ assert_raises(ArgumentError) { AWSWAFByteMatchSets.new(test: 'rubbish') }
+ end
+end
+
+class AWSWAFByteMatchSetsHappyPathTest < Minitest::Test
+
+ def setup
+ data = {}
+ data[:method] = :list_rules
+ mock_data = {}
+ mock_data[:byte_match_set_id] = 'byte_match_set_ids'
+ mock_data[:name] = 'name'
+ data[:data] = mock_data
+ data[:client] = Aws::WAF::Client
+ @resp = AWSWAFByteMatchSets.new(client_args: { stub_responses: true }, stub_data: [data])
+ end
+
+ def test_rule_exists
+ assert @resp.exist?
+ end
+
+ def test_rule_ids
+ assert_equal(@resp.byte_match_set_ids, ['byte_match_set_ids'])
+ end
+end
\ No newline at end of file
From 251a77c7dd51515c704a0503de13a47f989a3ff8 Mon Sep 17 00:00:00 2001
From: Nirbhay Kumar
Date: Sun, 12 Dec 2021 11:40:19 +0530
Subject: [PATCH 02/12] test-fix
Signed-off-by: Nirbhay Kumar
---
 libraries/aws_waf_byte_match_sets.rb | 8 ++++----
 test/unit/resources/aws_waf_byte_match_set_test.rb | 3 +--
 test/unit/resources/aws_waf_byte_match_sets_test.rb | 7 +++----
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/libraries/aws_waf_byte_match_sets.rb b/libraries/aws_waf_byte_match_sets.rb
index 071ede5f7..11060bab8 100644
--- a/libraries/aws_waf_byte_match_sets.rb
+++ b/libraries/aws_waf_byte_match_sets.rb
@@ -21,16 +21,16 @@ def initialize(opts = {})
 end
 
 FilterTable.create
- .register_column(:byte_match_set_ids, field: :byte_match_set_id)
- .register_column(:names, field: :name)
+ .register_column(:byte_match_set_ids, field: :byte_match_set_id, style: :simple)
+ .register_column(:names, field: :name, style: :simple)
 .install_filter_methods_on_resource(self, :table)
 
 def fetch_data
 catch_aws_errors do
 @resp = @aws.waf_client.list_byte_match_sets.map do |table|
 table.map { |table_name| {
- byte_match_set_id: table_name[:byte_match_set_id],
- name: table_name[:name],
+ byte_match_set_id: table_name.byte_match_sets.map(&:byte_match_set_id),
+ name: table_name.byte_match_sets.map(&:name),
 }
 }
 end.flatten
diff --git a/test/unit/resources/aws_waf_byte_match_set_test.rb b/test/unit/resources/aws_waf_byte_match_set_test.rb
index c8e7042b6..26a527a85 100644
--- a/test/unit/resources/aws_waf_byte_match_set_test.rb
+++ b/test/unit/resources/aws_waf_byte_match_set_test.rb
@@ -21,11 +21,10 @@ class AWSWAFByteMatchSetHappyPathTest < Minitest::Test
 
 def setup
 data = {}
- data[:method] = :get_rule
+ data[:method] = :get_byte_match_set
 mock_data = {}
 mock_data[:byte_match_set_id] = 'test1'
 mock_data[:name] = 'test1'
- mock_data[:metric_name] = 'test1'
 mock_data[:byte_match_tuples] = [{ target_string: "test1", field_to_match: { type: 'test1', data: 'test1'}, text_transformation: 'test1', positional_constraint: 'test1' }]
 data[:data] = { byte_match_set: mock_data }
 data[:client] = Aws::WAF::Client
diff --git a/test/unit/resources/aws_waf_byte_match_sets_test.rb b/test/unit/resources/aws_waf_byte_match_sets_test.rb
index 4d69dc916..fb4d4619a 100644
--- a/test/unit/resources/aws_waf_byte_match_sets_test.rb
+++ b/test/unit/resources/aws_waf_byte_match_sets_test.rb
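Review bot: After this change each row of `@table` holds two arrays rather than one byte match set: `byte_match_set_id: table_name.byte_match_sets.map(&:byte_match_set_id)` collapses a whole response page into a single row, so FilterTable `where(byte_match_set_id: ...)` and `where(name: ...)` filters can never match a single set and ids are no longer paired with their names; the added `style: :simple` only hides this for the flat `byte_match_set_ids`/`names` columns. Build one hash per set instead, keeping the outer enumeration over the response and dropping the `flatten`. If the SDK does not paginate `list_byte_match_sets` the outer enumeration behaves as it does today, so this is a row-shape fix only. The `def fetch_data` and `catch_aws_errors do` lines are in the hunk's context but the method's closing `end`s are outside it.
```ruby
 def fetch_data
   catch_aws_errors do
     @resp = @aws.waf_client.list_byte_match_sets.flat_map do |page|
       page.byte_match_sets.map do |bms|
         { byte_match_set_id: bms.byte_match_set_id, name: bms.name }
       end
     end
   end
 end
```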
@@ -17,10 +17,9 @@ class AWSWAFByteMatchSetsHappyPathTest < Minitest::Test
 
 def setup
 data = {}
- data[:method] = :list_rules
+ data[:method] = :list_byte_match_sets
 mock_data = {}
- mock_data[:byte_match_set_id] = 'byte_match_set_ids'
- mock_data[:name] = 'name'
+ mock_data[:byte_match_sets] = [{ byte_match_set_id: 'byte_match_set_id', name: 'name' }]
 data[:data] = mock_data
 data[:client] = Aws::WAF::Client
 @resp = AWSWAFByteMatchSets.new(client_args: { stub_responses: true }, stub_data: [data])
@@ -31,6 +30,6 @@ def test_rule_exists
 end
 
 def test_rule_ids
- assert_equal(@resp.byte_match_set_ids, ['byte_match_set_ids'])
+ assert_equal(@resp.byte_match_set_ids, ['byte_match_set_id'])
 end
 end
\ No newline at end of file
From fc7af108fb77a32e59f005e801483b5fc33af190 Mon Sep 17 00:00:00 2001
From: Nirbhay Kumar
Date: Mon, 13 Dec 2021 08:53:40 +0530
Subject: [PATCH 03/12] integration test
Signed-off-by: Nirbhay Kumar
---
 .../verify/controls/aws_waf_byte_match_set.rb | 12 ++++++++++++
 .../verify/controls/aws_waf_byte_match_sets.rb | 13 +++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/test/integration/verify/controls/aws_waf_byte_match_set.rb b/test/integration/verify/controls/aws_waf_byte_match_set.rb
index e69de29bb..2951cd222 100644
--- a/test/integration/verify/controls/aws_waf_byte_match_set.rb
+++ b/test/integration/verify/controls/aws_waf_byte_match_set.rb
@@ -0,0 +1,12 @@
+aws_waf_byte_match_set_name = attribute(:aws_waf_byte_match_set_name, value: '')
+byte_match_set_ids = attribute(:byte_match_set_ids, value: '')
+
+control 'aws_waf_byte_match_set-1.0' do
+ impact 1.0
+ title 'Test the properties of a WAF BYte Match Set.'
+ describe aws_waf_byte_match_set(byte_match_set_id: byte_match_set_ids) do
+ it { should exist }
+ its('name') { should eq aws_waf_byte_match_set_name }
+ its('byte_match_set_id') { should eq byte_match_set_ids }
+ end
+end
diff --git a/test/integration/verify/controls/aws_waf_byte_match_sets.rb b/test/integration/verify/controls/aws_waf_byte_match_sets.rb index e69de29bb..a7bdee5a5 100644 --- a/test/integration/verify/controls/aws_waf_byte_match_sets.rb +++ b/test/integration/verify/controls/aws_waf_byte_match_sets.rb @@ -0,0 +1,13 @@ +aws_waf_byte_match_set_name = attribute(:aws_waf_byte_match_set_name, value: '') +byte_match_set_ids = attribute(:byte_match_set_ids, value: '') + +control 'aws_waf_byte_match_sets-1.0' do + impact 1.0 + title 'Test the properties of all the WAF Byte Match Sets.' + describe aws_waf_byte_match_sets do + it { should exist } + its('names') { should include aws_waf_byte_match_set_name } + its('byte_match_set_ids') { should include byte_match_set_ids } + end +end + From 279c843ee32731f8e14cbda007f73b10805fface Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Mon, 13 Dec 2021 09:59:24 +0530 Subject: [PATCH 04/12] Update libraries/aws_waf_byte_match_set.rb --- libraries/aws_waf_byte_match_set.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/aws_waf_byte_match_set.rb b/libraries/aws_waf_byte_match_set.rb index 41f47dfd1..a815d8fd9 100644 --- a/libraries/aws_waf_byte_match_set.rb +++ b/libraries/aws_waf_byte_match_set.rb @@ -7,7 +7,7 @@ class AWSWAFByteMatchSet < AwsResourceBase desc 'Describes one WAF byte set.' example " - describe aws_waf_byte_match_set(byte_match_set_id: 'BucketName') do + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do it { should exits } end " From 1d11d309edee124c03a344768b8c44587f0457c0 Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Mon, 13 Dec 2021 09:59:31 +0530 Subject: [PATCH 05/12] Update libraries/aws_waf_byte_match_set.rb --- libraries/aws_waf_byte_match_set.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libraries/aws_waf_byte_match_set.rb b/libraries/aws_waf_byte_match_set.rb index a815d8fd9..6c851ea87 100644 --- a/libraries/aws_waf_byte_match_set.rb +++ b/libraries/aws_waf_byte_match_set.rb @@ -35,6 +35,6 @@ def exists? end def to_s - "Resource ID: #{@display_name}" + "Byte Match Set ID: #{@display_name}" end end From 5e406d5b0de6027fd35c2f59bb66ee2bc39e703b Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Mon, 13 Dec 2021 09:59:38 +0530 Subject: [PATCH 06/12] Update test/unit/resources/aws_waf_byte_match_set_test.rb --- test/unit/resources/aws_waf_byte_match_set_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/aws_waf_byte_match_set_test.rb b/test/unit/resources/aws_waf_byte_match_set_test.rb index 26a527a85..50b71a6ac 100644 --- a/test/unit/resources/aws_waf_byte_match_set_test.rb +++ b/test/unit/resources/aws_waf_byte_match_set_test.rb @@ -31,7 +31,7 @@ def setup @resp = AWSWAFByteMatchSet.new(byte_match_set_id: 'test1', client_args: { stub_responses: true }, stub_data: [data]) end - def test_rule_exists + def test_byte_match_set_exists assert @resp.exist? end From ec8501a855af78f4cfa152953644cfd83d8bfddf Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Mon, 13 Dec 2021 09:59:44 +0530 Subject: [PATCH 07/12] Update test/unit/resources/aws_waf_byte_match_sets_test.rb --- test/unit/resources/aws_waf_byte_match_sets_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/aws_waf_byte_match_sets_test.rb b/test/unit/resources/aws_waf_byte_match_sets_test.rb index fb4d4619a..6a00905a7 100644 --- a/test/unit/resources/aws_waf_byte_match_sets_test.rb +++ b/test/unit/resources/aws_waf_byte_match_sets_test.rb 
@@ -9,7 +9,7 @@ def test_empty_params_ok end def test_rejects_other_args - assert_raises(ArgumentError) { AWSWAFByteMatchSets.new(test: 'rubbish') } + assert_raises(ArgumentError) { AWSWAFByteMatchSets.new(test: 'dummy') } end end From 7c8a35a38f55a8ea2de304ddc6b42b219e0e16ca Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com> Date: Mon, 13 Dec 2021 09:59:50 +0530 Subject: [PATCH 08/12] Update test/unit/resources/aws_waf_byte_match_sets_test.rb --- test/unit/resources/aws_waf_byte_match_sets_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/unit/resources/aws_waf_byte_match_sets_test.rb b/test/unit/resources/aws_waf_byte_match_sets_test.rb index 6a00905a7..85815fac3 100644 --- a/test/unit/resources/aws_waf_byte_match_sets_test.rb +++ b/test/unit/resources/aws_waf_byte_match_sets_test.rb @@ -25,7 +25,7 @@ def setup @resp = AWSWAFByteMatchSets.new(client_args: { stub_responses: true }, stub_data: [data]) end - def test_rule_exists + def test_byte_match_set_exists assert @resp.exist? end From ed276588eeb417b7fa1ec06f4b741c464c559eab Mon Sep 17 00:00:00 2001 From: Soumyodeep Karmakar Date: Tue, 14 Dec 2021 13:56:06 +0530 Subject: [PATCH 09/12] added docs and updated the singular resource Signed-off-by: Soumyodeep Karmakar --- docs/resources/aws_waf_byte_match_set.md | 90 +++++++++++++++++++++++ docs/resources/aws_waf_byte_match_sets.md | 67 +++++++++++++++++ libraries/aws_waf_byte_match_set.rb | 24 ++++++ 3 files changed, 181 insertions(+) diff --git a/docs/resources/aws_waf_byte_match_set.md b/docs/resources/aws_waf_byte_match_set.md index e69de29bb..9e4e9d369 100644 --- a/docs/resources/aws_waf_byte_match_set.md +++ b/docs/resources/aws_waf_byte_match_set.md 
@@ -0,0 +1,90 @@ +--- +title: About the aws_waf_byte_match_set resource +platform: aws +--- + +# aws_waf_byte_match_set + +Use the `aws_waf_byte_match_set` InSpec audit resource to test the properties of the singular resource of AWS WAF ByteMatchSet. + +## Syntax + +Ensure that byte match set exists. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + it { should exist } + end + +## Parameters + +`aws_waf_byte_match_set` _(required)_ + +The unique identifier for the ByteMatchSet. + +For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html). + +## Properties + +| Property | Description | Fields | +| --- | --- | --- | +| byte_match_set_id | The unique identifier for the ByteMatchSet. | byte_match_set_id | +| name | The name of the ByteMatchSet. | name | +| byte_match_tuples | Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. | byte_match_tuples | +| byte_match_tuples_field_to_matches | The part of a web request that you want AWS WAF to search, such as a specified header or a query string. | byte_match_tuples (field_to_match) | +| byte_match_tuples_field_to_match_types | The part of the web request that you want AWS WAF to search for a specified string. | byte_match_tuples (field_to_match (type)) | +| byte_match_tuples_field_to_match_data | When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. | byte_match_tuples (field_to_match ((data)) | +| byte_match_tuples_target_strings | The value that you want AWS WAF to search for. 
| byte_match_tuples (target_string) | +| byte_match_tuples_text_transformations | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. | byte_match_tuples (text_transformation) | +| byte_match_tuples_positional_constraints | Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want AWS WAF to search. | byte_match_tuples (positional_constraint) | + +## Examples + +### Ensure a byte match set is available. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + its('byte_match_set_id') { should eq 'BYTE_MATCH_SET_ID' } + end + +### Ensure a byte match set name is available.. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + its('name') { should eq 'BYTE_MATCH_SET_NAME' } + end + +### Ensure a byte match set type is `REGULAR`. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + its('byte_match_tuples_positional_constraints') { should include 'REGULAR' } + end + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `get` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + it { should exist } + end + +Use `should_not` to test the entity does not exist. + + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + it { should_not exist } + end + +### be_available + +Use `should` to check if the entity is available. 
+ + describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do + it { should be_available } + end + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:GetByteMatchSetResponse` action with `Effect` set to `Allow`. \ No newline at end of file diff --git a/docs/resources/aws_waf_byte_match_sets.md b/docs/resources/aws_waf_byte_match_sets.md index e69de29bb..d9b731903 100644 --- a/docs/resources/aws_waf_byte_match_sets.md +++ b/docs/resources/aws_waf_byte_match_sets.md 
@@ -0,0 +1,67 @@ +--- +title: About the aws_waf_byte_match_sets resource +platform: aws +--- + +# aws_waf_byte_match_sets + +Use the `aws_waf_byte_match_sets` InSpec audit resource to test the properties of the plural resource of AWS WAF ByteMatchSet. + +## Syntax + +### Ensure that byte match set exists. + + describe aws_waf_byte_match_sets do + it { should exist } + end + +## Parameters + +This resource does not expect any parameters. + +For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html). + +## Properties + +| Property | Description | Fields | +| --- | --- | --- | +| byte_match_set_ids | The unique identifier for the ByteMatchSet. | byte_match_set_id | +| names | The name of the ByteMatchSet. | name | + +## Examples + +### Ensure a byte match set is available. + + describe aws_waf_byte_match_sets do + its('byte_match_set_ids') { should include 'BYTE_MATCH_SET_ID' } + end + +### Ensure a byte match set name is available.. + + describe aws_waf_byte_match_sets do + its('names') { should include 'BYTE_MATCH_SET_NAME' } + end + +## Matchers + +This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/). + +The controls will pass if the `list` method returns at least one result. + +### exist + +Use `should` to test that the entity exists. + + describe aws_waf_byte_match_sets do + it { should exist } + end + +Use `should_not` to test the entity does not exist. + + describe aws_waf_byte_match_sets do + it { should_not exist } + end + +## AWS Permissions + +Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:ListByteMatchSetsResponse` action with `Effect` set to `Allow`. \ No newline at end of file 
diff --git a/libraries/aws_waf_byte_match_set.rb b/libraries/aws_waf_byte_match_set.rb
index 6c851ea87..dc44ab167 100644
--- a/libraries/aws_waf_byte_match_set.rb
+++ b/libraries/aws_waf_byte_match_set.rb
@@ -37,4 +37,28 @@ def exists?
 def to_s
 "Byte Match Set ID: #{@display_name}"
 end
+
+ def byte_match_tuples_field_to_matches
+ byte_match_tuples.map(&:field_to_match)
+ end
+
+ def byte_match_tuples_field_to_match_types
+ (byte_match_tuples.map(&:field_to_match)).map(&:type)
+ end
+
+ def byte_match_tuples_field_to_match_data
+ (byte_match_tuples.map(&:field_to_match)).map(&:data)
+ end
+
+ def byte_match_tuples_target_strings
+ byte_match_tuples.map(&:target_string)
+ end
+
+ def byte_match_tuples_text_transformations
+ byte_match_tuples.map(&:text_transformation)
+ end
+
+ def byte_match_tuples_positional_constraints
+ byte_match_tuples.map(&:positional_constraint)
+ end
 end
From 00378115af12400a637083823e4beb868aa83dcd Mon Sep 17 00:00:00 2001
From: Soumyodeep Karmakar
Date: Tue, 14 Dec 2021 14:50:04 +0530
Subject: [PATCH 10/12] added the integration tests
Signed-off-by: Soumyodeep Karmakar
---
 .../verify/controls/aws_waf_byte_match_set.rb | 24 ++++++++++++++-----
 .../controls/aws_waf_byte_match_sets.rb | 15 ++++++++----
 2 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/test/integration/verify/controls/aws_waf_byte_match_set.rb b/test/integration/verify/controls/aws_waf_byte_match_set.rb
index 2951cd222..2ef7aabfd 100644
--- a/test/integration/verify/controls/aws_waf_byte_match_set.rb
+++ b/test/integration/verify/controls/aws_waf_byte_match_set.rb
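Review bot: The six new tuple helpers call `byte_match_tuples`, a method that only exists once `create_resource_methods(@resp)` has run in `initialize`; when the API returned nothing (`exists?` is false) they raise NoMethodError instead of answering the way `byte_match_set_id` does with its `return nil unless exists?` guard. Guard them the same way, returning an empty collection so `should include` and `should_not be_empty` fail cleanly, and let the `_types`/`_data` helpers reuse `byte_match_tuples_field_to_matches` rather than repeating the `map(&:field_to_match)`. Whether the elements of `byte_match_tuples` respond to `field_to_match` (a plain hash from `to_h` would not) depends on what `create_resource_methods` builds, so this is worth confirming against the unit stub. The three remaining helpers take the same guard and are otherwise unchanged.
```ruby
 def byte_match_tuples_field_to_matches
   return [] unless exists?
   byte_match_tuples.map(&:field_to_match)
 end

 def byte_match_tuples_field_to_match_types
   byte_match_tuples_field_to_matches.map(&:type)
 end

 def byte_match_tuples_field_to_match_data
   byte_match_tuples_field_to_matches.map(&:data)
 end

 # … unchanged shape: target_strings / text_transformations / positional_constraints, each prefixed with `return [] unless exists?` …
```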
@@ -1,12 +1,24 @@
-aws_waf_byte_match_set_name = attribute(:aws_waf_byte_match_set_name, value: '')
-byte_match_set_ids = attribute(:byte_match_set_ids, value: '')
+aws_waf_byte_match_set_id = attribute(aws_waf_byte_match_set_id, value: '', description: '')
+aws_waf_byte_match_set_name = attribute(aws_waf_byte_match_set_name, value: '', description: '')
 
-control 'aws_waf_byte_match_set-1.0' do
+title 'Ensure the byte match set have the correct properties.'
+
+control 'aws-waf-byte-match-set-1.0' do
 impact 1.0
- title 'Test the properties of a WAF BYte Match Set.'
- describe aws_waf_byte_match_set(byte_match_set_id: byte_match_set_ids) do
+
+ describe aws_waf_byte_match_set(byte_match_set_id: aws_waf_byte_match_set_id) do
 it { should exist }
+ end
+
+ describe aws_waf_byte_match_set(byte_match_set_id: aws_waf_byte_match_set_id) do
+ its('byte_match_set_id') { should eq aws_waf_byte_match_set_id }
 its('name') { should eq aws_waf_byte_match_set_name }
- its('byte_match_set_id') { should eq byte_match_set_ids }
+
+ its('byte_match_tuples_field_to_matches') { should_not be_empty }
+ its('byte_match_tuples_field_to_match_types') { should include 'HEADER' }
+ its('byte_match_tuples_field_to_match_data') { should include 'referer' }
+ its('byte_match_tuples_target_strings') { should include 'badrefer1' }
+ its('byte_match_tuples_text_transformations') { should include 'NONE' }
+ its('byte_match_tuples_positional_constraints') { should include 'CONTAINS' }
 end
 end
diff --git a/test/integration/verify/controls/aws_waf_byte_match_sets.rb b/test/integration/verify/controls/aws_waf_byte_match_sets.rb
index a7bdee5a5..9672fcced 100644
--- a/test/integration/verify/controls/aws_waf_byte_match_sets.rb
+++ b/test/integration/verify/controls/aws_waf_byte_match_sets.rb
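Review bot: Both rewritten attribute declarations drop the symbol: `attribute(aws_waf_byte_match_set_id, value: '', description: '')` passes the not-yet-assigned local (Ruby already treats the assignment target as a local, so it evaluates to nil), leaving the attribute without a usable name, so the value from the attributes file is never picked up and the control runs `aws_waf_byte_match_set(byte_match_set_id: '')`, which the resource rejects with ArgumentError. Restore the symbols, `aws_waf_byte_match_set_id = attribute(:aws_waf_byte_match_set_id, value: '', description: '')` and likewise `attribute(:aws_waf_byte_match_set_name, ...)`. The aws_waf_byte_match_sets.rb hunk in this same patch has the identical defect on its two attribute lines.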
@@ -1,13 +1,18 @@
-aws_waf_byte_match_set_name = attribute(:aws_waf_byte_match_set_name, value: '')
-byte_match_set_ids = attribute(:byte_match_set_ids, value: '')
+aws_waf_byte_match_set_id = attribute(aws_waf_byte_match_set_id, value: '', description: '')
+aws_waf_byte_match_set_name = attribute(aws_waf_byte_match_set_name, value: '', description: '')
 
-control 'aws_waf_byte_match_sets-1.0' do
+title 'Ensure the byte match sets have the correct properties.'
+
+control 'aws-waf-byte-match-sets-1.0' do
 impact 1.0
- title 'Test the properties of all the WAF Byte Match Sets.'
+
 describe aws_waf_byte_match_sets do
 it { should exist }
+ end
+
+ describe aws_waf_byte_match_sets do
+ its('byte_match_set_ids') { should include aws_waf_byte_match_set_id }
 its('names') { should include aws_waf_byte_match_set_name }
- its('byte_match_set_ids') { should include byte_match_set_ids }
 end
 end
 
From b4e3fa5bccffb81d303222e66a1d917914c07a10 Mon Sep 17 00:00:00 2001
From: Soumyodeep Karmakar <63713087+soumyo13@users.noreply.github.com>
Date: Tue, 14 Dec 2021 15:36:28 +0530
Subject: [PATCH 11/12] Update test/unit/resources/aws_waf_byte_match_sets_test.rb
---
 test/unit/resources/aws_waf_byte_match_sets_test.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/unit/resources/aws_waf_byte_match_sets_test.rb b/test/unit/resources/aws_waf_byte_match_sets_test.rb
index 85815fac3..edbe127a3 100644
--- a/test/unit/resources/aws_waf_byte_match_sets_test.rb
+++ b/test/unit/resources/aws_waf_byte_match_sets_test.rb
@@ -29,7 +29,7 @@ def test_byte_match_set_exists
 assert @resp.exist?
 end
 
- def test_rule_ids
+ def test_byte_match_set_ids
 assert_equal(@resp.byte_match_set_ids, ['byte_match_set_id'])
 end
 end
\ No newline at end of file
From 753183a24ce601473e479b1cf65fdd920a926d09 Mon Sep 17 00:00:00 2001
From: Ian Maddaus
Date: Wed, 15 Dec 2021 19:09:07 -0500
Subject: [PATCH 12/12] Docs edits
Signed-off-by: Ian Maddaus --- docs/resources/aws_waf_byte_match_set.md | 36 +++++++++++------------ docs/resources/aws_waf_byte_match_sets.md | 12 ++++---- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/docs/resources/aws_waf_byte_match_set.md b/docs/resources/aws_waf_byte_match_set.md index 9e4e9d369..51d22eef4 100644 --- a/docs/resources/aws_waf_byte_match_set.md +++ b/docs/resources/aws_waf_byte_match_set.md @@ -5,11 +5,11 @@ platform: aws # aws_waf_byte_match_set -Use the `aws_waf_byte_match_set` InSpec audit resource to test the properties of the singular resource of AWS WAF ByteMatchSet. +Use the `aws_waf_byte_match_set` Chef InSpec audit resource to test the properties of a single AWS (Web Application Firewall) WAF byte match set. ## Syntax -Ensure that byte match set exists. +Ensure that a byte match set exists. describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do it { should exist } 
@@ -19,23 +19,23 @@ Ensure that byte match set exists. `aws_waf_byte_match_set` _(required)_ -The unique identifier for the ByteMatchSet. +The unique identifier for the byte match set. -For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html). +For additional information, see the [AWS documentation on the `AWS::WAF::ByteMatchSet` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html). ## Properties -| Property | Description | Fields | -| --- | --- | --- | -| byte_match_set_id | The unique identifier for the ByteMatchSet. | byte_match_set_id | -| name | The name of the ByteMatchSet. | name | -| byte_match_tuples | Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. | byte_match_tuples | -| byte_match_tuples_field_to_matches | The part of a web request that you want AWS WAF to search, such as a specified header or a query string. | byte_match_tuples (field_to_match) | -| byte_match_tuples_field_to_match_types | The part of the web request that you want AWS WAF to search for a specified string. | byte_match_tuples (field_to_match (type)) | -| byte_match_tuples_field_to_match_data | When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. | byte_match_tuples (field_to_match ((data)) | -| byte_match_tuples_target_strings | The value that you want AWS WAF to search for. | byte_match_tuples (target_string) | -| byte_match_tuples_text_transformations | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. 
| byte_match_tuples (text_transformation) | -| byte_match_tuples_positional_constraints | Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want AWS WAF to search. | byte_match_tuples (positional_constraint) | +| Property | Description | +| --- | --- | +| byte_match_set_id | The unique identifier for the byte match set. | +| name | The name of the byte match set. | +| byte_match_tuples | Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. | +| byte_match_tuples_field_to_matches | The part of a web request that you want AWS WAF to search, such as a specified header or a query string. | +| byte_match_tuples_field_to_match_types | The part of the web request that you want AWS WAF to search for a specified string. | +| byte_match_tuples_field_to_match_data | When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. | +| byte_match_tuples_target_strings | The value that you want AWS WAF to search for. | +| byte_match_tuples_text_transformations | Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. | +| byte_match_tuples_positional_constraints | Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want AWS WAF to search. | ## Examples @@ -45,7 +45,7 @@ For additional information, see the [AWS documentation on AWS WAF ByteMatchSet]( its('byte_match_set_id') { should eq 'BYTE_MATCH_SET_ID' } end -### Ensure a byte match set name is available.. +### Ensure a byte match set name is available. describe aws_waf_byte_match_set(byte_match_set_id: 'BYTE_MATCH_SET_ID') do its('name') { should eq 'BYTE_MATCH_SET_NAME' } 
@@ -59,7 +59,7 @@ For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](
 ## Matchers
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
 The controls will pass if the `get` method returns at least one result.
@@ -87,4 +87,4 @@ Use `should` to check if the entity is available.
 ## AWS Permissions
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:GetByteMatchSetResponse` action with `Effect` set to `Allow`.
\ No newline at end of file
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:GetByteMatchSetResponse` action with `Effect` set to `Allow`.
diff --git a/docs/resources/aws_waf_byte_match_sets.md b/docs/resources/aws_waf_byte_match_sets.md
index d9b731903..07af28daf 100644
--- a/docs/resources/aws_waf_byte_match_sets.md
+++ b/docs/resources/aws_waf_byte_match_sets.md
@@ -5,11 +5,11 @@ platform: aws
 # aws_waf_byte_match_sets
-Use the `aws_waf_byte_match_sets` InSpec audit resource to test the properties of the plural resource of AWS WAF ByteMatchSet.
+Use the `aws_waf_byte_match_sets` Chef InSpec audit resource to test the properties of multiple AWS (Web Application Firewall) WAF byte match sets.
 ## Syntax
-### Ensure that byte match set exists.
+### Ensure that a byte match set exists.
 describe aws_waf_byte_match_sets do
 it { should exist }
@@ -19,7 +19,7 @@ Use the `aws_waf_byte_match_sets` InSpec audit resource to test the properties o
 This resource does not expect any parameters.
-For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html).
+For additional information, see the [AWS documentation on the `AWS::WAF::ByteMatchSet` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-bytematchset.html).
 ## Properties
@@ -36,7 +36,7 @@ For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](
 its('byte_match_set_ids') { should include 'BYTE_MATCH_SET_ID' }
 end
-### Ensure a byte match set name is available..
+### Ensure a byte match set name is available.
 describe aws_waf_byte_match_sets do
 its('names') { should include 'BYTE_MATCH_SET_NAME' }
@@ -44,7 +44,7 @@ For additional information, see the [AWS documentation on AWS WAF ByteMatchSet](
 ## Matchers
-This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+This Chef InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
 The controls will pass if the `list` method returns at least one result.
@@ -64,4 +64,4 @@ Use `should_not` to test the entity does not exist.
 ## AWS Permissions
-Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:ListByteMatchSetsResponse` action with `Effect` set to `Allow`.
\ No newline at end of file
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `WAF:Client:ListByteMatchSetsResponse` action with `Effect` set to `Allow`.