Password usage properties for aws_iam_users (#213)

Signed-off-by: Rony Xavier <rx294@nyu.edu>
inspec · Feb 1, 2018 · 7d53056 · 7d53056
1 parent 2cddbdf
commit 7d53056
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 3 deletions.
diff --git a/docs/resources/aws_iam_users.md b/docs/resources/aws_iam_users.md
@@ -48,6 +48,33 @@ The following examples show how to use this InSpec audit resource.
       it { should_not exist }
     end
 
+### Test that all users that have a console password should have used it at-least once
+
+    console_users_with_unused_password = aws_iam_users
+                                         .where(has_console_password?: true)
+                                         .where(password_never_used?: false)
+
+    describe console_users_with_unused_password do
+      it { should_not exist }
+    end
+
+### Test that atleast one user exists with console password and used it atleast once
+
+    console_users_with_used_password = aws_iam_users
+                                       .where(has_console_password?: true)
+                                       .where(password_ever_used?: false)
+
+    describe console_users_with_used_password do
+      it { should exist }
+    end
+
+
+### Test that users with used passwords longer that 90 days should not exists
+
+    describe aws_iam_users.where { password_last_used_days_ago > 90 } do
+      it { should_not exist }
+    end
+
 <br>
 
 ## Matchers

diff --git a/libraries/aws_iam_users.rb b/libraries/aws_iam_users.rb
@@ -11,7 +11,6 @@ class AwsIamUsers < Inspec.resource(1)
     describe aws_iam_users.where(has_mfa_enabled?: false) do
       it { should_not exist }
     end
-
     describe aws_iam_users.where(has_console_password?: true) do
       it { should exist }
     end
@@ -23,6 +22,9 @@ class AwsIamUsers < Inspec.resource(1)
         .add(:exists?) { |x| !x.entries.empty? }
         .add(:has_mfa_enabled?, field: :has_mfa_enabled)
         .add(:has_console_password?, field: :has_console_password)
+        .add(:password_ever_used?, field: :password_ever_used?)
+        .add(:password_never_used?, field: :password_never_used?)
+        .add(:password_last_used_days_ago, field: :password_last_used_days_ago)
         .add(:username, field: :user_name)
   filter.connect(self, :collect_user_details)
 
@@ -51,6 +53,11 @@ def collect_user_details
         user[:has_mfa_enabled] = false
       end
       user[:has_mfa_enabled?] = user[:has_mfa_enabled]
+      password_last_used = user[:password_last_used]
+      user[:password_ever_used?] = !password_last_used.nil?
+      user[:password_never_used?] = password_last_used.nil?
+      next unless user[:password_ever_used?]
+      user[:password_last_used_days_ago] = ((Time.now - password_last_used) / (24*60*60)).to_i
     end
     users
   end

diff --git a/test/unit/resources/aws_iam_users_test.rb b/test/unit/resources/aws_iam_users_test.rb
@@ -60,6 +60,40 @@ def test_users_criteria_has_console_password?
     assert_includes users.entries.map{ |u| u[:user_name] }, 'carol'
     refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
   end
+
+  #------------------------------------------#
+  #           password_ever_used?
+  #------------------------------------------#
+  def test_users_criteria_password_ever_used?
+    AwsIamUsers::Backend.select(Maiusb::Basic)
+    users = AwsIamUsers.new.where { password_ever_used? }
+    assert(2, users.entries.count)
+    assert_includes users.entries.map{ |u| u[:user_name] }, 'carol'
+    refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
+  end
+
+  #------------------------------------------#
+  #           password_never_used?
+  #------------------------------------------#
+  def test_users_criteria_password_never_used?
+    AwsIamUsers::Backend.select(Maiusb::Basic)
+    users = AwsIamUsers.new.where { password_never_used? }
+    assert(1, users.entries.count)
+    assert_includes users.entries.map{ |u| u[:user_name] }, 'alice'
+    refute_includes users.entries.map{ |u| u[:user_name] }, 'carol'
+  end
+
+  #------------------------------------------#
+  #        password_last_used_days_ago
+  #------------------------------------------#
+  def test_users_criteria_has_password_last_used_days_ago_10
+    AwsIamUsers::Backend.select(Maiusb::Basic)
+    users = AwsIamUsers.new.where(password_last_used_days_ago: 10)
+    puts users
+    assert(1, users.entries.count)
+    assert_includes users.entries.map{ |u| u[:user_name] }, 'bob'
+    refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
+  end
 end
 
 #=============================================================================#
@@ -107,12 +141,12 @@ def list_users
           OpenStruct.new({
             user_name: 'bob',
             create_date: DateTime.parse('2017-11-06T16:19:30Z'),
-            password_last_used: DateTime.parse('2017-11-06T19:19:30Z'),
+            password_last_used: Time.now - 10*24*60*60,
             }),
           OpenStruct.new({
             user_name: 'carol',
             create_date: DateTime.parse('2017-10-10T16:19:30Z'),
-            password_last_used: DateTime.parse('2017-10-28T19:19:30Z'),
+            password_last_used: Time.now - 91*24*60*60,
           }),
         ]
       })