From 2a3a703c29aedc579c40735ed4b7d0b92332a224 Mon Sep 17 00:00:00 2001
From: Tatsuya Hoshino
Date: Mon, 11 Feb 2019 15:54:17 +0900
Subject: [PATCH] Add have_server_side_encryption matcher to s3_bucket

This changes add have_server_side_encryption matcher to s3_bucket.
This matcher is used as follows to test whether server side encryption enabled or not.

```
describe s3_bucket('my-bucket') do
it { should have_server_side_encryption(algorithm: 'aws:kms') }
end
```

---
 doc/_resource_types/s3_bucket.md | 9 +++++++++
 doc/resource_types.md | 12 +++++++++++-
 lib/awspec/helper/finder/s3.rb | 7 +++++++
 lib/awspec/stub/s3_bucket.rb | 12 ++++++++++++
 lib/awspec/type/s3_bucket.rb | 8 ++++++++
 spec/type/s3_bucket_spec.rb | 2 ++
 6 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/doc/_resource_types/s3_bucket.md b/doc/_resource_types/s3_bucket.md
index 46249eeaf..b2ad5f65f 100644
--- a/doc/_resource_types/s3_bucket.md
+++ b/doc/_resource_types/s3_bucket.md
@@ -130,6 +130,15 @@ describe s3_bucket('my-bucket') do
 end
 ```
+### have_server_side_encryption
+
+```
+describe s3_bucket('my-bucket') do
+ it { should have_server_side_encryption(algorithm: "AES256") }
+ it { should have_server_side_encryption(algorithm: "aws:kms") }
+end
+```
+
 ### advanced
 `s3_bucket` can use `Aws::S3::Bucket` resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Bucket.html).
diff --git a/doc/resource_types.md b/doc/resource_types.md
index 7e7c59f30..9b4d59a31 100644
--- a/doc/resource_types.md
+++ b/doc/resource_types.md
@@ -2551,7 +2551,7 @@ end
 ```
-### its(:vpc_id), its(:db_instance_identifier), its(:db_instance_class), its(:engine), its(:db_instance_status), its(:master_username), its(:db_name), its(:endpoint), its(:allocated_storage), its(:instance_create_time), its(:preferred_backup_window), its(:backup_retention_period), its(:db_security_groups), its(:availability_zone), its(:preferred_maintenance_window), its(:pending_modified_values), its(:latest_restorable_time), its(:multi_az), its(:engine_version), its(:auto_minor_version_upgrade), its(:read_replica_source_db_instance_identifier), its(:read_replica_db_instance_identifiers), its(:read_replica_db_cluster_identifiers), its(:license_model), its(:iops), its(:character_set_name), its(:secondary_availability_zone), its(:publicly_accessible), its(:status_infos), its(:storage_type), its(:tde_credential_arn), its(:db_instance_port), its(:db_cluster_identifier), its(:storage_encrypted), its(:kms_key_id), its(:dbi_resource_id), its(:ca_certificate_identifier), its(:domain_memberships), its(:copy_tags_to_snapshot), its(:monitoring_interval), its(:enhanced_monitoring_resource_arn), its(:monitoring_role_arn), its(:promotion_tier), its(:db_instance_arn), its(:timezone), its(:iam_database_authentication_enabled), its(:performance_insights_enabled), its(:performance_insights_kms_key_id), its(:performance_insights_retention_period), its(:enabled_cloudwatch_logs_exports), its(:processor_features), its(:deletion_protection), its(:listener_endpoint)
+### its(:vpc_id), its(:db_instance_identifier), its(:db_instance_class), its(:engine), its(:db_instance_status), its(:master_username), its(:db_name), its(:endpoint), its(:allocated_storage), its(:instance_create_time), its(:preferred_backup_window), its(:backup_retention_period), its(:db_security_groups), its(:availability_zone), its(:preferred_maintenance_window), its(:pending_modified_values), its(:latest_restorable_time), its(:multi_az), its(:engine_version), 
its(:auto_minor_version_upgrade), its(:read_replica_source_db_instance_identifier), its(:read_replica_db_instance_identifiers), its(:read_replica_db_cluster_identifiers), its(:license_model), its(:iops), its(:character_set_name), its(:secondary_availability_zone), its(:publicly_accessible), its(:status_infos), its(:storage_type), its(:tde_credential_arn), its(:db_instance_port), its(:db_cluster_identifier), its(:storage_encrypted), its(:kms_key_id), its(:dbi_resource_id), its(:ca_certificate_identifier), its(:domain_memberships), its(:copy_tags_to_snapshot), its(:monitoring_interval), its(:enhanced_monitoring_resource_arn), its(:monitoring_role_arn), its(:promotion_tier), its(:db_instance_arn), its(:timezone), its(:iam_database_authentication_enabled), its(:performance_insights_enabled), its(:performance_insights_kms_key_id), its(:performance_insights_retention_period), its(:enabled_cloudwatch_logs_exports), its(:processor_features), its(:deletion_protection), its(:associated_roles), its(:listener_endpoint)
 ### :unlock: Advanced use
 `rds` can use `Aws::RDS::DBInstance` resource (see http://docs.aws.amazon.com/sdkforruby/api/Aws/RDS/DBInstance.html).
@@ -2929,6 +2929,16 @@ end
 ```
+### have_server_side_encryption
+
+```
+describe s3_bucket('my-bucket') do
+ it { should have_server_side_encryption(algorithm: "AES256") }
+ it { should have_server_side_encryption(algorithm: "aws:kms") }
+end
+```
+
+
 ### have_tag
 ```ruby
diff --git a/lib/awspec/helper/finder/s3.rb b/lib/awspec/helper/finder/s3.rb
index b90fa235a..453653cdb 100644
--- a/lib/awspec/helper/finder/s3.rb
+++ b/lib/awspec/helper/finder/s3.rb
@@ -56,6 +56,13 @@ def find_bucket_lifecycle_configuration(id)
 nil
 end
+ def find_bucket_server_side_encryption(id)
+ res = s3_client.get_bucket_encryption(bucket: id)
+ res.server_side_encryption_configuration
+ rescue Aws::S3::Errors::ServiceError
+ nil
+ end
+
 def select_all_buckets
 s3_client.list_buckets.buckets
 end
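Review bot: `rescue Aws::S3::Errors::ServiceError` in find_bucket_server_side_encryption maps every S3 failure to nil, so an AccessDenied or throttling response is indistinguishable from a bucket that simply has no default-encryption configuration, and `should_not have_server_side_encryption` would pass against a bucket the caller is not permitted to inspect. S3 reports the "not configured" case with the `ServerSideEncryptionConfigurationNotFoundError` error code, which the SDK exposes as a class of the same name under `Aws::S3::Errors`; rescuing only that (`rescue Aws::S3::Errors::ServerSideEncryptionConfigurationNotFoundError`) keeps the nil-for-absent contract while letting permission and transport errors surface. The finder just above appears to use the same broad rescue, so this may be a deliberate module-wide convention; if it is kept, a one-line comment on the rescue such as `# nil also covers access/transport errors, not only "no configuration"` would warn callers. The enclosing module starts and ends outside the hunk.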
diff --git a/lib/awspec/stub/s3_bucket.rb b/lib/awspec/stub/s3_bucket.rb
index ba9a4d352..813ed747b 100644
--- a/lib/awspec/stub/s3_bucket.rb
+++ b/lib/awspec/stub/s3_bucket.rb
@@ -118,6 +118,18 @@
 }
 }
 ]
+ },
+ get_bucket_encryption: {
+ server_side_encryption_configuration: {
+ rules: [
+ {
+ apply_server_side_encryption_by_default: {
+ sse_algorithm: 'aws:kms',
+ kms_master_key_id: '[FILTERED]'
+ }
+ }
+ ]
+ }
 }
 }
 }
diff --git a/lib/awspec/type/s3_bucket.rb b/lib/awspec/type/s3_bucket.rb
index c994b16db..6bd74faf5 100644
--- a/lib/awspec/type/s3_bucket.rb
+++ b/lib/awspec/type/s3_bucket.rb
@@ -109,6 +109,14 @@ def has_mfa_delete_enabled?
 bv ? (bv.mfa_delete == 'Enabled') : false
 end
+ def has_server_side_encryption?(algorithm:)
+ configuration = find_bucket_server_side_encryption(id)
+ return false unless configuration
+
+ sse_algorithm = configuration.rules[0].apply_server_side_encryption_by_default.sse_algorithm
+ sse_algorithm ? (sse_algorithm == algorithm) : false
+ end
+
 private
 def cors_rules
diff --git a/spec/type/s3_bucket_spec.rb b/spec/type/s3_bucket_spec.rb
index be3c97315..d74456440 100644
--- a/spec/type/s3_bucket_spec.rb
+++ b/spec/type/s3_bucket_spec.rb
@@ -56,6 +56,8 @@
 it { should have_mfa_delete_enabled }
+ it { should have_server_side_encryption(algorithm: 'aws:kms') }
+
 context 'nested attribute call' do
 its(:resource) { should be_an_instance_of(Awspec::ResourceReader) }
 its('resource.name') { should eq 'my-bucket' }
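Review bot: has_server_side_encryption? reads only `configuration.rules[0]` and dereferences `apply_server_side_encryption_by_default` unconditionally, so a configuration whose rules array is empty raises NoMethodError on nil instead of returning false, and a matching default-encryption rule that is not first is never seen (the API returns a list of rules, and a rule's default block is optional). Iterating the rules with `any?` and guarding the nil default makes the matcher total over what the API can return; the rewrite below does that. The matcher compares the algorithm only and ignores `kms_master_key_id`, which the method name implies but a comment should state so callers do not read it as a key check. The method is entirely within the hunk.
```ruby
def has_server_side_encryption?(algorithm:)
  configuration = find_bucket_server_side_encryption(id)
  return false unless configuration

  # True when any rule's default encryption uses the requested algorithm.
  # A rule may carry no default block; the KMS key id is not compared.
  configuration.rules.any? do |rule|
    default = rule.apply_server_side_encryption_by_default
    default && default.sse_algorithm == algorithm
  end
end
```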
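Review bot: The spec exercises only the positive case against a stub whose single rule uses 'aws:kms', so neither the non-matching-algorithm branch nor the no-configuration branch of has_server_side_encryption? is covered. Adding `it { should_not have_server_side_encryption(algorithm: 'AES256') }` beside the new line covers the mismatch path with the existing stub; the nil path would need a stub response without `get_bucket_encryption`. The describe block continues outside the hunk.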