cfn-model 0.0.0

data/lib/cfn-model/parser/cfn_parser.rb

@@ -0,0 +1,126 @@
+require 'yaml'
+require 'cfn-model/validator/cloudformation_validator'
+require 'cfn-model/validator/reference_validator'
+require_relative 'parser_registry'
+require_relative 'parser_error'
+Dir["#{__dir__}/../model/*.rb"].each { |model| require "cfn-model/model/#{File.basename(model, '.rb')}" }
+
+##
+# This class is the heart of the matter.  It will take a CloudFormation template
+# and return a CfnModel object to represent the underlying document in a way
+# that is hopefully more convenient for (cfn-nag rule) developers to work with
+#
+class CfnParser
+  # this will convert any !Ref or !GetAtt into tranditional hash like in json
+  YAML.add_domain_type('', 'Ref') { |type, val| { 'Ref' => val } }
+
+  %w(GetAtt Join Base64 Sub Split Select ImportValue GetAZs FindInMap And Or If Not).each do |function_name|
+    YAML.add_domain_type('', function_name) { |type, val| { "Fn::#{function_name}" => val } }
+  end
+
+  ##
+  # Given raw json/yml CloudFormation template, returns a CfnModel object
+  # or raise ParserErrors if something is amiss with the format
+  def parse(cloudformation_yml)
+    cfn_hash = pre_validate_model cloudformation_yml
+
+    cfn_model = CfnModel.new
+    cfn_model.raw_model = cfn_hash
+
+    # pass 1: wire properties into ModelElement objects
+    transform_hash_into_model_elements cfn_hash, cfn_model
+
+    # pass 2: tie together separate resources only where necessary to make life easier for rule logic
+    post_process_resource_model_elements cfn_model
+
+    cfn_model
+  end
+
+  private
+
+  def post_process_resource_model_elements(cfn_model)
+    cfn_model.resources.each do |_, resource|
+      resource_parser_class = ParserRegistry.instance.registry[resource.class.to_s]
+
+      next if resource_parser_class.nil?
+
+      resource_parser = resource_parser_class.new
+      resource_parser.parse(cfn_model: cfn_model,
+                            resource: resource)
+    end
+  end
+
+  # pass 0: validate basic syntax so we can make some assumptions down stream
+  #         even within the parsing code
+  def transform_hash_into_model_elements(cfn_hash, cfn_model)
+    cfn_hash['Resources'].each do |resource_name, resource|
+      resource_class = class_from_type_name resource['Type']
+
+      resource_object = resource_class.new
+      resource_object.logical_resource_id = resource_name
+      resource_object.resource_type = resource['Type']
+
+      assign_fields_based_upon_properties resource_object, resource
+
+      cfn_model.resources[resource_name] = resource_object
+    end
+    cfn_model
+  end
+
+  def pre_validate_model(cloudformation_yml)
+    errors = CloudFormationValidator.new.validate cloudformation_yml
+    if !errors.nil? && !errors.empty?
+      raise ParserError.new('Basic CloudFormation syntax error', errors)
+    end
+
+    cfn_hash = YAML.load cloudformation_yml
+
+    unresolved_refs = ReferenceValidator.new.unresolved_references(cfn_hash)
+    unless unresolved_refs.empty?
+      raise ParserError.new("Unresolved logical resource ids: #{unresolved_refs.to_a}")
+    end
+    cfn_hash
+  end
+
+  def assign_fields_based_upon_properties(resource_object, resource)
+    unless resource['Properties'].nil?
+      resource['Properties'].each do |property_name, property_value|
+        resource_object.send("#{initial_lower(property_name)}=", property_value)
+      end
+    end
+  end
+
+  def class_from_type_name(type_name)
+    begin
+      resource_class = Object.const_get type_name, inherit=false
+    rescue NameError
+      # puts "Never seen class: #{type_name} so going dynamic"
+      resource_class = generate_resource_class_from_type type_name
+    end
+    resource_class
+  end
+
+  def initial_lower(str)
+    str.slice(0).downcase + str[1..(str.length)]
+  end
+
+  def generate_resource_class_from_type(type_name)
+    resource_class = Class.new(ModelElement)
+
+    module_names = type_name.split('::')
+    if module_names.first == 'Custom'
+      Object.const_set(module_names[1], resource_class)
+    elsif module_names.first == 'AWS'
+      begin
+        module_constant = AWS.const_get(module_names[1])
+      rescue NameError
+        module_constant = Module.new
+        module_constant.const_set(module_names[1], module_constant)
+      end
+      module_constant.const_set(module_names[2], resource_class)
+    else
+      raise "Unknown namespace in resource type: #{module_names.first}"
+    end
+    resource_class
+  end
+end

data/lib/cfn-model/parser/ec2_instance_parser.rb

@@ -0,0 +1,10 @@
+class Ec2InstanceParser
+  def parse(cfn_model:, resource:)
+    ec2_instance = resource
+
+    ec2_instance.security_groups = ec2_instance.securityGroupIds.map do |security_group_reference|
+      cfn_model.find_security_group_by_group_id(security_group_reference)
+    end
+    ec2_instance
+  end
+end

data/lib/cfn-model/parser/ec2_network_interface_parser.rb

@@ -0,0 +1,10 @@
+class Ec2NetworkInterfaceParser
+  def parse(cfn_model:, resource:)
+    network_interface = resource
+
+    network_interface.security_groups = network_interface.groupSet.map do |security_group_reference|
+      cfn_model.find_security_group_by_group_id(security_group_reference)
+    end
+    network_interface
+  end
+end

data/lib/cfn-model/parser/iam_group_parser.rb

@@ -0,0 +1,17 @@
+require 'cfn-model/model/iam_role'
+require 'cfn-model/model/policy'
+require_relative 'policy_document_parser'
+
+class IamGroupParser
+  def parse(cfn_model:, resource:)
+    iam_group = resource
+
+    iam_group.policy_objects = iam_group.policies.map do |policy|
+      new_policy = Policy.new
+      new_policy.policyName = policy['PolicyName']
+      new_policy.policyDocument = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy
+    end
+    iam_group
+  end
+end

data/lib/cfn-model/parser/iam_role_parser.rb

@@ -0,0 +1,20 @@
+require 'cfn-model/model/iam_role'
+require 'cfn-model/model/policy'
+require_relative 'policy_document_parser'
+
+class IamRoleParser
+  def parse(cfn_model:, resource:)
+    iam_role = resource
+
+    iam_role.assume_role_policy_document = PolicyDocumentParser.new.parse(iam_role.assumeRolePolicyDocument)
+
+    iam_role.policy_objects = iam_role.policies.map do |policy|
+      new_policy = Policy.new
+      new_policy.policy_name = policy['PolicyName']
+      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy
+    end
+
+    iam_role
+  end
+end

data/lib/cfn-model/parser/iam_user_parser.rb

@@ -0,0 +1,58 @@
+require 'cfn-model/model/policy_document'
+require 'cfn-model/model/policy'
+require_relative 'policy_document_parser'
+
+class IamUserParser
+  def parse(cfn_model:, resource:)
+    iam_user = resource
+
+    iam_user.policy_objects = iam_user.policies.map do |policy|
+      new_policy = Policy.new
+      new_policy.policy_name = policy['PolicyName']
+      new_policy.policy_document = PolicyDocumentParser.new.parse(policy['PolicyDocument'])
+      new_policy
+    end
+
+    iam_user.groups.each { |group_name| iam_user.group_names << group_name }
+
+    user_to_group_additions = cfn_model.resources_by_type 'AWS::IAM::UserToGroupAddition'
+    user_to_group_additions.each do |user_to_group_addition|
+
+      if user_to_group_addition_has_username(user_to_group_addition.users,iam_user)
+        iam_user.group_names << user_to_group_addition.groupName
+
+        # we need to figure out the story on resolving Refs i think for this to be real
+      end
+    end
+  end
+
+  private
+
+  def user_to_group_addition_has_username(addition_user_names, user_to_find)
+    addition_user_names.each do |addition_user_name|
+      if addition_user_name == user_to_find.userName
+        return true
+      end
+
+      if addition_user_name.is_a? Hash
+        if !addition_user_name['Ref'].nil?
+          if addition_user_name['Ref'] == user_to_find.logical_resource_id
+            return true
+          end
+        end
+      end
+    end
+    false
+  end
+
+  # def resolve_user_logical_resource_id(user)
+  #   if not user['Ref'].nil?
+  #     user['Ref']
+  #   elsif not user['Fn::GetAtt'].nil?
+  #     fail 'Arn not legal for user to group addition'
+  #   else
+  #     @dangler
+  #   end
+  # end
+
+end

data/lib/cfn-model/parser/load_balancer_parser.rb

@@ -0,0 +1,10 @@
+class LoadBalancerParser
+  def parse(cfn_model:, resource:)
+    load_balancer = resource
+
+    load_balancer.security_groups = load_balancer.securityGroups.map do |security_group_reference|
+      cfn_model.find_security_group_by_group_id(security_group_reference)
+    end
+    load_balancer
+  end
+end

data/lib/cfn-model/parser/load_balancer_v2_parser.rb

@@ -0,0 +1,15 @@
+class LoadBalancerV2Parser
+  def parse(cfn_model:, resource:)
+    load_balancer = resource
+
+    #could be a List<Subnet::Id>
+    # if load_balancer.subnets.size < 2
+    #   raise ParserError.new("Load Balancer must have at least two subnets: #{load_balancer.logical_resource_id}")
+    # end
+
+    load_balancer.security_groups = load_balancer.securityGroups.map do |security_group_reference|
+      cfn_model.find_security_group_by_group_id(security_group_reference)
+    end
+    load_balancer
+  end
+end

data/lib/cfn-model/parser/parser_error.rb

@@ -0,0 +1,13 @@
+class ParserError < RuntimeError
+  attr_accessor :errors
+
+  def initialize(message, validation_errors=nil)
+    super(message)
+    @message = message
+    @errors = validation_errors
+  end
+
+  def to_s
+    "#{@message}#{@errors.nil? ? '' : ':'}#{@errors.to_s}"
+  end
+end

data/lib/cfn-model/parser/parser_registry.rb

@@ -0,0 +1,34 @@
+Dir["#{__dir__}/*_parser.rb"].each { |model| require "cfn-model/parser/#{File.basename(model, '.rb')}" }
+
+class ParserRegistry
+  attr_reader :registry
+
+  def initialize
+    @registry = {
+      'AWS::EC2::SecurityGroup' => SecurityGroupParser,
+      'AWS::EC2::NetworkInterface' => Ec2NetworkInterfaceParser,
+      'AWS::EC2::Instance' => Ec2InstanceParser,
+      'AWS::ElasticLoadBalancing::LoadBalancer' => LoadBalancerParser,
+      'AWS::ElasticLoadBalancingV2::LoadBalancer' => LoadBalancerV2Parser,
+      'AWS::IAM::Group' => IamGroupParser,
+      'AWS::IAM::User' => IamUserParser,
+      'AWS::IAM::Role' => IamRoleParser,
+      'AWS::IAM::Policy' => WithPolicyDocumentParser,
+      'AWS::IAM::ManagedPolicy' => WithPolicyDocumentParser,
+      'AWS::S3::BucketPolicy' => WithPolicyDocumentParser,
+      'AWS::SNS::TopicPolicy' => WithPolicyDocumentParser,
+      'AWS::SQS::QueuePolicy' => WithPolicyDocumentParser
+    }
+  end
+
+  def self.instance
+    if @instance.nil?
+      @instance = ParserRegistry.new
+    end
+    @instance
+  end
+
+  # def add_parser(resource_name, parser)
+  #   @registry[resource_name] = parser
+  # end
+end

data/lib/cfn-model/parser/policy_document_parser.rb

@@ -0,0 +1,44 @@
+require 'cfn-model/model/iam_policy'
+require 'cfn-model/model/policy_document'
+
+class PolicyDocumentParser
+  def parse(raw_policy_document)
+    policy_document = PolicyDocument.new
+
+    policy_document.version = raw_policy_document['Version']
+
+    policy_document.statements = streamline_array(raw_policy_document['Statement']) do |statement|
+      parse_statement statement
+    end
+
+    policy_document
+  end
+
+  private
+
+  def parse_statement(raw_statement)
+    statement = Statement.new
+    statement.effect = raw_statement['Effect']
+    statement.sid = raw_statement['Sid']
+    statement.condition = raw_statement['Condition']
+    statement.actions = streamline_array(raw_statement['Action'])
+    statement.not_actions = streamline_array(raw_statement['NotAction'])
+    statement.resources = streamline_array(raw_statement['Resource'])
+    statement.not_resources = streamline_array(raw_statement['NotResource'])
+    statement.principal = raw_statement['Principal']
+    statement.not_principal = raw_statement['NotPrincipal']
+    statement
+  end
+
+  def streamline_array(one_or_more)
+    return [] if one_or_more.nil?
+
+    if one_or_more.is_a?(String) || one_or_more.is_a?(Hash)
+      [block_given? ? yield(one_or_more) : one_or_more]
+    elsif one_or_more.is_a? Array
+      one_or_more.map { |one| block_given? ? yield(one) : one }
+    else
+      raise "unexpected object in streamline_array: #{one_or_more} #{one_or_more.class}"
+    end
+  end
+end

data/lib/cfn-model/parser/security_group_parser.rb

@@ -0,0 +1,83 @@
+require_relative 'parser_error'
+require 'cfn-model/model/security_group_egress'
+require 'cfn-model/model/security_group_ingress'
+require 'cfn-model/model/references'
+
+class SecurityGroupParser
+
+  def parse(cfn_model:, resource:)
+     security_group = resource
+
+     objectify_egress security_group
+
+     objectify_ingress security_group
+
+     wire_ingress_rules_to_security_group(cfn_model: cfn_model, security_group: security_group)
+     wire_egress_rules_to_security_group(cfn_model: cfn_model, security_group: security_group)
+     security_group
+  end
+
+  private
+
+  def objectify_ingress(security_group)
+    if security_group.securityGroupIngress.is_a? Hash
+      security_group.securityGroupIngress = [security_group.securityGroupIngress]
+    end
+
+    security_group.ingresses = security_group.securityGroupIngress.map do |ingress|
+      ingress_object = AWS::EC2::SecurityGroupIngress.new
+      ingress.each do |k,v|
+        ingress_object.send("#{initialLower(k)}=", v)
+      end
+      #ingress_object.valid?
+      ingress_object
+    end
+  end
+
+  def objectify_egress(security_group)
+    if security_group.securityGroupEgress.is_a? Hash
+      security_group.securityGroupEgress = [security_group.securityGroupEgress]
+    end
+
+    security_group.egresses = security_group.securityGroupEgress.map do |egress|
+      egress_object = AWS::EC2::SecurityGroupEgress.new
+      egress.each do |k,v|
+        egress_object.send("#{initialLower(k)}=", v)
+      end
+      #egress_object.valid?
+      egress_object
+    end
+  end
+
+  def initialLower(str)
+    str.slice(0).downcase + str[1..(str.length)]
+  end
+
+  def wire_ingress_rules_to_security_group(cfn_model:, security_group:)
+    ingress_rules = cfn_model.resources_by_type 'AWS::EC2::SecurityGroupIngress'
+    ingress_rules.each do |security_group_ingress|
+      group_id = References.resolve_security_group_id(security_group_ingress.groupId)
+
+      # standalone ingress rules are legal - referencing an external security group
+      next if group_id.nil?
+
+      if security_group.logical_resource_id == group_id
+        security_group.ingresses << security_group_ingress
+      end
+    end
+  end
+
+  def wire_egress_rules_to_security_group(cfn_model:, security_group:)
+    egress_rules = cfn_model.resources_by_type 'AWS::EC2::SecurityGroupEgress'
+    egress_rules.each do |security_group_egress|
+      group_id = References.resolve_security_group_id(security_group_egress.groupId)
+
+      # standalone ingress rules are legal - referencing an external security group
+      next if group_id.nil?
+
+      if security_group.logical_resource_id == group_id
+        security_group.egresses << security_group_egress
+      end
+    end
+  end
+end

data/lib/cfn-model/parser/with_policy_document_parser.rb

@@ -0,0 +1,10 @@
+require 'cfn-model/model/iam_policy'
+require 'cfn-model/model/policy_document'
+require_relative 'policy_document_parser'
+
+class WithPolicyDocumentParser
+  def parse(cfn_model:, resource:)
+    resource.policy_document = PolicyDocumentParser.new.parse(resource.policyDocument)
+    resource
+  end
+end

data/lib/cfn-model/schema/AWS_CloudFront_Distribution.yml

@@ -0,0 +1,42 @@
+---
+type: map
+mapping:
+  Type:
+    type: str
+    required: yes
+    pattern: /AWS::CloudFront::Distribution/
+  Properties:
+    type: map
+    required: yes
+    mapping:
+      DistributionConfig:
+        type:   map
+        required: yes
+        mapping:
+          Aliases:
+            type:   seq
+            required: no
+            sequence:
+              - type:   any
+          CacheBehaviors:
+            type:   seq
+            required: no
+            sequence:
+              - type:   any
+          DefaultCacheBehavior:
+            type: any
+            required: yes
+          Enabled:
+            type: any
+            required: yes
+          Origins:
+            type:   seq
+            required: yes
+            sequence:
+              - type:   any
+          =:
+            type: any
+      =:
+        type: any
+  =:
+    type: any

data/lib/cfn-model/schema/AWS_EC2_Instance.yml

@@ -0,0 +1,146 @@
+---
+type: map
+mapping:
+  Type:
+    type: str
+    required: yes
+    pattern: /AWS::EC2::Instance/
+  Properties:
+    type: map
+    required: yes
+    mapping:
+      BlockDeviceMappings:
+        type: seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              DeviceName:
+                type: any
+                required: yes
+              =:
+                type: any
+      ImageId:
+        type: any
+        required: yes
+      Ipv6Addresses:
+        type:   seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              Ipv6Address:
+                type: any
+                required: yes
+              =:
+                type: any
+      NetworkInterfaces:
+        type:   seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              DeviceIndex:
+                type: any
+                required: yes
+              GroupSet:
+                type:   seq
+                required: no
+                sequence:
+                  - type:   any
+              Ipv6Addresses:
+                type:   seq
+                required: no
+                sequence:
+                  - type: map
+                    mapping:
+                      Ipv6Address:
+                        type: any
+                        required: yes
+                      =:
+                        type: any
+              PrivateIpAddresses:
+                type: seq
+                required: no
+                sequence:
+                  - type: map
+                    mapping:
+                      PrivateIpAddress:
+                        type: any
+                        required: yes
+                      Primary:
+                        type: any
+                        required: yes
+                      =:
+                        type: any
+              =:
+                type: any
+
+      # sigh this could be List<AWS::EC2::SecurityGroup::Id> so can't enfore seq
+      SecurityGroupIds:
+        type:   any
+        required: no
+
+      # sigh this could be List<AWS::EC2::SecurityGroup::GroupName> so can't enfore seq
+      SecurityGroups:
+        type:   any
+        required: no
+
+      SsmAssociations:
+        type:   seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              AssociationParameters:
+                type:   seq
+                required: no
+                sequence:
+                  - type: map
+                    mapping:
+                      Key:
+                        type: any
+                        required: yes
+                      Value:
+                        type: seq
+                        required: yes
+                        sequence:
+                          - type: any
+                      =:
+                        type: any
+              DocumentName:
+                required: yes
+                type: any
+
+      Tags:
+        type:   seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              Key:
+                type: any
+                required: yes
+              Value:
+                type: any
+                required: yes
+              =:
+                type: any
+      Volumes:
+        type:   seq
+        required: no
+        sequence:
+          - type: map
+            mapping:
+              Device:
+                type: any
+                required: yes
+              VolumeId:
+                type: any
+                required: yes
+              =:
+                type: any
+      =:
+        type: any
+  =:
+    type: any