cfn-model 0.4.14 → 0.4.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e6d251d26bd76ce4b94e2419cbfd2b3966f00621e0d58a179306658c774236e
-  data.tar.gz: 0d52bd32ef330e7767bcd8cacc7a605233bb63b30ebc7506ec7638488bb0c05a
+  metadata.gz: 4ea0ce4fe023541429f2281bf73a25427e4f7f8e38699d813538c94fd9eb7f99
+  data.tar.gz: ccc58faba8de9f7a2888aa77193416866cfd0cecd1e1e9facb4a84aa221ae42a
 SHA512:
-  metadata.gz: 34eaebd11a7fe8c98472cd2d50f2e51b81c96730ec6057a0fe71fc14f1bba2408a01983349fbb8c91a92bbf93766b1ed655253313e2787c9c4df0bb397cb8b8e
-  data.tar.gz: 0be2f0d6652bec14496af02c71f07c8974cb4ec115c30454404b7a89efe0cbb76b743472305a577aab77354502ab6ad47b19ee231f60a6d87114bb99c0b69754
+  metadata.gz: 6edea6eae9a57f283b7915af1d3d74632990c210a95e403a9a4551eb30fd05be1613a6d8cdb83bcbb683de706150b86776d22c14cbe455b43770e38c79a250c7
+  data.tar.gz: 10dad014790492293112026e502741e81fb575cbd19a9f4735757ad6b9077532c3a8bef0eafbc55af32aa585cd646f7f6ef3f5fac3de83997ffe1e6e9623e574

data/lib/cfn-model/model/cfn_model.rb

@@ -60,10 +60,27 @@ class CfnModel
     end
   end
 
+  def resource_by_id(resource_id)
+    @resources.values.find { |resource| resource.logical_resource_id == resource_id }
+  end
+
   def resources_by_type(resource_type)
     @resources.values.select { |resource| resource.resource_type == resource_type }
   end
 
+  def resource_by_ref(reference, attr = nil)
+    # If reference is a String, look for a matching object as is (best effort)
+    # Although, the caller could just use resource_by_id on this value, since it
+    # would be the logical_resource_id.
+    logical_resource_id = reference if reference.is_a? String
+
+    # Otherwise, obtain logical_resource_id from References class
+    logical_resource_id ||= References.resolve_resource_id reference, attr
+
+    # Search resources for a matching ID
+    resource_by_id logical_resource_id
+  end
+
   def find_security_group_by_group_id(security_group_reference)
     security_group_id = References.resolve_security_group_id(security_group_reference)
     if security_group_id.nil?

data/lib/cfn-model/model/lambda_function.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative 'model_element'
+
+# Explicitly creating this element in order
+# to compute the role ID if not a string
+class AWS::Lambda::Function < ModelElement
+  attr_accessor :role_object
+
+  def initialize(cfn_model)
+    super
+    @role_object = nil
+    @resource_type = 'AWS::Lambda::Function'
+  end
+end

data/lib/cfn-model/model/model_element.rb

@@ -7,6 +7,10 @@ module AWS
 
   end
 
+  module CloudFront
+
+  end
+
   module EC2
 
   end
@@ -27,23 +31,19 @@ module AWS
 
   end
 
-  module S3
-
-  end
-
-  module SNS
+  module Lambda
 
   end
 
-  module SQS
+  module S3
 
   end
 
-  module Lambda
+  module SNS
 
   end
 
-  module CloudFront
+  module SQS
 
   end
 end

data/lib/cfn-model/model/references.rb

@@ -29,33 +29,35 @@ module References
     end
   end
 
+  def self.resolve_resource_id(reference, attr = nil)
+    return nil if reference.is_a? String
+
+    # an imported value can only yield a literal to an external resource vs. referencing something local
+    if !reference['Ref'].nil?
+      reference['Ref']
+    elsif !reference['Fn::GetAtt'].nil?
+      logical_resource_id_from_get_att reference['Fn::GetAtt'], attr
+    else
+      # anything else will be string manipulation functions
+      # which again leads us back to a string which must be an external resource known out of band
+      # so don't/can't link it up
+      return nil
+    end
+  end
+
   def self.is_security_group_id_external(group_id)
     resolve_security_group_id(group_id).nil?
   end
 
-  ##
-  # Return nil if
   def self.resolve_security_group_id(group_id)
-    return nil if group_id.is_a? String
-
-    # an imported value can only yield a literal to an external sg vs. referencing something local
-    if !group_id['Ref'].nil?
-      group_id['Ref']
-    elsif !group_id['Fn::GetAtt'].nil?
-      logical_resource_id_from_get_att group_id['Fn::GetAtt']
-    else # !group_id['Fn::ImportValue'].nil?
-      # anything else will be string manipulation functions
-      # which again leads us back to a string which must be an external security group known out of band
-      # so don't/can't link it up to a security group
-      return nil
-    end
+    resolve_resource_id group_id, 'GroupId'
   end
 
   private
 
-  def self.logical_resource_id_from_get_att(attribute_spec)
+  def self.logical_resource_id_from_get_att(attribute_spec, attr_to_retrieve=nil)
     if attribute_spec.is_a? Array
-      if attribute_spec[1] == 'GroupId'
+      if !attr_to_retrieve || attribute_spec[1] == attr_to_retrieve
         return attribute_spec.first
       else
         # this could be a reference to a nested stack output so treat it as external
@@ -63,7 +65,7 @@ module References
         return nil
       end
     elsif attribute_spec.is_a? String
-      if attribute_spec.split('.')[1] == 'GroupId'
+      if !attr_to_retrieve || attribute_spec.split('.')[1] == attr_to_retrieve
         return attribute_spec.split('.').first
       else
         # this could be a reference to a nested stack output so treat it as external
@@ -72,4 +74,4 @@ module References
       end
     end
   end
-end
+end

data/lib/cfn-model/model/statement.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require 'cfn-model/util/wildcard_patterns'
 require_relative 'principal'
 
 class Statement
@@ -27,6 +28,25 @@ class Statement
     @resources.select { |resource| resource.to_s == '*' }
   end
 
+  # allows_action?
+  #   Checks if policy document allows the given action
+  #
+  #   arg action (str): Action string to check
+  #   arg wildcard (bool): Whether to apply 'wildcard_patterns' to action
+  #
+  #   return: boolean
+  def allows_action?(action, wildcard=true)
+    if wildcard
+      patterns = wildcard_patterns(action.split(':')[1]).map! { |x| action.split(':')[0] + ':' + x } + ['*']
+    else
+      patterns = [action]
+    end
+
+    matching_actions = @actions.select { |statement_action| patterns.include? statement_action }
+
+    !matching_actions.empty? && @effect == 'Allow'
+  end
+
   def ==(another_statement)
     @effect == another_statement.effect &&
       @actions == another_statement.actions &&

data/lib/cfn-model/parser/lambda_function_parser.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# Compute the role_id for parsed Lambda function
+class LambdaFunctionParser
+  def parse(cfn_model:, resource:)
+    lambda_function = resource
+
+    lambda_function.role_object = cfn_model.resource_by_ref(lambda_function.role, 'Arn')
+
+    lambda_function
+  end
+end

data/lib/cfn-model/parser/parser_registry.rb

@@ -18,6 +18,7 @@ class ParserRegistry
       'AWS::IAM::Policy' => WithPolicyDocumentParser,
       'AWS::IAM::ManagedPolicy' => WithPolicyDocumentParser,
       'AWS::KMS::Key' => KmsKeyParser,
+      'AWS::Lambda::Function' => LambdaFunctionParser,
       'AWS::S3::BucketPolicy' => WithPolicyDocumentParser,
       'AWS::SNS::TopicPolicy' => WithPolicyDocumentParser,
       'AWS::SQS::QueuePolicy' => WithPolicyDocumentParser

data/lib/cfn-model/schema/AWS_Lambda_Function.yml

@@ -0,0 +1,27 @@
+---
+type: map
+mapping:
+  Type:
+    type: str
+    required: yes
+    pattern: /AWS::Lambda::Function/
+  Properties:
+    type: map
+    required: yes
+    mapping:
+      Code:
+        type: any
+        required: yes
+      Handler:
+        type: any
+        required: yes
+      Role:
+        type: any
+        required: yes
+      Runtime:
+        type: any
+        required: yes
+      =:
+        type: any
+  =:
+    type: any

data/lib/cfn-model/util/wildcard_patterns.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# Create array of wildcard patterns for a given input string
+
+def wildcard_patterns(input, pattern_types: %w[front back both])
+  input_string = input.to_s
+  results = [input_string]
+  pattern_types.each do |pattern_type|
+    case pattern_type
+    when 'front'
+      results += wildcard_front(input_string)
+    when 'back'
+      results += wildcard_back(input_string)
+    when 'both'
+      results += wildcard_front_back(input_string)
+    else
+      raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
+    end
+  end
+  results + ['*']
+end
+
+private
+
+def wildcard_back(input_string, results = [], prepend = '')
+  return results if input_string.empty?
+
+  results << "#{prepend}#{input_string}*"
+  wildcard_back(input_string.chop, results, prepend)
+end
+
+def wildcard_front(input_string, results = [])
+  return results if input_string.empty?
+
+  results << "*#{input_string}"
+  wildcard_front(input_string[1..-1], results)
+end
+
+def wildcard_front_back(input_string, results = [])
+  return results if input_string.empty?
+
+  results += wildcard_back(input_string, [], '*')
+  wildcard_front_back(input_string[1..-1], results)
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-model
 version: !ruby/object:Gem::Version
-  version: 0.4.14
+  version: 0.4.15
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-14 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -71,6 +71,7 @@ files:
 - lib/cfn-model/model/iam_role.rb
 - lib/cfn-model/model/iam_user.rb
 - lib/cfn-model/model/kms_key.rb
+- lib/cfn-model/model/lambda_function.rb
 - lib/cfn-model/model/lambda_principal.rb
 - lib/cfn-model/model/load_balancer.rb
 - lib/cfn-model/model/model_element.rb
@@ -94,6 +95,7 @@ files:
 - lib/cfn-model/parser/iam_role_parser.rb
 - lib/cfn-model/parser/iam_user_parser.rb
 - lib/cfn-model/parser/kms_key_parser.rb
+- lib/cfn-model/parser/lambda_function_parser.rb
 - lib/cfn-model/parser/load_balancer_parser.rb
 - lib/cfn-model/parser/load_balancer_v2_parser.rb
 - lib/cfn-model/parser/parameter_substitution.rb
@@ -121,12 +123,14 @@ files:
 - lib/cfn-model/schema/AWS_IAM_User.yml
 - lib/cfn-model/schema/AWS_IAM_UserToGroupAddition.yml
 - lib/cfn-model/schema/AWS_KMS_Key.yml
+- lib/cfn-model/schema/AWS_Lambda_Function.yml
 - lib/cfn-model/schema/AWS_Lambda_Permission.yml
 - lib/cfn-model/schema/AWS_S3_BucketPolicy.yml
 - lib/cfn-model/schema/AWS_SNS_TopicPolicy.yml
 - lib/cfn-model/schema/AWS_SQS_QueuePolicy.yml
 - lib/cfn-model/schema/schema.yml.erb
 - lib/cfn-model/transforms/serverless.rb
+- lib/cfn-model/util/wildcard_patterns.rb
 - lib/cfn-model/validator/cloudformation_validator.rb
 - lib/cfn-model/validator/reference_validator.rb
 - lib/cfn-model/validator/resource_type_validator.rb