cfn-nag 0.0.44 → 0.1.0

data/lib/cfn-nag/rule_dumper.rb

@@ -0,0 +1,23 @@
+require_relative 'custom_rule_loader'
+require_relative 'profile_loader'
+require_relative 'result_view/rules_view'
+
+class CfnNagRuleDumper
+  def initialize(profile_definition: nil,
+                 rule_directory: nil)
+    @rule_directory = rule_directory
+    @profile_definition = profile_definition
+  end
+
+  def dump_rules
+    custom_rule_loader = CustomRuleLoader.new(rule_directory: @rule_directory)
+    rule_registry = custom_rule_loader.rule_definitions
+
+    profile = nil
+    unless @profile_definition.nil?
+      profile = ProfileLoader.new(rule_registry).load(profile_definition: @profile_definition)
+    end
+
+    RulesView.new.emit(rule_registry, profile)
+  end
+end

data/lib/cfn-nag/rule_registry.rb

@@ -0,0 +1,43 @@
+require_relative 'rule_definition'
+
+class RuleRegistry
+  attr_reader :rules
+
+  def initialize
+    @rules = []
+  end
+
+  def definition(id:,
+                 type:,
+                 message:)
+    rule_definition = RuleDefinition.new(id: id,
+                                         type: type,
+                                         message: message)
+    existing_def = by_id id
+
+    if existing_def.nil?
+      add_rule rule_definition
+    else
+      existing_def
+    end
+  end
+
+  def by_id(id)
+    @rules.find { |rule| rule.id == id }
+  end
+
+  def warnings
+    @rules.select { |rule| rule.type == RuleDefinition::WARNING }
+  end
+
+  def failings
+    @rules.select { |rule| rule.type == RuleDefinition::FAILING_VIOLATION }
+  end
+
+  private
+
+  def add_rule(violation_def)
+    @rules << violation_def
+    violation_def
+  end
+end

data/lib/cfn-nag/template_discovery.rb

@@ -0,0 +1,24 @@
+class TemplateDiscovery
+  def discover_templates(input_json_path)
+    if ::File.directory? input_json_path
+      templates = find_templates_in_directory(directory: input_json_path)
+    elsif ::File.file? input_json_path
+      templates = [input_json_path]
+    else
+      fail "#{input_json_path} is not a proper path"
+    end
+    templates
+  end
+
+  private
+
+  def find_templates_in_directory(directory:,
+                                  cfn_extensions: %w(json yaml yml template))
+
+    templates = []
+    cfn_extensions.each do |cfn_extension|
+      templates += Dir[File.join(directory, "**/*.#{cfn_extension}")]
+    end
+    templates
+  end
+end

data/lib/cfn-nag/violation.rb

@@ -0,0 +1,58 @@
+require_relative 'rule_definition'
+
+class Violation < RuleDefinition
+  attr_reader :logical_resource_ids
+
+  def initialize(id:,
+                 type:,
+                 message:,
+                 logical_resource_ids: nil)
+    super id: id,
+          type: type,
+          message: message
+
+    @logical_resource_ids = logical_resource_ids
+  end
+
+  def to_s
+    "#{super.to_s} #{@logical_resource_ids}"
+  end
+
+  def to_h
+    super.to_h.merge({
+      logical_resource_ids: @logical_resource_ids
+    })
+  end
+
+  def self.count_warnings(violations)
+    violations.inject(0) do |count, violation|
+      if violation.type == Violation::WARNING
+        if empty?(violation.logical_resource_ids)
+          count += 1
+        else
+          count += violation.logical_resource_ids.size
+        end
+      end
+      count
+    end
+  end
+
+  def self.count_failures(violations)
+    violations.inject(0) do |count, violation|
+      if violation.type == Violation::FAILING_VIOLATION
+        if empty?(violation.logical_resource_ids)
+          count += 1
+        else
+          count += violation.logical_resource_ids.size
+        end
+      end
+      count
+    end
+  end
+
+  private
+
+  def self.empty?(array)
+    array.nil? || array.size ==0
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.0.44
+  version: 0.1.0
 platform: ruby
 authors:
-- someguy
+- Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-07 00:00:00.000000000 Z
+date: 2017-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -38,49 +38,92 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.1.2
+- !ruby/object:Gem::Dependency
+  name: cfn-model
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.0.5
 description: Auditing tool for CloudFormation templates
 email: 
 executables:
 - cfn_nag
 - cfn_nag_rules
+- cfn_nag_scan
 extensions: []
 extra_rdoc_files: []
 files:
 - bin/cfn_nag
 - bin/cfn_nag_rules
-- lib/cfn_nag.rb
-- lib/custom_rule_loader.rb
-- lib/custom_rules/security_group_missing_egress.rb
-- lib/custom_rules/unencrypted_s3_put_allowed.rb
-- lib/custom_rules/user_missing_group.rb
-- lib/json_rules/basic_rules.rb
-- lib/json_rules/cfn_rules.rb
-- lib/json_rules/cidr_rules.rb
-- lib/json_rules/cloudfront_rules.rb
-- lib/json_rules/ebs_rules.rb
-- lib/json_rules/iam_policy_rules.rb
-- lib/json_rules/iam_user_rules.rb
-- lib/json_rules/lambda_rules.rb
-- lib/json_rules/loadbalancer_rules.rb
-- lib/json_rules/port_rules.rb
-- lib/json_rules/s3_bucket_rules.rb
-- lib/json_rules/sns_rules.rb
-- lib/json_rules/sqs_rules.rb
-- lib/model/action_parser.rb
-- lib/model/cfn_model.rb
-- lib/model/iam_user_parser.rb
-- lib/model/parser_registry.rb
-- lib/model/s3_bucket_policy.rb
-- lib/model/s3_bucket_policy_parser.rb
-- lib/model/security_group_parser.rb
-- lib/profile.rb
-- lib/profile_loader.rb
-- lib/result_view/json_results.rb
-- lib/result_view/rules_view.rb
-- lib/result_view/simple_stdout_results.rb
-- lib/rule.rb
-- lib/rule_registry.rb
-- lib/violation.rb
+- bin/cfn_nag_scan
+- lib/cfn-nag.rb
+- lib/cfn-nag/cfn_nag.rb
+- lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
+- lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb
+- lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
+- lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
+- lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
+- lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb
+- lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
+- lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb
+- lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb
+- lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb
+- lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb
+- lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb
+- lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb
+- lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
+- lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
+- lib/cfn-nag/custom_rules/base.rb
+- lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
+- lib/cfn-nag/profile.rb
+- lib/cfn-nag/profile_loader.rb
+- lib/cfn-nag/result_view/json_results.rb
+- lib/cfn-nag/result_view/rules_view.rb
+- lib/cfn-nag/result_view/simple_stdout_results.rb
+- lib/cfn-nag/rule_definition.rb
+- lib/cfn-nag/rule_dumper.rb
+- lib/cfn-nag/rule_registry.rb
+- lib/cfn-nag/template_discovery.rb
+- lib/cfn-nag/violation.rb
 homepage: https://github.com/stelligent/cfn_nag
 licenses:
 - MIT

data/lib/cfn_nag.rb

@@ -1,219 +0,0 @@
-require_relative 'rule'
-require_relative 'custom_rule_loader'
-require_relative 'rule_registry'
-require_relative 'profile_loader'
-require_relative 'model/cfn_model'
-require_relative 'result_view/simple_stdout_results'
-require_relative 'result_view/json_results'
-require_relative 'result_view/rules_view'
-require 'tempfile'
-
-class CfnNag
-  include Rule
-
-  def initialize(profile_definition: nil)
-    @warning_registry = []
-    @violation_registry = []
-    @rule_registry = RuleRegistry.new
-    @custom_rule_loader = CustomRuleLoader.new(@rule_registry)
-    @profile_definition = profile_definition
-  end
-
-  def dump_rules(rule_directories: [])
-    validate_extra_rule_directories(rule_directories)
-
-    dummy_cfn = <<-END
-      {
-        "Resources": {
-          "resource1": {
-            "Type" : "AWS::EC2::DHCPOptions",
-            "Properties": {
-              "DomainNameServers" : [ "10.0.0.1" ]
-            }
-          }
-        }
-      }
-    END
-
-    Tempfile.open('tempfile') do |dummy_cfn_template|
-      dummy_cfn_template.write dummy_cfn
-      dummy_cfn_template.rewind
-      audit_file(input_json_path: dummy_cfn_template.path,
-                 rule_directories: rule_directories)
-    end
-
-    profile = nil
-    unless @profile_definition.nil?
-      profile = ProfileLoader.new(@rule_registry).load(profile_definition: @profile_definition)
-    end
-
-    RulesView.new.emit(@rule_registry, profile)
-  end
-
-  def audit(input_json_path:,
-            rule_directories: [],
-            output_format:'txt')
-    validate_extra_rule_directories(rule_directories)
-
-    aggregate_results = audit_results input_json_path: input_json_path,
-                                      output_format: output_format,
-                                      rule_directories: rule_directories.flatten
-
-    aggregate_results.inject(0) { |total_failure_count, results| total_failure_count + results[:file_results][:failure_count] }
-  end
-
-  def audit_results(input_json_path:,
-                    output_format:'txt',
-                    rule_directories: [])
-
-    templates = discover_templates(input_json_path)
-
-    aggregate_results = []
-    templates.each do |template|
-      aggregate_results << {
-          filename: template,
-          file_results: audit_file(input_json_path: template,
-                                   rule_directories: rule_directories)
-      }
-    end
-
-    render_results(aggregate_results: aggregate_results,
-                   output_format: output_format)
-
-    aggregate_results
-  end
-
-  def self.configure_logging(opts)
-    logger = Logging.logger['log']
-    if opts[:debug]
-      logger.level = :debug
-    else
-      logger.level = :info
-    end
-
-    logger.add_appenders Logging.appenders.stdout
-  end
-
-  def audit_template(input_json:,
-                     rule_directories: [])
-    @stop_processing = false
-    @violations = []
-
-    unless legal_json?(input_json)
-      @violations << Violation.new(id: 'FATAL',
-                                   type: Violation::FAILING_VIOLATION,
-                                   message: 'not even legit JSON',
-                                   violating_code: input_json)
-      @stop_processing = true
-    end
-
-    generic_json_rules(input_json, rule_directories) unless @stop_processing == true
-
-    @violations += custom_rules input_json unless @stop_processing == true
-
-    @violations = filter_violations_by_profile @violations unless @stop_processing == true
-
-    {
-      failure_count: Rule::count_failures(@violations),
-      violations: @violations
-    }
-  end
-
-  private
-
-  def filter_violations_by_profile(violations)
-    profile = nil
-    unless @profile_definition.nil?
-      profile = ProfileLoader.new(@rule_registry).load(profile_definition: @profile_definition)
-    end
-
-    violations.reject do |violation|
-      not profile.nil? and not profile.execute_rule?(violation.id)
-    end
-  end
-
-  def validate_extra_rule_directories(rule_directories)
-    rule_directories.flatten.each do |rule_directory|
-      fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
-    end
-  end
-
-
-  def render_results(aggregate_results:,
-                     output_format:)
-    results_renderer(output_format).new.render(aggregate_results)
-  end
-
-  def audit_file(input_json_path:,
-                 rule_directories:)
-    audit_template(input_json: IO.read(input_json_path),
-                   rule_directories: rule_directories)
-  end
-
-  def discover_templates(input_json_path)
-    if ::File.directory? input_json_path
-      templates = find_templates_in_directory(directory: input_json_path)
-    elsif ::File.file? input_json_path
-      templates = [input_json_path.path]
-    else
-      fail "#{input_json_path} is not a proper path"
-    end
-    templates
-  end
-
-  def find_templates_in_directory(directory:,
-                                  cfn_extensions: %w(json template))
-
-    templates = []
-    cfn_extensions.each do |cfn_extension|
-      templates += Dir[File.join(directory, "**/*.#{cfn_extension}")]
-    end
-    templates
-  end
-
-  def results_renderer(output_format)
-    registry = {
-      'txt' => SimpleStdoutResults,
-      'json' => JsonResults
-    }
-    registry[output_format]
-  end
-
-  def legal_json?(input_json)
-    begin
-      JSON.parse(input_json)
-      true
-    rescue JSON::ParserError
-      return false
-    end
-  end
-
-  def command?(command)
-    not system("#{command} > /dev/null 2>&1").nil?
-  end
-
-  def generic_json_rules(input_json, rule_directories)
-    unless command? 'jq'
-      fail 'jq executable must be available in PATH'
-    end
-    rules = Dir[File.join(__dir__, 'json_rules', '*.rb')].sort
-
-    rules.each do |rule_file|
-      @input_json = input_json
-      eval IO.read(rule_file)
-    end
-
-    rule_directories.each do |rule_directory|
-      rules = Dir[File.join(rule_directory, '*.rb')].sort
-
-      rules.each do |rule_file|
-        @input_json = input_json
-        eval IO.read(rule_file)
-      end
-    end
-  end
-
-  def custom_rules(input_json)
-    @custom_rule_loader.custom_rules(input_json)
-  end
-end