cfn-nag 0.0.44 → 0.1.0

data/lib/model/s3_bucket_policy.rb

@@ -1,25 +0,0 @@
-class S3BucketPolicy
-  attr_accessor :logical_resource_id
-
-  attr_reader :statements
-
-  def initialize
-    @statements = []
-  end
-
-  def add_statement(statement_hash)
-    statements << statement_hash
-  end
-
-  def self.condition_includes?(statement, condition_hash)
-    if statement['Condition'].nil?
-      false
-    else
-      if statement['Condition'].is_a? Hash
-        statement['Condition'] == condition_hash
-      else
-        statement['Condition'].include? condition_hash
-      end
-    end
-  end
-end

data/lib/model/s3_bucket_policy_parser.rb

@@ -1,28 +0,0 @@
-require_relative 's3_bucket_policy'
-
-
-class S3BucketPolicyParser
-
-  def parse(resource_name, resource_json)
-    properties = resource_json['Properties']
-    bucket_policy = S3BucketPolicy.new
-
-    bucket_policy.logical_resource_id = resource_name
-
-    unless properties.nil?
-      policy_document = properties['PolicyDocument']
-      unless policy_document.nil?
-        unless policy_document['Statement'].nil?
-          if policy_document['Statement'].is_a? Array
-            policy_document['Statement'].each { |statement | bucket_policy.add_statement(statement)}
-          else
-            bucket_policy.add_statement(policy_document['Statement'])
-          end
-        end
-      end
-    end
-
-    bucket_policy
-  end
-end
-

data/lib/model/security_group_parser.rb

@@ -1,59 +0,0 @@
-require_relative 'cfn_model'
-
-class SecurityGroupParser
-
-  # precondition: properties are actually there... other validator takes care
-  def parse(resource_name, resource_json)
-    properties = resource_json['Properties']
-    security_group = SecurityGroup.new
-
-    parse_ingress_rules(security_group, properties)
-
-    parse_egress_rules(security_group, properties)
-
-    security_group.vpc_id = properties['VpcId']
-    security_group.group_description = properties['GroupDescription']
-    security_group.logical_resource_id = resource_name
-
-    security_group
-  end
-
-  private
-
-  def parse_ingress_rules(security_group, properties)
-    unless properties['SecurityGroupIngress'].nil?
-      if properties['SecurityGroupIngress'].is_a? Array
-        properties['SecurityGroupIngress'].each do |ingress_json|
-          security_group.add_ingress_rule ingress_json
-        end
-      elsif properties['SecurityGroupIngress'].is_a? Hash
-        security_group.add_ingress_rule properties['SecurityGroupIngress']
-      end
-    end
-  end
-
-  def parse_egress_rules(security_group, properties)
-    unless properties['SecurityGroupEgress'].nil?
-      if properties['SecurityGroupEgress'].is_a? Array
-        properties['SecurityGroupEgress'].each do |egress_json|
-          security_group.add_egress_rule egress_json
-        end
-      elsif properties['SecurityGroupEgress'].is_a? Hash
-        security_group.add_egress_rule properties['SecurityGroupEgress']
-      end
-    end
-  end
-
-end
-
-class SecurityGroupXgressParser
-
-  def parse(resource_name, resource_json)
-    xgress = {}
-    xgress['logical_resource_id'] = resource_name
-    resource_json['Properties'].each_pair do |key, value|
-      xgress[key] = value
-    end
-    xgress
-  end
-end

data/lib/rule.rb

@@ -1,208 +0,0 @@
-require 'logging'
-require_relative 'violation'
-
-module Rule
-  attr_accessor :input_json
-
-  # jq preamble to spit out Resources but as an array of key-value pairs
-  # can be used in jq rule definition but... this is probably reducing replication at the cost of opaqueness
-  def resources
-    '.Resources|with_entries(.value.LogicalResourceId = .key)[]'
-  end
-
-  # jq to filter CloudFormation resources by Type
-  # can be used in jq rule definition but... this is probably reducing replication at the cost of opaqueness
-  def resources_by_type(resource)
-    "#{resources}| select(.Type == \"#{resource}\")"
-  end
-
-  def warning(id:, jq:, message:)
-    warning_def = @rule_registry.definition(id: id,
-                                            type: Violation::WARNING,
-                                            message: message)
-
-    return if @stop_processing
-
-    Logging.logger['log'].debug jq
-
-    stdout = jq_command(@input_json, jq)
-    result = $?.exitstatus
-    scrape_jq_output_for_error(jq, stdout)
-
-    resource_ids = parse_logical_resource_ids(stdout)
-    new_warnings = resource_ids.size
-    if result == 0 and new_warnings > 0
-      add_violation(id: warning_def.id,
-                    type: Violation::WARNING,
-                    message: message,
-                    logical_resource_ids: resource_ids)
-    end
-  end
-
-  def raw_fatal_assertion(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: false,
-                 fatal: true,
-                 message: message,
-                 raw: true)
-  end
-
-  def fatal_assertion(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: false,
-                 fatal: true,
-                 message: message)
-  end
-
-  def raw_fatal_violation(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: true,
-                 fatal: true,
-                 message: message,
-                 raw: true)
-  end
-
-  def fatal_violation(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: true,
-                 fatal: true,
-                 message: message)
-  end
-
-  def violation(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: true,
-                 message: message)
-  end
-
-  def assertion(id:, jq:, message:)
-    failing_rule(id: id,
-                 jq_expression: jq,
-                 fail_if_found: false,
-                 message: message)
-  end
-
-  def self.empty?(array)
-    array.nil? or array.size ==0
-  end
-
-  def self.count_warnings(violations)
-    violations.inject(0) do |count, violation|
-      if violation.type == Violation::WARNING
-        if empty?(violation.logical_resource_ids)
-          count += 1
-        else
-          count += violation.logical_resource_ids.size
-        end
-      end
-      count
-    end
-  end
-
-  def self.count_failures(violations)
-    violations.inject(0) do |count, violation|
-      if violation.type == Violation::FAILING_VIOLATION
-        if empty?(violation.logical_resource_ids)
-          count += 1
-        else
-          count += violation.logical_resource_ids.size
-        end
-      end
-      count
-    end
-  end
-
-  # this is to record a violation as opposed to "registering" a violation
-  #
-  # not super keen on this looking at it after the fact.... @violations
-  # will have to live in the object this Rule is mixed into i.e. CfnNag
-  def add_violation(id:,
-                    type:,
-                    message:,
-                    logical_resource_ids: nil,
-                    violating_code: nil)
-    violation = Violation.new(id: id,
-                              type: type,
-                              message: message,
-                              logical_resource_ids: logical_resource_ids,
-                              violating_code: violating_code)
-    @violations << violation
-  end
-
-  private
-
-  def parse_logical_resource_ids(stdout)
-    JSON.load(stdout)
-  end
-
-  def scrape_jq_output_for_error(command, stdout)
-    fail "jq rule is likely not correct: #{command}\n\n#{stdout}" if stdout.include? 'jq: error'
-  end
-
-  # fail_if_found: this is false for an assertion, true for a violation.  either way this rule ups the "failure" count
-  #
-  # raw: don't try to parse the output in any way.  the rule is some kind of oddball so just show what matched and up
-  #      failure count by 1
-  #
-  # fatal: if true, any match of the rule causes immediate shutdown to avoid more complicated downstream error checking
-  def failing_rule(id:,
-                   jq_expression:,
-                   fail_if_found:,
-                   message:,
-                   fatal: false,
-                   raw: false)
-
-    fail_def =  @rule_registry.definition(id: id,
-                                          type: Violation::FAILING_VIOLATION,
-                                          message: message)
-
-    return if @stop_processing
-
-    Logging.logger['log'].debug jq_expression
-
-    stdout = jq_command(@input_json, jq_expression)
-    result = $?.exitstatus
-    scrape_jq_output_for_error(jq_expression, stdout)
-    if (fail_if_found and result == 0) or
-       (not fail_if_found and result != 0)
-
-      if raw
-        add_violation(id: fail_def.id,
-                      type: Violation::FAILING_VIOLATION,
-                      message: message,
-                      violating_code: stdout)
-
-        if fatal
-          @stop_processing = true
-        end
-      else
-        resource_ids = parse_logical_resource_ids(stdout)
-
-        if resource_ids.size > 0
-          add_violation(id: fail_def.id,
-                        type: Violation::FAILING_VIOLATION,
-                        message: message,
-                        logical_resource_ids: resource_ids)
-
-          if fatal
-            @stop_processing = true
-          end
-        end
-      end
-    end
-  end
-
-  # the -e will return an exit code
-  def jq_command(input_json, jq_expression)
-    IO.popen(['jq', jq_expression, '-e'], 'r+', {:err=>[:child, :out]}) do |pipe|
-      pipe << input_json
-      pipe.close_write
-      pipe.readlines.join
-    end
-  end
-end

data/lib/rule_registry.rb

@@ -1,45 +0,0 @@
-require_relative 'violation'
-
-class RuleRegistry
-
-  attr_reader :rules
-
-  def initialize
-    @rules = []
-  end
-
-  def definition(id:,
-                 type:,
-                 message:)
-    violation_def = Violation.new(id: id,
-                                  type: type,
-                                  message: message)
-    existing_def = @rules.find { |definition| definition == violation_def }
-
-    if existing_def.nil?
-      add_rule violation_def
-    else
-      existing_def
-    end
-  end
-
-  # FATAL applies to multiple rules
-  def by_id(id)
-    @rules.select { |rule| rule.id == id }
-  end
-
-  def warnings
-    @rules.select { |rule| rule.type == Violation::WARNING }
-  end
-
-  def failings
-    @rules.select { |rule| rule.type == Violation::FAILING_VIOLATION }
-  end
-
-  private
-
-  def add_rule(violation_def)
-    @rules << violation_def
-    violation_def
-  end
-end

data/lib/violation.rb

@@ -1,41 +0,0 @@
-require 'json'
-
-class Violation
-  WARNING = 'WARN'
-  FAILING_VIOLATION = 'FAIL'
-
-  attr_reader :id, :type, :message, :logical_resource_ids, :violating_code
-
-  def initialize(id:,
-                 type:,
-                 message:,
-                 logical_resource_ids: nil,
-                 violating_code: nil)
-    @id = id
-    @type = type
-    @message = message
-    @logical_resource_ids = logical_resource_ids
-    @violating_code = violating_code
-
-    fail if @type.nil?
-    fail if @message.nil?
-  end
-
-  def to_s
-    puts "#{@id} #{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
-  end
-
-  def to_h
-    {
-      id: @id,
-      type: @type,
-      message: @message,
-      logical_resource_ids: @logical_resource_ids,
-      violating_code: @violating_code
-    }
-  end
-
-  def ==(other_violation)
-    other_violation.class == self.class && other_violation.to_h == to_h
-  end
-end