cfn-nag 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f93ef6134730e9cc39c51ef51cb79a77b578ccf7
-  data.tar.gz: afafe1a96594ffec2b1e864112b334ba4789d280
+  metadata.gz: 7833544e3b4320a57b9f59b63ca2d0d84cf1edce
+  data.tar.gz: 4c62a7a3ebd450650943cf9133c77b2567d8a91c
 SHA512:
-  metadata.gz: c4ac8b4947e706f03392110ce40cc15e1158dd8f275a18ef72feae49816e9fe8748a812dbf0fbe90a52b3b63022a6ef202b88b9d94ec3f2217bc9c8a7b62b732
-  data.tar.gz: c7b7ddebc99d3b635b999e0e2011ee91a3fb351f21021d6ca10160c0fb7568fca6ed29a79961de22698dc578b4343bfacc6f5b4891a3b0fee012b7910f5a320c
+  metadata.gz: a21b9bdb4501e68f750fa6749a10d203f54c552312fd80cc011eec1d05cb31cc61a6551cfacdbd8c73c8b4ab03322f8268685adf4f16fb9d2c56ebad8515a26a
+  data.tar.gz: 47ed2d380831246c3d08159c8db668f6d1613eaa9e4563558dd8a342519b13ffd2f551bc1888e88778f6f642487d720ff01607ff706dea95cf2c02c796cd6ac9

data/bin/cfn_nag

@@ -5,8 +5,13 @@ require 'logging'
 
 opts = Trollop::options do
   opt :input_json, 'Cloudformation template to nag on', type: :string, required: true
+  opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
   opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
 end
 
+Trollop::die(:output_format,
+             'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
+
 CfnNag::configure_logging(opts)
-exit CfnNag.new.audit(opts[:input_json])
+exit CfnNag.new.audit(input_json_path: opts[:input_json],
+                      output_format: opts[:output_format])

data/lib/cfn_nag.rb

@@ -2,23 +2,25 @@ require_relative 'rule'
 require_relative 'custom_rules/security_group_missing_egress'
 require_relative 'custom_rules/user_missing_group'
 require_relative 'model/cfn_model'
+require_relative 'result_view/simple_stdout_results'
+require_relative 'result_view/json_results'
 
 class CfnNag
   include Rule
 
-  def audit(input_json_path)
+  def audit(input_json_path:,
+            output_format:'txt')
     fail 'not even legit JSON' unless legal_json?(input_json_path)
 
-    @violation_count = 0
-    @warning_count = 0
+    @violations = []
 
     generic_json_rules input_json_path
 
     custom_rules input_json_path
 
-    puts "Violations count: #{@violation_count}"
-    puts "Warnings count: #{@warning_count}"
-    @violation_count
+    results_renderer(output_format).new.render(@violations)
+
+    Rule::count_failures(@violations)
   end
 
   def self.configure_logging(opts)
@@ -34,6 +36,14 @@ class CfnNag
 
   private
 
+  def results_renderer(output_format)
+    registry = {
+      'txt' => SimpleStdoutResults,
+      'json' => JsonResults
+    }
+    registry[output_format]
+  end
+
   def legal_json?(input_json_path)
     begin
       JSON.parse(IO.read(input_json_path))
@@ -65,7 +75,8 @@ class CfnNag
       UserMissingGroupRule
     ]
     rules.each do |rule_class|
-      @violation_count += rule_class.new.audit(cfn_model)
+      audit_result = rule_class.new.audit(cfn_model)
+      @violations << audit_result unless audit_result.nil?
     end
   end
 end

data/lib/custom_rules/security_group_missing_egress.rb

@@ -1,26 +1,21 @@
-require_relative '../rule'
+require_relative '../violation'
 
 class SecurityGroupMissingEgressRule
-  include Rule
 
   def audit(cfn_model)
-    violation_count = 0
-
     logical_resource_ids = []
-    violating_security_groups = []
     cfn_model.security_groups.each do |security_group|
       if security_group.egress_rules.size == 0
         logical_resource_ids << security_group.logical_resource_id
-        violating_security_groups << security_group
-        violation_count += 1
       end
     end
 
-    if violation_count > 0
-      message message_type: 'violation',
-              message: 'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
-              logical_resource_ids: logical_resource_ids
+    if logical_resource_ids.size > 0
+      Violation.new(type: Violation::FAILING_VIOLATION,
+                    message: 'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
+                    logical_resource_ids: logical_resource_ids)
+    else
+      nil
     end
-    violation_count
   end
 end

data/lib/custom_rules/user_missing_group.rb

@@ -1,26 +1,21 @@
-require_relative '../rule'
+require_relative '../violation'
 
 class UserMissingGroupRule
-  include Rule
 
   def audit(cfn_model)
-    violation_count = 0
-
     logical_resource_ids = []
-    violating_iam_users = []
     cfn_model.iam_users.each do |iam_user|
       if iam_user.groups.size == 0
         logical_resource_ids << iam_user.logical_resource_id
-        violating_iam_users << iam_user
-        violation_count += 1
       end
     end
 
-    if violation_count > 0
-      message message_type: 'violation',
-              message: 'User is not assigned to a group',
-              logical_resource_ids: logical_resource_ids
+    if logical_resource_ids.size > 0
+      Violation.new(type: Violation::FAILING_VIOLATION,
+                    message: 'User is not assigned to a group',
+                    logical_resource_ids: logical_resource_ids)
+    else
+      nil
     end
-    violation_count
   end
 end

data/lib/result_view/json_results.rb

@@ -0,0 +1,15 @@
+require 'json'
+class JsonResults
+
+  def render(violations)
+    violations_hashes = violations.map do |violation|
+      {
+        type: violation.type,
+        message: violation.message,
+        logical_resource_ids: violation.logical_resource_ids,
+        violating_code: violation.violating_code
+      }
+    end
+    puts JSON.pretty_generate(violations_hashes)
+  end
+end

data/lib/result_view/simple_stdout_results.rb

@@ -0,0 +1,45 @@
+require 'rule'
+
+class SimpleStdoutResults
+
+  def render(violations)
+    violations.each do |violation|
+      message message_type: violation.type,
+              message: violation.message,
+              logical_resource_ids: violation.logical_resource_ids,
+              violating_code: violation.violating_code
+    end
+
+    puts "Violations count: #{Rule::count_warnings(violations)}"
+    puts "Warnings count: #{Rule::count_failures(violations)}"
+  end
+
+  private
+
+  def message(message_type:,
+              message:,
+              logical_resource_ids: nil,
+              violating_code: nil)
+
+    if logical_resource_ids == []
+      logical_resource_ids = nil
+    end
+
+    (1..60).each { print '-' }
+    puts
+    puts "| #{message_type.upcase}"
+    puts '|'
+    puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
+    puts '|' unless logical_resource_ids.nil?
+    puts "| #{message}"
+
+    unless violating_code.nil?
+      puts '|'
+      puts indent_multiline_string_with_prefix('|', violating_code.to_s)
+    end
+  end
+
+  def indent_multiline_string_with_prefix(prefix, multiline_string)
+    prefix + ' ' + multiline_string.gsub(/\n/, "\n#{prefix} ")
+  end
+end

data/lib/rule.rb

@@ -1,12 +1,17 @@
 require 'logging'
+require_relative 'violation'
 
 module Rule
-  attr_accessor :input_json_path, :failure_count
+  attr_accessor :input_json_path
 
+  # jq preamble to spit out Resources but as an array of key-value pairs
+  # can be used in jq rule definition but... this is probably reducing replication at the cost of opaqueness
   def resources
     '.Resources|with_entries(.value.LogicalResourceId = .key)[]'
   end
 
+  # jq to filter Cloudformation resources by Type
+  # can be used in jq rule definition but... this is probably reducing replication at the cost of opaqueness
   def resources_by_type(resource)
     "#{resources}| select(.Type == \"#{resource}\")"
   end
@@ -21,12 +26,9 @@ module Rule
     resource_ids = parse_logical_resource_ids(stdout)
     new_warnings = resource_ids.size
     if result == 0 and new_warnings > 0
-      @warning_count ||= 0
-      @warning_count += new_warnings
-
-      message(message_type: 'warning',
-              message: message,
-              logical_resource_ids: resource_ids)
+      add_violation(type: Violation::WARNING,
+                    message: message,
+                    logical_resource_ids: resource_ids)
     end
   end
 
@@ -35,7 +37,7 @@ module Rule
                  fail_if_found: false,
                  fatal: true,
                  message: message,
-                 message_type: 'fatal assertion',
+                 message_type: Violation::FATAL_VIOLATION,
                  raw: true)
   end
 
@@ -44,7 +46,7 @@ module Rule
                  fail_if_found: false,
                  fatal: true,
                  message: message,
-                 message_type: 'fatal assertion')
+                 message_type: Violation::FATAL_VIOLATION)
   end
 
   def raw_fatal_violation(jq:, message:)
@@ -52,7 +54,7 @@ module Rule
                  fail_if_found: true,
                  fatal: true,
                  message: message,
-                 message_type: 'fatal violation',
+                 message_type: Violation::FATAL_VIOLATION,
                  raw: true)
   end
 
@@ -61,46 +63,64 @@ module Rule
                  fail_if_found: true,
                  fatal: true,
                  message: message,
-                 message_type: 'fatal violation')
+                 message_type: Violation::FATAL_VIOLATION)
   end
 
   def violation(jq:, message:)
     failing_rule(jq_expression: jq,
                  fail_if_found: true,
                  message: message,
-                 message_type: 'violation')
+                 message_type: Violation::FAILING_VIOLATION)
   end
 
   def assertion(jq:, message:)
     failing_rule(jq_expression: jq,
                  fail_if_found: false,
                  message: message,
-                 message_type: 'assertion')
+                 message_type: Violation::FAILING_VIOLATION)
   end
 
-  def message(message_type:,
-              message:,
-              logical_resource_ids: nil,
-              violating_code: nil)
+  def self.empty?(array)
+    array.nil? or array.size ==0
+  end
 
-    if logical_resource_ids == []
-      logical_resource_ids = nil
+  def self.count_warnings(violations)
+    violations.inject(0) do |count, violation|
+      if violation.type == Violation::WARNING
+        if empty?(violation.logical_resource_ids)
+          count += 1
+        else
+          count += violation.logical_resource_ids.size
+        end
+      end
+      count
     end
+  end
 
-    (1..60).each { print '-' }
-    puts
-    puts "| #{message_type.upcase}"
-    puts '|'
-    puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
-    puts '|' unless logical_resource_ids.nil?
-    puts "| #{message}"
-
-    unless violating_code.nil?
-      puts '|'
-      puts indent_multiline_string_with_prefix('|', violating_code.to_s)
+  def self.count_failures(violations)
+    violations.inject(0) do |count, violation|
+      if violation.type == Violation::FAILING_VIOLATION
+        if empty?(violation.logical_resource_ids)
+          count += 1
+        else
+          count += violation.logical_resource_ids.size
+        end
+      end
+      count
     end
   end
 
+  def add_violation(type:,
+                    message:,
+                    logical_resource_ids: nil,
+                    violating_code: nil)
+    violation = Violation.new(type: type,
+                              message: message,
+                              logical_resource_ids: logical_resource_ids,
+                              violating_code: violating_code)
+    @violations << violation
+  end
+
   private
 
   def parse_logical_resource_ids(stdout)
@@ -111,10 +131,12 @@ module Rule
     fail 'json rule is likely not complete' if stdout.match /jq: error/
   end
 
-  def indent_multiline_string_with_prefix(prefix, multiline_string)
-    prefix + ' ' + multiline_string.gsub(/\n/, "\n#{prefix} ")
-  end
-
+  # fail_if_found: this is false for an assertion, true for a violation.  either way this rule ups the "failure" count
+  #
+  # raw: don't try to parse the output in any way.  the rule is some kind of oddball so just show what matched and up
+  #      failure count by 1
+  #
+  # fatal: if true, any match of the rule causes immediate shutdown to avoid more complicated downstream error checking
   def failing_rule(jq_expression:,
                    fail_if_found:,
                    message:,
@@ -128,26 +150,22 @@ module Rule
     scrape_jq_output_for_error(stdout)
     if (fail_if_found and result == 0) or
        (not fail_if_found and result != 0)
-      @violation_count ||= 0
 
       if raw
-        @violation_count += 1
-
-        message(message_type: message_type,
-                message: message,
-                violating_code: stdout)
+        add_violation(type: message_type,
+                      message: message,
+                      violating_code: stdout)
 
         if fatal
           exit 1
         end
       else
         resource_ids = parse_logical_resource_ids(stdout)
-        @violation_count += resource_ids.size
 
         if resource_ids.size > 0
-          message(message_type: message_type,
-                  message: message,
-                  logical_resource_ids: resource_ids)
+          add_violation(type: message_type,
+                        message: message,
+                        logical_resource_ids: resource_ids)
 
           if fatal
             exit 1
@@ -157,6 +175,7 @@ module Rule
     end
   end
 
+  # the -e will return an exit code
   def jq_command(input_json_path, jq_expression)
     command = "cat #{input_json_path} | jq '#{jq_expression}' -e"
 

data/lib/violation.rb

@@ -0,0 +1,22 @@
+
+class Violation
+  WARNING = 'warning'
+  FATAL_VIOLATION = 'fatal violation'
+  FAILING_VIOLATION = 'failing violation'
+
+  attr_reader :type, :message, :logical_resource_ids, :violating_code
+
+  def initialize(type:,
+                 message:,
+                 logical_resource_ids: nil,
+                 violating_code: nil)
+    @type = type
+    @message = message
+    @logical_resource_ids = logical_resource_ids
+    @violating_code = violating_code
+  end
+
+  def to_s
+    puts "#{@type} #{@message} #{@logical_resource_ids} #{@violating_code}"
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - someguy
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-24 00:00:00.000000000 Z
+date: 2016-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -57,7 +57,10 @@ files:
 - lib/model/cfn_model.rb
 - lib/model/iam_user_parser.rb
 - lib/model/security_group_parser.rb
+- lib/result_view/json_results.rb
+- lib/result_view/simple_stdout_results.rb
 - lib/rule.rb
+- lib/violation.rb
 homepage: 
 licenses: []
 metadata: {}