cfn-nag 0.3.22 → 0.3.23

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 268084f6ab092c47a31679530e79f8f45edcf18f
-  data.tar.gz: 38d0c66ec02ff5c990a5dddeda13ab7a87af9bb0
+  metadata.gz: 6dbc83f4e332ec0dc78d062c7cb61de979a9ab0a
+  data.tar.gz: a7b949b88a2d4d89ae1fb89de204cfb04ba56a27
 SHA512:
-  metadata.gz: f24b0b3a8bd1b8b0f6116ddf5cdb1764ec5655f81111ff76858bd0fe2512e32f68221ab651f6e4082d0daf15940f297bac8f47f1f615cdd6719175d55e8543e5
-  data.tar.gz: 71716b9f5be85c99a8c24e50006ccc115e278da43c246709258ce646bfc06eb616ae64e17e9a6d59aa8ff7aed322b782501084e73dce6773881bb597a1a0cc8f
+  metadata.gz: 264209cc00d7fac44802652981ed5815643c67a46da322a7617a45a03be6dc079e44ba87515bf95f1544abf07eb4c366b4755ffeb2859e519d643caeee231065
+  data.tar.gz: b33e31569da12196a3be074b83c83744e0a0527ed050580532ca83fb6f74882ed0ad240f7630965c3aeace8b52a4cb1d378d9ae385566395d44d67a05d581dde

data/bin/cfn_nag

@@ -14,6 +14,7 @@ opts = Trollop::options do
   opt :print_suppression, 'Emit suppressions to stderr', type: :boolean, required: false, default: false
   opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
   opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
+  opt :parameter_values_path, 'Path to a JSON file to pull Parameter values from', type: :io, required: false, default: nil
   opt :isolate_custom_rule_exceptions, 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging', type: :boolean, required: false, default: false
 end
 
@@ -24,6 +25,11 @@ unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
+parameter_values_string = nil
+unless opts[:parameter_values_path].nil?
+  parameter_values_string = IO.read(opts[:parameter_values_path])
+end
+
 cfn_nag = CfnNag.new(profile_definition: profile_definition,
                      rule_directory: opts[:rule_directory],
                      allow_suppression: opts[:allow_suppression],
@@ -33,7 +39,7 @@ cfn_nag = CfnNag.new(profile_definition: profile_definition,
 # trollop appears to pop args off of ARGV
 # ARGF concatenates which we don't want
 if ARGV.size == 0
-  results = cfn_nag.audit(cloudformation_string: STDIN.read)
+  results = cfn_nag.audit(cloudformation_string: STDIN.read, parameter_values_string: parameter_values_string)
 
   results[:violations] = results[:violations].map { |violation| violation.to_h }
   puts JSON.pretty_generate(results)
@@ -41,7 +47,7 @@ if ARGV.size == 0
 else
   total_failure_count = 0
   ARGV.each do |file_name|
-    results = cfn_nag.audit(cloudformation_string: IO.read(file_name))
+    results = cfn_nag.audit(cloudformation_string: IO.read(file_name), parameter_values_string: parameter_values_string)
 
     total_failure_count += results[:failure_count]
     results[:violations] = results[:violations].map { |violation| violation.to_h }

data/bin/cfn_nag_scan

@@ -13,6 +13,7 @@ opts = Trollop::options do
   opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
   opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
   opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
+  opt :parameter_values_path, 'Path to a JSON file to pull Parameter values from', type: :io, required: false, default: nil
   opt :allow_suppression, 'Allow using Metadata to suppress violations', type: :boolean, required: false, default: true
   opt :print_suppression, 'Emit suppressions to stderr', type: :boolean, required: false, default: false
   opt :isolate_custom_rule_exceptions, 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging', type: :boolean, required: false, default: false
@@ -35,4 +36,5 @@ cfn_nag = CfnNag.new(profile_definition: profile_definition,
                      isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions])
 
 exit cfn_nag.audit_aggregate_across_files_and_render_results(input_path: opts[:input_path],
-                                                             output_format: opts[:output_format])
+                                                             output_format: opts[:output_format],
+                                                             parameter_values_path: opts[:parameter_values_path])

data/lib/cfn-nag/cfn_nag.rb

@@ -27,8 +27,9 @@ class CfnNag
   # Return an aggregate failure count (for exit code usage)
   #
   def audit_aggregate_across_files_and_render_results(input_path:,
-                                                      output_format:'txt')
-    aggregate_results = audit_aggregate_across_files input_path: input_path
+                                                      output_format:'txt',
+                                                      parameter_values_path: nil)
+    aggregate_results = audit_aggregate_across_files input_path: input_path, parameter_values_path: parameter_values_path
 
     render_results(aggregate_results: aggregate_results,
                    output_format: output_format)
@@ -41,13 +42,15 @@ class CfnNag
   ##
   # Given a file or directory path, return aggregate results
   #
-  def audit_aggregate_across_files(input_path:)
+  def audit_aggregate_across_files(input_path:, parameter_values_path: nil)
+    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
     templates = TemplateDiscovery.new.discover_templates(input_path)
     aggregate_results = []
     templates.each do |template|
       aggregate_results << {
         filename: template,
-        file_results: audit(cloudformation_string: IO.read(template))
+        file_results: audit(cloudformation_string: IO.read(template),
+                            parameter_values_string: parameter_values_string)
       }
     end
     aggregate_results
@@ -56,14 +59,16 @@ class CfnNag
   ##
   # Given cloudformation json/yml, run all the rules against it
   #
+  # Optionally include JSON with Parameters key to substitute into cfn_model.parameters
+  #
   # Return a hash with failure count
   #
-  def audit(cloudformation_string:)
+  def audit(cloudformation_string:, parameter_values_string: nil)
     stop_processing = false
     violations = []
 
     begin
-      cfn_model = CfnParser.new.parse cloudformation_string
+      cfn_model = CfnParser.new.parse cloudformation_string, parameter_values_string
     rescue Psych::SyntaxError, ParserError => parser_error
       violations << Violation.new(id: 'FATAL',
                                   type: Violation::FAILING_VIOLATION,

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb

@@ -0,0 +1,61 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class RDSInstanceMasterUserPasswordRule < BaseRule
+
+  def rule_text
+    'RDS instance master user password must be Ref to NoEcho Parameter'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F23'
+  end
+
+  # one word of warning... if somebody applies parameter values via JSON.... this will compare that....
+  # probably shouldn't be doing that though - if it's NoEcho there's a good reason
+  # bother checking synthesized_value? that would be the indicator.....
+  def audit_impl(cfn_model)
+    violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance').select do |instance|
+      if instance.masterUserPassword.nil?
+        false
+      else
+        !references_no_echo_parameter_without_default?(cfn_model, instance.masterUserPassword)
+      end
+    end
+
+     violating_rdsinstances.map { |instance| instance.logical_resource_id }
+  end
+
+  private
+
+  def to_boolean(string)
+    if string.to_s.downcase == 'true'
+      true
+    else
+      false
+    end
+  end
+
+  def references_no_echo_parameter_without_default?(cfn_model, master_user_password)
+    # i feel like i've written this mess somewhere before
+    if master_user_password.is_a? Hash
+      if master_user_password.has_key? 'Ref'
+        if cfn_model.parameters.has_key? master_user_password['Ref']
+          parameter = cfn_model.parameters[master_user_password['Ref']]
+
+          return to_boolean(parameter.noEcho) && parameter.default.nil?
+        else
+          return false
+        end
+      else
+        return false
+      end
+    end
+    # String or anything weird will fall through here
+    false
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.22
+  version: 0.3.23
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-03-15 00:00:00.000000000 Z
+date: 2018-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.1.19
+        version: 0.1.20
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.1.19
+        version: 0.1.20
 - !ruby/object:Gem::Dependency
   name: jmespath
   requirement: !ruby/object:Gem::Requirement
@@ -118,6 +118,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
+- lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb