RubyGems - cfn-nag - Versions diffs - 0.3.26 → 0.3.29 - Mend

cfn-nag 0.3.26 → 0.3.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (69) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b24fe153fb47cce98057d6ce79ace2a1b528da17
-  data.tar.gz: 357c15bf8b3338990769dc3226006080a58b1f81
+  metadata.gz: 7144cb5b2b3d13133235f4005a1fac1de6451b5a
+  data.tar.gz: fa086c99e462871db43246722da212b7125a7128
 SHA512:
-  metadata.gz: 9de7afb6202d1405f8ae58f82f7039a35a0e19dd908f2b9ae2acd2389f9575c78627ac039d7d7af9e1d84f8c436ddd9cc1b43e71a82ab930f13cc3bdbd0db87d
-  data.tar.gz: b39d542c0c04000cf09ee42e7f754c70d14ea2214ae3f4e5d155dc6b580fbb5d2f3865564c9f7e95767ebe1f0136add30f7c745d9b4d8d2e88fd08291cb5a096
+  metadata.gz: 9d4c65a97de5b446e6d40a420feb53abcc24d8816466797e9c26ae38f23c8f640e24bcf35a18aa624e1cd6db687d81a92aa049399ea9f093724e749584989fcf
+  data.tar.gz: be5f36b7874684b163ff7f97f588aa514c2be9e0ce5d86e5155c7df5805f647e802cad07b2cc88f0c42402cb757d7e8568a973b50bbf02a47086869e28409ef3

data/bin/cfn_nag_rules CHANGED Viewed

@@ -3,11 +3,15 @@ require 'trollop'
 require 'cfn-nag'
 require 'rubygems/specification'
-opts = Trollop::options do
+opts = Trollop.options do
   version Gem::Specification.find_by_name('cfn-nag').version
-  opt :rule_directory, 'Extra rule directories', type: :io, required: false, default: nil
-  opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
+  opt :rule_directory, 'Extra rule directories', type: :io,
+                                                 required: false,
+                                                 default: nil
+  opt :profile_path, 'Path to a profile file', type: :io,
+                                               required: false,
+                                               default: nil
 end
 profile_definition = nil

data/bin/cfn_nag_scan CHANGED Viewed

@@ -5,24 +5,39 @@ require 'logging'
 require 'json'
 require 'rubygems/specification'
-opts = Trollop::options do
+opts = Trollop.options do
   version Gem::Specification.find_by_name('cfn-nag').version
-  opt :input_path, 'CloudFormation template to nag on or directory of templates - all *.json, *.yaml, *.yml and *.template recursively', type: :io, required: true
-  opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
-  opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
-  opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
-  opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
-  opt :parameter_values_path, 'Path to a JSON file to pull Parameter values from', type: :io, required: false, default: nil
-  opt :allow_suppression, 'Allow using Metadata to suppress violations', type: :boolean, required: false, default: true
-  opt :print_suppression, 'Emit suppressions to stderr', type: :boolean, required: false, default: false
-  opt :isolate_custom_rule_exceptions, 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging', type: :boolean, required: false, default: false
+  opt :input_path, 'CloudFormation template to nag on or directory of ' \
+                   'templates - all *.json, *.yaml, *.yml and *.template ' \
+                   'recursively', type: :io, required: true
+  opt :output_format, 'Format of results: [txt, json]',
+      type: :string, default: 'txt'
+  opt :debug, 'Enable debug output',
+      type: :boolean, required: false, default: false
+  opt :rule_directory, 'Extra rule directory',
+      type: :io, required: false, default: nil
+  opt :profile_path, 'Path to a profile file',
+      type: :io, required: false, default: nil
+  opt :parameter_values_path,
+      'Path to a JSON file to pull Parameter values from',
+      type: :io, required: false, default: nil
+  opt :allow_suppression, 'Allow using Metadata to suppress violations',
+      type: :boolean, required: false, default: true
+  opt :print_suppression, 'Emit suppressions to stderr',
+      type: :boolean, required: false, default: false
+  opt :isolate_custom_rule_exceptions,
+      'Isolate custom rule exceptions - just emit the exception without ' \
+      'stack trace and keep chugging',
+      type: :boolean, required: false, default: false
 end
-Trollop::die(:output_format,
-             'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
+unless %w[txt json].include?(opts[:output_format])
+  Trollop.die(:output_format,
+              'Must be txt or json')
+end
-CfnNag::configure_logging(opts)
+CfnNag.configure_logging(opts)
 profile_definition = nil
 unless opts[:profile_path].nil?
@@ -33,8 +48,10 @@ cfn_nag = CfnNag.new(profile_definition: profile_definition,
                      rule_directory: opts[:rule_directory],
                      allow_suppression: opts[:allow_suppression],
                      print_suppression: opts[:print_suppression],
-                     isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions])
+                     isolate_custom_rule_exceptions:
+                     opts[:isolate_custom_rule_exceptions])
-exit cfn_nag.audit_aggregate_across_files_and_render_results(input_path: opts[:input_path],
-                                                             output_format: opts[:output_format],
-                                                             parameter_values_path: opts[:parameter_values_path])
+exit cfn_nag.audit_aggregate_across_files_and_render_results(
+  input_path: opts[:input_path], output_format: opts[:output_format],
+  parameter_values_path: opts[:parameter_values_path]
+)

data/lib/cfn-nag.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# rubocop:disable Naming/FileName
 require 'cfn-nag/cfn_nag'
 require 'cfn-nag/violation'
-require 'cfn-nag/rule_dumper'
+require 'cfn-nag/rule_dumper'
+# rubocop:enable Naming/FileName

data/lib/cfn-nag/cfn_nag.rb CHANGED Viewed

@@ -27,7 +27,7 @@ class CfnNag
   # Return an aggregate failure count (for exit code usage)
   #
   def audit_aggregate_across_files_and_render_results(input_path:,
-                                                      output_format:'txt',
+                                                      output_format: 'txt',
                                                       parameter_values_path: nil)
     aggregate_results = audit_aggregate_across_files input_path: input_path, parameter_values_path: parameter_values_path
@@ -74,7 +74,6 @@ class CfnNag
                                   type: Violation::FAILING_VIOLATION,
                                   message: parser_error.to_s)
       stop_processing = true
     end
     violations += @custom_rule_loader.execute_custom_rules(cfn_model) unless stop_processing == true
@@ -89,11 +88,11 @@ class CfnNag
   def self.configure_logging(opts)
     logger = Logging.logger['log']
-    if opts[:debug]
-      logger.level = :debug
-    else
-      logger.level = :info
-    end
+    logger.level = if opts[:debug]
+                     :debug
+                   else
+                     :info
+                   end
     logger.add_appenders Logging.appenders.stdout
   end

data/lib/cfn-nag/custom_rule_loader.rb CHANGED Viewed

@@ -40,7 +40,6 @@ class CustomRuleLoader
     rule_registry
   end
   def execute_custom_rules(cfn_model)
     Logging.logger['log'].debug "cfn_model: #{cfn_model}"
@@ -69,7 +68,7 @@ class CustomRuleLoader
       evaluator.instance_eval do
         eval IO.read jmespath_file
       end
-      violations +=  evaluator.violations
+      violations += evaluator.violations
     end
     violations
   end
@@ -138,7 +137,7 @@ class CustomRuleLoader
   def validate_extra_rule_directory(rule_directory)
     unless rule_directory.nil?
-      fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
+      raise "Not a real directory #{rule_directory}" unless File.directory? rule_directory
     end
   end
@@ -177,4 +176,4 @@ class CustomRuleLoader
     Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
     rule_filenames
   end
-end
+end

data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb CHANGED Viewed

@@ -18,9 +18,8 @@ class CloudFormationAuthenticationRule < BaseRule
     logical_resource_ids = []
     cfn_model.raw_model['Resources'].each do |resource_name, resource|
       unless resource['Metadata'].nil?
-        if !resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
-          logical_resource_ids << resource_name
-        end
+        next if resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
+        logical_resource_ids << resource_name
       end
     end
     logical_resource_ids

data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class CloudFrontDistributionAccessLoggingRule < BaseRule
       distribution.distributionConfig['Logging'].nil?
     end
-    violating_distributions.map { |distribution| distribution.logical_resource_id }
+    violating_distributions.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class EbsVolumeHasSseRule < BaseRule
       volume.encrypted.nil? || volume.encrypted.to_s.downcase == 'false'
     end
-    violating_volumes.map { |violating_user| violating_user.logical_resource_id }
+    violating_volumes.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class ElasticLoadBalancerAccessLoggingRule < BaseRule
       elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
     end
-    violating_elbs.map { |violating_user| violating_user.logical_resource_id }
+    violating_elbs.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyNotActionRule < BaseRule
   def rule_text
     'IAM managed policy should not allow Allow+NotAction'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyNotActionRule < BaseRule
       !policy.policy_document.allows_not_action.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyNotResourceRule < BaseRule
   def rule_text
     'IAM managed policy should not allow Allow+NotResource'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyNotResourceRule < BaseRule
       !policy.policy_document.allows_not_resource.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyWildcardActionRule < BaseRule
   def rule_text
     'IAM managed policy should not allow * action'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardActionRule < BaseRule
       !policy.policy_document.wildcard_allowed_actions.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyWildcardResourceRule < BaseRule
   def rule_text
     'IAM managed policy should not allow * resource'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
       !policy.policy_document.wildcard_allowed_resources.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyNotActionRule < BaseRule
   def rule_text
     'IAM policy should not allow Allow+NotAction'
   end
@@ -20,6 +19,6 @@ class IamPolicyNotActionRule < BaseRule
       !policy.policy_document.allows_not_action.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyNotResourceRule < BaseRule
   def rule_text
     'IAM policy should not allow Allow+NotResource'
   end
@@ -20,6 +19,6 @@ class IamPolicyNotResourceRule < BaseRule
       !policy.policy_document.allows_not_resource.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyWildcardActionRule < BaseRule
   def rule_text
     'IAM policy should not allow * action'
   end
@@ -20,6 +19,6 @@ class IamPolicyWildcardActionRule < BaseRule
       !policy.policy_document.wildcard_allowed_actions.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyWildcardResourceRule < BaseRule
   def rule_text
     'IAM policy should not allow * resource'
   end
@@ -20,6 +19,6 @@ class IamPolicyWildcardResourceRule < BaseRule
       !policy.policy_document.wildcard_allowed_resources.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotAction'
   end
@@ -23,6 +22,6 @@ class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotActionOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotAction on trust permissions'
   end
@@ -20,6 +19,6 @@ class IamRoleNotActionOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.allows_not_action.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotPrincipal in its trust policy'
   end
@@ -20,6 +19,6 @@ class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.allows_not_principal.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotResource'
   end
@@ -23,6 +22,6 @@ class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow * action on its permissions policy'
   end
@@ -23,6 +22,6 @@ class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow * action on its trust policy'
   end
@@ -20,8 +19,6 @@ class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.wildcard_allowed_actions.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id}
+    violating_roles.map(&:logical_resource_id)
   end
 end