RubyGems - cfn-nag - Versions diffs - 0.5.61 → 0.6.4 - Mend

cfn-nag 0.5.61 → 0.6.4

Files changed (54) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9730b5f935f661789abf3aa45239a0f7715c35c95842644aeec25f98a7c3c6ce
-  data.tar.gz: 4a2f9453cc6d9074f4e3ea19b78514fddcd5fc5d8d9269babe8187bebd549482
+  metadata.gz: fb0243f0a2f327d0408fe6524596d7bf9a0ce8214fb217e869a785983dc30b88
+  data.tar.gz: e9bc6213a3beb72d785abb9e58908460771d36b2127d72d0dde421c4c22b5daa
 SHA512:
-  metadata.gz: 6dc61c128936866f2e0bf34e7e442e4a71366fa0f9b9c41fe972142aafffd51f7155e3aec488b5742ae5b019b484245a1fa7c6555979de3b709e68ab30081553
-  data.tar.gz: 54431e5bc771b2ca296dfb94ddcb1202da16d7ced5f1c88c28a00bd2d9d7f3b36600edb6449f210244d6c55a22addfa6a293a6a0dc9ad2c5318eb047d74e03e1
+  metadata.gz: 99a21920685b6a2a6762060c18d7aeef9881a2527e78324f949582a03b4003adba0713c5421a2bd2040e94c78cb969b1230cd6cbf1e624b7e3056050385011c2
+  data.tar.gz: 3ffb6ec0595927f615efa3e653083fc9efa4bd60db1a20f48591205a06c20ebc07efcf7e6c8330aef0eaee9508cadae34becbbf73c8b3d4ffab25d7491579cba

data/bin/spcm_scan ADDED

@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require 'cfn-nag/iam_complexity_metric/spcm'
+require 'cfn-nag/iam_complexity_metric/html_results_renderer'
+require 'optimist'
+require 'json'
+# rubocop:disable Metrics/BlockLength
+opts = Optimist.options do
+  opt :parameter_values_path,
+      'Path to a JSON file to pull Parameter values from',
+      type: :string,
+      required: false,
+      default: nil
+  opt :condition_values_path,
+      'Path to a JSON file to pull Condition values from',
+      type: :string,
+      required: false,
+      default: nil
+  opt :input_path,
+      'CloudFormation template to measure SPCM on or directory of templates.',
+      type: :string,
+      required: true
+  opt :template_pattern,
+      'Within the --input-path, match files to scan against this regular expression',
+      type: :string,
+      required: false,
+      default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
+  opt :ignore_templates_without_iam,
+      'Within the --input-path ignore files without IAM role/policy resources',
+      type: :boolean,
+      required: false,
+      default: true
+  opt :output_format,
+      'Format of results: [json, html]',
+      type: :string,
+      default: 'json'
+end
+# rubocop:enable Metrics/BlockLength
+def read_conditionally(path)
+  unless path.nil?
+    IO.read(path)
+  end
+end
+parameter_values_string = read_conditionally(opts[:parameter_values_path])
+condition_values_string = read_conditionally(opts[:condition_values_path])
+metrics = SPCM.new.aggregate_metrics(
+  input_path: opts[:input_path],
+  parameter_values_path: parameter_values_string,
+  condition_values_path: condition_values_string,
+  template_pattern: opts[:template_pattern]
+)
+if opts[:ignore_templates_without_iam]
+  metrics = metrics.select do |metric|
+    metric[:file_results]['AWS::IAM::Role'] != {} || metric[:file_results]['AWS::IAM::Policy'] != {}
+  end
+end
+if opts[:output_format] == 'json'
+  puts JSON.generate(metrics)
+else
+  puts HtmlRenderer.new.render(results: metrics)
+end

data/lib/cfn-nag/cfn_nag.rb CHANGED

@@ -87,6 +87,7 @@ class CfnNag
                                       parameter_values_string,
                                       true,
                                       condition_values_string
+      CustomRuleLoader.rule_arguments = @config.rule_arguments
       violations += @config.custom_rule_loader.execute_custom_rules(
         cfn_model,
         @config.custom_rule_loader.rule_definitions

data/lib/cfn-nag/cfn_nag_config.rb CHANGED

@@ -9,7 +9,8 @@ class CfnNagConfig
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false,
                  fail_on_warnings: false,
-                 rule_repository_definitions: [])
+                 rule_repository_definitions: [],
+                 rule_arguments: {})
     @rule_directory = rule_directory
     @custom_rule_loader = CustomRuleLoader.new(
       rule_directory: rule_directory,
@@ -22,9 +23,11 @@ class CfnNagConfig
     @blacklist_definition = blacklist_definition
     @fail_on_warnings = fail_on_warnings
     @rule_repositories = rule_repositories
+    @rule_arguments = rule_arguments
   end
   # rubocop:enable Metrics/ParameterLists
+  attr_reader :rule_arguments
   attr_reader :rule_directory
   attr_reader :custom_rule_loader
   attr_reader :profile_definition

data/lib/cfn-nag/cfn_nag_executor.rb CHANGED

@@ -11,6 +11,7 @@ class CfnNagExecutor
     @parameter_values_string = nil
     @condition_values_string = nil
     @rule_repository_definitions = []
+    @rule_arguments_string = nil
   end
   def scan(options_type:)
@@ -77,6 +78,12 @@ class CfnNagExecutor
       Optimist.die(:output_format,
                    'Must be colortxt, txt, or json')
     end
+    opts[:rule_arguments]&.each do |rule_argument|
+      unless rule_argument.include?(':')
+        Optimist.die(:rule_arguments, 'Must be of form name:value')
+      end
+    end
   end
   def execute_io_options(opts)
@@ -88,6 +95,8 @@ class CfnNagExecutor
     @condition_values_string = read_conditionally(opts[:condition_values_path])
+    @rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
     opts[:rule_repository]&.each do |rule_repository|
       @rule_repository_definitions << IO.read(rule_repository)
     end
@@ -99,6 +108,17 @@ class CfnNagExecutor
     end
   end
+  def merge_rule_arguments(opts)
+    rule_arguments = {}
+    rule_arguments = JSON.parse(@rule_arguments_string) if @rule_arguments_string
+    opts[:rule_arguments]&.each do |rule_argument|
+      name = rule_argument.split(':')[0]
+      value = rule_argument.split(':')[1]
+      rule_arguments[name] = value
+    end
+    rule_arguments
+  end
   def cfn_nag_config(opts)
     CfnNagConfig.new(
       profile_definition: @profile_definition,
@@ -108,7 +128,8 @@ class CfnNagExecutor
       print_suppression: opts[:print_suppression],
       isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
       fail_on_warnings: opts[:fail_on_warnings],
-      rule_repository_definitions: @rule_repository_definitions
+      rule_repository_definitions: @rule_repository_definitions,
+      rule_arguments: merge_rule_arguments(opts)
     )
   end

data/lib/cfn-nag/cli_options.rb CHANGED

@@ -91,6 +91,15 @@ class Options
           'Path(s) to a rule repository to include in rule discovery',
           type: :strings,
           required: false
+      opt :rule_arguments,
+          'Rule arguments to inject into interested rules',
+          type: :strings,
+          required: false
+      opt :rule_arguments_path,
+          'Path to a rule arguments to inject into interested rules',
+          type: :string,
+          required: false,
+          default: nil
     end
   end
@@ -175,6 +184,15 @@ class Options
           'Path(s)s to rule repository to include in rule discovery',
           type: :strings,
           required: false
+      opt :rule_arguments,
+          'Rule arguments to inject into interested rules',
+          type: :strings,
+          required: false
+      opt :rule_arguments_path,
+          'Path to a rule arguments to inject into interested rules',
+          type: :string,
+          required: false,
+          default: nil
     end
   end
   # rubocop:enable Metrics/BlockLength

data/lib/cfn-nag/custom_rule_loader.rb CHANGED

@@ -7,12 +7,22 @@ require_relative 'rule_repos/file_based_rule_repo'
 require_relative 'rule_repos/gem_based_rule_repo'
 require_relative 'rule_repos/s3_based_rule_repo'
 require_relative 'rule_repository_loader'
+require_relative 'metadata'
 ##
 # This object can discover the internal and custom user-provided rules and
 # apply these rules to a CfnModel object
 #
 class CustomRuleLoader
+  include Metadata
+  # k,v for injection into rules that can respond to k
+  @rule_arguments = {}
+  class << self
+    attr_accessor :rule_arguments
+  end
   def initialize(rule_directory: nil,
                  allow_suppression: true,
                  print_suppression: false,
@@ -58,6 +68,14 @@ class CustomRuleLoader
   private
+  def inject_rule_arguments_into_rule(rule)
+    self.class.rule_arguments.each do |rule_argument_name, rule_argument_value|
+      if rule.respond_to?("#{rule_argument_name}=".to_sym)
+        rule.send "#{rule_argument_name}=".to_sym, rule_argument_value
+      end
+    end
+  end
   # rubocop:disable Style/RedundantBegin
   def filter_rule_classes(cfn_model, violations, rules_registry)
     rules_registry.rule_classes.each do |rule_class|
@@ -65,9 +83,12 @@ class CustomRuleLoader
         filtered_cfn_model = cfn_model_with_suppressed_resources_removed(
           cfn_model: cfn_model,
           rule_id: rule_class.new.rule_id,
-          allow_suppression: @allow_suppression
+          allow_suppression: @allow_suppression,
+          print_suppression: @print_suppression
         )
-        audit_result = rule_class.new.audit(filtered_cfn_model)
+        rule = rule_class.new
+        inject_rule_arguments_into_rule(rule)
+        audit_result = rule.audit(filtered_cfn_model)
         violations << audit_result unless audit_result.nil?
       rescue ScriptError, StandardError => rule_error
         raise rule_error unless @isolate_custom_rule_exceptions
@@ -77,74 +98,4 @@ class CustomRuleLoader
     end
   end
   # rubocop:enable Style/RedundantBegin
-  def rules_to_suppress(resource)
-    if resource.metadata &&
-       resource.metadata['cfn_nag'] &&
-       resource.metadata['cfn_nag']['rules_to_suppress']
-      resource.metadata['cfn_nag']['rules_to_suppress']
-    end
-  end
-  def collect_mangled_metadata(cfn_model)
-    mangled_metadatas = []
-    cfn_model.resources.each do |logical_resource_id, resource|
-      resource_rules_to_suppress = rules_to_suppress resource
-      next if resource_rules_to_suppress.nil?
-      mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
-        rule_to_suppress['id'].nil?
-      end
-      unless mangled_rules.empty?
-        mangled_metadatas << [logical_resource_id, mangled_rules]
-      end
-    end
-    mangled_metadatas
-  end
-  # XXX given mangled_metadatas is never used or returned,
-  # STDERR emit can be moved to unless block
-  def validate_cfn_nag_metadata(cfn_model)
-    mangled_metadatas = collect_mangled_metadata(cfn_model)
-    mangled_metadatas.each do |mangled_metadata|
-      logical_resource_id = mangled_metadata.first
-      mangled_rules = mangled_metadata[1]
-      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression " \
-                  "rule id: #{mangled_rules}"
-    end
-  end
-  def suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-    found_suppression_rule = rules_to_suppress.find do |rule_to_suppress|
-      next if rule_to_suppress['id'].nil?
-      rule_to_suppress['id'] == rule_id
-    end
-    if found_suppression_rule && @print_suppression
-      message = "Suppressing #{rule_id} on #{logical_resource_id} for " \
-                "reason: #{found_suppression_rule['reason']}"
-      STDERR.puts message
-    end
-    !found_suppression_rule.nil?
-  end
-  def cfn_model_with_suppressed_resources_removed(cfn_model:,
-                                                  rule_id:,
-                                                  allow_suppression:)
-    return cfn_model unless allow_suppression
-    cfn_model = cfn_model.copy
-    cfn_model.resources.delete_if do |logical_resource_id, resource|
-      rules_to_suppress = rules_to_suppress resource
-      if rules_to_suppress.nil?
-        false
-      else
-        suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-      end
-    end
-    cfn_model
-  end
 end

data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb CHANGED

@@ -5,8 +5,8 @@ require_relative 'sub_property_with_list_password_base_rule'
 class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
-    'AmazonMQ Broker Users Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.'
+    'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppAccessTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App AccessToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppOauthTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App OauthToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb CHANGED

@@ -18,7 +18,7 @@ class ApiGatewayV2AccessLoggingRule < BaseRule
   def audit_impl(cfn_model)
     violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
-      deployment.accessLogSetting.nil?
+      deployment.accessLogSettings.nil?
     end
     violating_deployments.map(&:logical_resource_id)

data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb CHANGED

@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
   def rule_text
     'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
-    'must not be a plaintext string or a Ref to a NoEcho Parameter ' \
-    'with a Default value.'
+    'must not be a plaintext string or a Ref to a Parameter ' \
+    'with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
   def rule_text
     'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+    'a plaintext string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb CHANGED

@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
 class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
   def rule_text
     'Directory Service Microsoft AD password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type