cfn-nag 0.5.61 → 0.6.4

data/lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class HtmlRenderer
+  def render(results:)
+    output = '<html><body><table>'
+    results.each do |result|
+      output += '<tr><td><table><tr><td>'
+      output += result[:filename]
+      output += '</td></tr><tr><td>'
+      output += render_policy(result)
+      output += render_role(result)
+      output += '</td></tr></table></td></tr>'
+    end
+    output += '</table></body></html>'
+    output
+  end
+
+  private
+
+  def render_policy(result)
+    output = ''
+    if result[:file_results]['AWS::IAM::Policy'] != {}
+      output += '<ul>'
+      result[:file_results]['AWS::IAM::Policy'].each do |k, v|
+        output += "<li>#{k}=#{v}</li>"
+      end
+      output += '</ul>'
+    end
+    output
+  end
+
+  def render_role(result)
+    output = ''
+    if result[:file_results]['AWS::IAM::Role'] != {}
+      output += '<ul>'
+      result[:file_results]['AWS::IAM::Role'].each do |role_id, policy_map|
+        policy_map.each do |policy_name, metric|
+          output += "<li>#{role_id}/#{policy_name}=#{metric}</li>"
+        end
+      end
+      output += '</ul>'
+    end
+    output
+  end
+end

data/lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require_relative 'statement_metric'
+
+class PolicyDocumentMetric
+  def metric(policy_document)
+    policy_document.statements.reduce(0) do |aggregate, statement|
+      aggregate + StatementMetric.new.metric(statement)
+    end
+  end
+end

data/lib/cfn-nag/iam_complexity_metric/spcm.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/template_discovery'
+require 'cfn-model'
+require_relative 'policy_document_metric'
+
+class SPCM
+  DEFAULT_TEMPLATE_PATTERN = '..*\.json$|..*\.yaml$|..*\.yml$|..*\.template$'
+
+  def aggregate_metrics(input_path:,
+                        parameter_values_path: nil,
+                        condition_values_path: nil,
+                        template_pattern: DEFAULT_TEMPLATE_PATTERN)
+    parameter_values_string = parameter_values_path.nil? ? nil : IO.read(parameter_values_path)
+    condition_values_string = condition_values_path.nil? ? nil : IO.read(condition_values_path)
+
+    templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
+                                                         template_pattern: template_pattern)
+    aggregate_results = []
+    templates.each do |template|
+      aggregate_results << {
+        filename: template,
+        file_results: metric(
+          cloudformation_string: IO.read(template),
+          parameter_values_string: parameter_values_string,
+          condition_values_string: condition_values_string
+        )
+      }
+    end
+    aggregate_results
+  end
+
+  def metric(cloudformation_string:, parameter_values_string: nil, condition_values_string: nil)
+    cfn_model = CfnParser.new.parse cloudformation_string,
+                                    parameter_values_string,
+                                    false,
+                                    condition_values_string
+
+    metric_impl(cfn_model)
+  end
+
+  def metric_impl(cfn_model)
+    policy_documents = {
+      'AWS::IAM::Policy' => {},
+      'AWS::IAM::Role' => {}
+    }
+
+    cfn_model.resources_by_type('AWS::IAM::Policy').each do |policy|
+      update_policy_metric(policy_documents, policy)
+    end
+
+    cfn_model.resources_by_type('AWS::IAM::Role').each do |role|
+      role.policy_objects.each do |policy|
+        update_role_policy_metric(policy_documents, role, policy)
+      end
+    end
+
+    policy_documents
+  end
+
+  private
+
+  def update_policy_metric(policy_documents, policy)
+    metric = PolicyDocumentMetric.new.metric(policy.policy_document)
+    policy_documents['AWS::IAM::Policy'][policy.logical_resource_id] = metric
+  end
+
+  def update_role_policy_metric(policy_documents, role, policy)
+    metric = PolicyDocumentMetric.new.metric(policy.policy_document)
+
+    if policy_documents['AWS::IAM::Role'][role.logical_resource_id]
+      policy_documents['AWS::IAM::Role'][role.logical_resource_id][policy.policy_name.to_s] = metric
+    else
+      policy_documents['AWS::IAM::Role'][role.logical_resource_id] = {
+        policy.policy_name.to_s => metric
+      }
+    end
+  end
+end

data/lib/cfn-nag/iam_complexity_metric/statement_metric.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require_relative 'weights'
+require_relative 'condition_metric'
+require 'set'
+
+class StatementMetric
+  include Weights
+
+  # rubocop:disable Metrics/AbcSize
+  def metric(statement)
+    aggregate = weights[:Base_Statement]
+
+    aggregate += effect_metrics(statement)
+    aggregate += inversion_metrics(statement)
+    aggregate += extra_service_count(statement) * weights[:Extra_Service]
+    aggregate += misaligned_resource_action_count(statement) * weights[:Resource_Action_NotAligned]
+    aggregate += mixed_wildcard(statement) * weights[:Mixed_Wildcard]
+
+    aggregate += ConditionMetric.new.metric(statement) unless statement.condition.nil?
+
+    aggregate
+  end
+  # rubocop:enable Metrics/AbcSize
+
+  private
+
+  def effect_metrics(statement)
+    aggregate = 0
+    aggregate += weights[:Deny] if statement.effect == 'Deny'
+    aggregate += weights[:Allow] if statement.effect == 'Allow'
+    aggregate
+  end
+
+  def inversion_metrics(statement)
+    aggregate = 0
+    aggregate += weights[:NotAction] unless statement.not_actions.empty?
+    aggregate += weights[:NotResource] unless statement.not_resources.empty?
+    aggregate
+  end
+
+  def mixed_wildcard(statement)
+    count = 0
+    count += 1 if action_service_names(statement).include?('*') && action_service_names(statement).size > 1
+    count += 1 if resource_service_names(statement).include?('*') && resource_service_names(statement).size > 1
+    count
+  end
+
+  def misaligned_resource_action_count(statement)
+    return 0 if resource(statement) == ['*'] || action(statement) == ['*']
+
+    resource_service_names = resource(statement).map { |resource_arn| resource_service_name(resource_arn) }
+    action_service_names = action(statement).map { |action| action_service_name(action) }
+
+    (set_without_wildcard(resource_service_names) - set_without_wildcard(action_service_names)).size
+  end
+
+  # rubocop:disable Naming/AccessorMethodName
+  def set_without_wildcard(array)
+    Set.new(array).delete('*')
+  end
+  # rubocop:enable Naming/AccessorMethodName
+
+  def extra_service_count(statement)
+    service_names = Set.new(action_service_names(statement) + resource_service_names(statement)).delete('*')
+    [service_names.size - 1, 0].max
+  end
+
+  def action_service_names(statement)
+    action(statement).map { |action| action_service_name(action) }
+  end
+
+  def resource_service_names(statement)
+    resource(statement).map { |resource_arn| resource_service_name(resource_arn) }
+  end
+
+  def action_service_name(action)
+    return '*' if action == '*'
+
+    return action unless action.is_a?(String)
+
+    action.split(':')[0]
+  end
+
+  def resource_service_name(resource_arn)
+    return '*' if resource_arn == '*'
+
+    return resource_arn unless resource_arn.is_a?(String)
+
+    resource_arn.split(':')[2]
+  end
+
+  def action(statement)
+    return statement.actions unless statement.actions.empty?
+
+    statement.not_actions
+  end
+
+  def resource(statement)
+    return statement.resources unless statement.resources.empty?
+
+    statement.not_resources
+  end
+end

data/lib/cfn-nag/iam_complexity_metric/weights.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Weights
+  def weights
+    {
+      Base_Statement: 1,
+      Allow: 0,
+      Deny: 1,
+      NotAction: 1,
+      NotResource: 1,
+      Mixed_Wildcard: 1,
+
+      Extra_Service: 2,
+      Resource_Action_NotAligned: 1,
+
+      Condition: 2,
+      IfExists: 1,
+      Null: 1,
+      PolicyVariables: 1
+    }
+  end
+end

data/lib/cfn-nag/metadata.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'cfn-model'
+
+##
+# Mix-in with metadata handling routines for the CustomRuleLoader
+module Metadata
+  # XXX given mangled_metadatas is never used or returned,
+  # STDERR emit can be moved to unless block
+  def validate_cfn_nag_metadata(cfn_model)
+    mangled_metadatas = collect_mangled_metadata(cfn_model)
+    mangled_metadatas.each do |mangled_metadata|
+      logical_resource_id = mangled_metadata.first
+      mangled_rules = mangled_metadata[1]
+
+      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
+    end
+  end
+
+  def cfn_model_with_suppressed_resources_removed(cfn_model:,
+                                                  rule_id:,
+                                                  allow_suppression:,
+                                                  print_suppression:)
+    return cfn_model unless allow_suppression
+
+    cfn_model = cfn_model.copy
+
+    cfn_model.resources.delete_if do |logical_resource_id, resource|
+      rules_to_suppress = rules_to_suppress resource
+      if rules_to_suppress.nil?
+        false
+      else
+        suppress_resource?(rules_to_suppress, rule_id, logical_resource_id, print_suppression)
+      end
+    end
+    cfn_model
+  end
+
+  private
+
+  def suppress_resource?(rules_to_suppress, rule_id, logical_resource_id, print_suppression)
+    found_suppression_rule = rules_to_suppress.find do |rule_to_suppress|
+      next if rule_to_suppress['id'].nil?
+
+      rule_to_suppress['id'] == rule_id
+    end
+    if found_suppression_rule && print_suppression
+      message = "Suppressing #{rule_id} on #{logical_resource_id} for reason: #{found_suppression_rule['reason']}"
+      STDERR.puts message
+    end
+    !found_suppression_rule.nil?
+  end
+
+  def rules_to_suppress(resource)
+    if resource.metadata &&
+       resource.metadata['cfn_nag'] &&
+       resource.metadata['cfn_nag']['rules_to_suppress']
+
+      resource.metadata['cfn_nag']['rules_to_suppress']
+    end
+  end
+
+  def collect_mangled_metadata(cfn_model)
+    mangled_metadatas = []
+    cfn_model.resources.each do |logical_resource_id, resource|
+      resource_rules_to_suppress = rules_to_suppress resource
+      next if resource_rules_to_suppress.nil?
+
+      mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
+        rule_to_suppress['id'].nil?
+      end
+      unless mangled_rules.empty?
+        mangled_metadatas << [logical_resource_id, mangled_rules]
+      end
+    end
+    mangled_metadatas
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.61
+  version: 0.6.4
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.0
+        version: 0.5.1
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -156,12 +156,14 @@ executables:
 - cfn_nag
 - cfn_nag_rules
 - cfn_nag_scan
+- spcm_scan
 extensions: []
 extra_rdoc_files: []
 files:
 - bin/cfn_nag
 - bin/cfn_nag_rules
 - bin/cfn_nag_scan
+- bin/spcm_scan
 - lib/cfn-nag.rb
 - lib/cfn-nag/base_rule.rb
 - lib/cfn-nag/blacklist_loader.rb
@@ -295,6 +297,7 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
+- lib/cfn-nag/custom_rules/SPCMRule.rb
 - lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
@@ -327,7 +330,14 @@ files:
 - lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/custom_rules/resource_base_rule.rb
 - lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
+- lib/cfn-nag/iam_complexity_metric/condition_metric.rb
+- lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb
+- lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb
+- lib/cfn-nag/iam_complexity_metric/spcm.rb
+- lib/cfn-nag/iam_complexity_metric/statement_metric.rb
+- lib/cfn-nag/iam_complexity_metric/weights.rb
 - lib/cfn-nag/ip_addr.rb
+- lib/cfn-nag/metadata.rb
 - lib/cfn-nag/profile_loader.rb
 - lib/cfn-nag/result_view/colored_stdout_results.rb
 - lib/cfn-nag/result_view/json_results.rb
@@ -371,7 +381,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.3
 signing_key: 
 specification_version: 4
 summary: cfn-nag