cfn-nag 0.0.31 → 0.0.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn_nag.rb +3 -14
- data/lib/custom_rule_loader.rb +52 -0
- data/lib/model/cfn_model.rb +15 -21
- data/lib/model/parser_registry.rb +31 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0ba52e35e95e5c8578b6de099bbfa001b8fd6bb2
|
|
4
|
+
data.tar.gz: e707b8a4f2ba1dfb6df1aa226d249220f212a0c7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 745edfacf8508b1479588d13fa31dc3f8adc5d694406e768960a8dc6327469cd00d5ff7e8c69bdff1cc61d2eaed10a4f08fd5bbcd4100138d4e23fc93183a26e
|
|
7
|
+
data.tar.gz: a5981057d39a088953c11d33726858d0589b7d0ac8e1bf45a3cbbabfbaf4b150d834c146ea9a9608c705fa72787553e738ecc692a79aba5d0739d841c81d163e
|
data/lib/cfn_nag.rb
CHANGED
|
@@ -1,10 +1,8 @@
|
|
|
1
1
|
require_relative 'rule'
|
|
2
|
-
require_relative '
|
|
3
|
-
require_relative 'custom_rules/user_missing_group'
|
|
2
|
+
require_relative 'custom_rule_loader'
|
|
4
3
|
require_relative 'model/cfn_model'
|
|
5
4
|
require_relative 'result_view/simple_stdout_results'
|
|
6
5
|
require_relative 'result_view/json_results'
|
|
7
|
-
require_relative 'custom_rules/unencrypted_s3_put_allowed'
|
|
8
6
|
require 'tempfile'
|
|
9
7
|
|
|
10
8
|
class CfnNag
|
|
@@ -13,11 +11,6 @@ class CfnNag
|
|
|
13
11
|
def initialize
|
|
14
12
|
@warning_registry = []
|
|
15
13
|
@violation_registry = []
|
|
16
|
-
@custom_rule_registry = [
|
|
17
|
-
SecurityGroupMissingEgressRule,
|
|
18
|
-
UserMissingGroupRule,
|
|
19
|
-
UnencryptedS3PutObjectAllowedRule
|
|
20
|
-
]
|
|
21
14
|
end
|
|
22
15
|
|
|
23
16
|
def dump_rules
|
|
@@ -108,7 +101,7 @@ class CfnNag
|
|
|
108
101
|
|
|
109
102
|
generic_json_rules(input_json, rule_directories) unless @stop_processing == true
|
|
110
103
|
|
|
111
|
-
custom_rules input_json unless @stop_processing == true
|
|
104
|
+
@violations += custom_rules input_json unless @stop_processing == true
|
|
112
105
|
|
|
113
106
|
{
|
|
114
107
|
failure_count: Rule::count_failures(@violations),
|
|
@@ -208,10 +201,6 @@ class CfnNag
|
|
|
208
201
|
end
|
|
209
202
|
|
|
210
203
|
def custom_rules(input_json)
|
|
211
|
-
|
|
212
|
-
@custom_rule_registry.each do |rule_class|
|
|
213
|
-
audit_result = rule_class.new.audit(cfn_model)
|
|
214
|
-
@violations << audit_result unless audit_result.nil?
|
|
215
|
-
end
|
|
204
|
+
CustomRuleLoader.new.custom_rules(input_json)
|
|
216
205
|
end
|
|
217
206
|
end
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
require_relative 'model/parser_registry'
|
|
2
|
+
require_relative 'model/cfn_model'
|
|
3
|
+
|
|
4
|
+
class CustomRuleLoader
|
|
5
|
+
|
|
6
|
+
@custom_rule_directory = '/var/lib/cfn_nag_plugins'
|
|
7
|
+
|
|
8
|
+
def self.custom_rule_directory=(directory)
|
|
9
|
+
@custom_rule_directory = directory
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def self.custom_rule_directory
|
|
13
|
+
@custom_rule_directory
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def initialize
|
|
17
|
+
@custom_rule_registry = [
|
|
18
|
+
SecurityGroupMissingEgressRule,
|
|
19
|
+
UserMissingGroupRule,
|
|
20
|
+
UnencryptedS3PutObjectAllowedRule
|
|
21
|
+
]
|
|
22
|
+
@violations = []
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def custom_rules(input_json)
|
|
26
|
+
discover_rules
|
|
27
|
+
@custom_rule_registry.each do |rule_class|
|
|
28
|
+
rule = rule_class.new
|
|
29
|
+
if rule.respond_to? 'custom_parsers'
|
|
30
|
+
rule.custom_parsers.each do |custom_parser|
|
|
31
|
+
ParserRegistry.instance.add_parser custom_parser[0], custom_parser[1]
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
cfn_model = CfnModel.new.parse(input_json)
|
|
36
|
+
audit_result = rule_class.new.audit(cfn_model)
|
|
37
|
+
@violations << audit_result unless audit_result.nil?
|
|
38
|
+
end
|
|
39
|
+
@violations
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
private
|
|
43
|
+
|
|
44
|
+
def discover_rules(rule_directory: CustomRuleLoader.custom_rule_directory)
|
|
45
|
+
rules = Dir[File.join(rule_directory, '*Rule.rb')].sort
|
|
46
|
+
|
|
47
|
+
rules.each do |rule|
|
|
48
|
+
require(rule)
|
|
49
|
+
@custom_rule_registry << Object.const_get(File.basename(rule, '.rb'))
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
data/lib/model/cfn_model.rb
CHANGED
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
require 'json'
|
|
2
|
-
require_relative '
|
|
3
|
-
require_relative 'iam_user_parser'
|
|
4
|
-
require_relative 's3_bucket_policy_parser'
|
|
2
|
+
require_relative 'parser_registry'
|
|
5
3
|
|
|
6
4
|
# consider a canonical form for template too...
|
|
7
5
|
# always transform optional things into more general forms....
|
|
@@ -9,14 +7,6 @@ require_relative 's3_bucket_policy_parser'
|
|
|
9
7
|
|
|
10
8
|
class CfnModel
|
|
11
9
|
def initialize
|
|
12
|
-
@parser_registry = {
|
|
13
|
-
'AWS::EC2::SecurityGroup' => SecurityGroupParser,
|
|
14
|
-
'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
|
|
15
|
-
'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
|
|
16
|
-
'AWS::IAM::User' => IamUserParser,
|
|
17
|
-
'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
|
|
18
|
-
'AWS::S3::BucketPolicy' => S3BucketPolicyParser
|
|
19
|
-
}
|
|
20
10
|
@dangling_ingress_or_egress_rules = []
|
|
21
11
|
@dangler = Object.new
|
|
22
12
|
end
|
|
@@ -26,6 +16,8 @@ class CfnModel
|
|
|
26
16
|
self
|
|
27
17
|
end
|
|
28
18
|
|
|
19
|
+
|
|
20
|
+
|
|
29
21
|
def security_groups
|
|
30
22
|
fail 'must call parse first' unless @json_hash
|
|
31
23
|
security_groups_hash = resources_by_type('AWS::EC2::SecurityGroup')
|
|
@@ -51,6 +43,17 @@ class CfnModel
|
|
|
51
43
|
bucket_policy_hash.values
|
|
52
44
|
end
|
|
53
45
|
|
|
46
|
+
def resources_by_type(resource_type)
|
|
47
|
+
resources_map = {}
|
|
48
|
+
resources.each do |resource_name, resource|
|
|
49
|
+
if resource['Type'] == resource_type
|
|
50
|
+
resource_parser = ParserRegistry.instance.registry[resource_type].new
|
|
51
|
+
resources_map[resource_name] = resource_parser.parse(resource_name, resource)
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
resources_map
|
|
55
|
+
end
|
|
56
|
+
|
|
54
57
|
private
|
|
55
58
|
|
|
56
59
|
def resolve_user_logical_resource_id(user)
|
|
@@ -120,16 +123,7 @@ class CfnModel
|
|
|
120
123
|
@json_hash['Resources']
|
|
121
124
|
end
|
|
122
125
|
|
|
123
|
-
|
|
124
|
-
resources_map = {}
|
|
125
|
-
resources.each do |resource_name, resource|
|
|
126
|
-
if resource['Type'] == resource_type
|
|
127
|
-
resource_parser = @parser_registry[resource_type].new
|
|
128
|
-
resources_map[resource_name] = resource_parser.parse(resource_name, resource)
|
|
129
|
-
end
|
|
130
|
-
end
|
|
131
|
-
resources_map
|
|
132
|
-
end
|
|
126
|
+
|
|
133
127
|
end
|
|
134
128
|
|
|
135
129
|
class SecurityGroup
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require_relative 'security_group_parser'
|
|
2
|
+
require_relative 'iam_user_parser'
|
|
3
|
+
require_relative 's3_bucket_policy_parser'
|
|
4
|
+
require_relative 'parser_registry'
|
|
5
|
+
|
|
6
|
+
class ParserRegistry
|
|
7
|
+
attr_reader :registry
|
|
8
|
+
|
|
9
|
+
def initialize
|
|
10
|
+
@registry = {
|
|
11
|
+
'AWS::EC2::SecurityGroup' => SecurityGroupParser,
|
|
12
|
+
'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
|
|
13
|
+
'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
|
|
14
|
+
'AWS::IAM::User' => IamUserParser,
|
|
15
|
+
'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
|
|
16
|
+
'AWS::S3::BucketPolicy' => S3BucketPolicyParser
|
|
17
|
+
}
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def self.instance
|
|
21
|
+
if @instance.nil?
|
|
22
|
+
@instance = ParserRegistry.new
|
|
23
|
+
end
|
|
24
|
+
@instance
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
def add_parser(resource_name, parser)
|
|
28
|
+
@registry[resource_name] = parser
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.32
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- someguy
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-02-
|
|
11
|
+
date: 2017-02-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logging
|
|
@@ -49,6 +49,7 @@ files:
|
|
|
49
49
|
- bin/cfn_nag
|
|
50
50
|
- bin/cfn_nag_rules
|
|
51
51
|
- lib/cfn_nag.rb
|
|
52
|
+
- lib/custom_rule_loader.rb
|
|
52
53
|
- lib/custom_rules/security_group_missing_egress.rb
|
|
53
54
|
- lib/custom_rules/unencrypted_s3_put_allowed.rb
|
|
54
55
|
- lib/custom_rules/user_missing_group.rb
|
|
@@ -68,6 +69,7 @@ files:
|
|
|
68
69
|
- lib/model/action_parser.rb
|
|
69
70
|
- lib/model/cfn_model.rb
|
|
70
71
|
- lib/model/iam_user_parser.rb
|
|
72
|
+
- lib/model/parser_registry.rb
|
|
71
73
|
- lib/model/s3_bucket_policy.rb
|
|
72
74
|
- lib/model/s3_bucket_policy_parser.rb
|
|
73
75
|
- lib/model/security_group_parser.rb
|