cfn-nag 0.0.31 → 0.0.32
- checksums.yaml +4 -4
- data/lib/cfn_nag.rb +3 -14
- data/lib/custom_rule_loader.rb +52 -0
- data/lib/model/cfn_model.rb +15 -21
- data/lib/model/parser_registry.rb +31 -0
- metadata +4 -2
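--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0ba52e35e95e5c8578b6de099bbfa001b8fd6bb2
+data.tar.gz: e707b8a4f2ba1dfb6df1aa226d249220f212a0c7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 745edfacf8508b1479588d13fa31dc3f8adc5d694406e768960a8dc6327469cd00d5ff7e8c69bdff1cc61d2eaed10a4f08fd5bbcd4100138d4e23fc93183a26e
+data.tar.gz: a5981057d39a088953c11d33726858d0589b7d0ac8e1bf45a3cbbabfbaf4b150d834c146ea9a9608c705fa72787553e738ecc692a79aba5d0739d841c81d163e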
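--- a/data/lib/cfn_nag.rb
+++ b/data/lib/cfn_nag.rb
@@ -1,10 +1,8 @@
 require_relative 'rule'
-require_relative '
-require_relative 'custom_rules/user_missing_group'
+require_relative 'custom_rule_loader'
 require_relative 'model/cfn_model'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/json_results'
-require_relative 'custom_rules/unencrypted_s3_put_allowed'
 require 'tempfile'
 
 class CfnNag
@@ -13,11 +11,6 @@ class CfnNag
 def initialize
 @warning_registry = []
 @violation_registry = []
-@custom_rule_registry = [
-SecurityGroupMissingEgressRule,
-UserMissingGroupRule,
-UnencryptedS3PutObjectAllowedRule
-]
 end
 
 def dump_rules
@@ -108,7 +101,7 @@ class CfnNag
 
 generic_json_rules(input_json, rule_directories) unless @stop_processing == true
 
-custom_rules input_json unless @stop_processing == true
+@violations += custom_rules input_json unless @stop_processing == true
 
 {
 failure_count: Rule::count_failures(@violations),
@@ -208,10 +201,6 @@ class CfnNag
 end
 
 def custom_rules(input_json)
-
-@custom_rule_registry.each do |rule_class|
-audit_result = rule_class.new.audit(cfn_model)
-@violations << audit_result unless audit_result.nil?
-end
+CustomRuleLoader.new.custom_rules(input_json)
 end
 end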
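Review bot: The three `require_relative 'custom_rules/...'` lines removed in the first hunk are not replaced anywhere visible — the new `custom_rule_loader.rb` requires only `model/parser_registry` and `model/cfn_model`, yet its `initialize` references `SecurityGroupMissingEgressRule`, `UserMissingGroupRule` and `UnencryptedS3PutObjectAllowedRule`. Unless those classes are loaded elsewhere (the bin script, perhaps), `CustomRuleLoader.new` will raise NameError on the first audit; the requires should move into custom_rule_loader.rb, e.g. `require_relative 'custom_rules/user_missing_group'` and `require_relative 'custom_rules/unencrypted_s3_put_allowed'` alongside the egress rule. The slimmed-down `custom_rules` in the last hunk also deserves a comment that it now loads and executes every `*Rule.rb` found in the plugin directory, `# Loads and runs plugin rules from CustomRuleLoader.custom_rule_directory; returns violations found`, since callers can no longer see that from the method body.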
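--- /dev/null
+++ b/data/lib/custom_rule_loader.rb
@@ -0,0 +1,52 @@
+require_relative 'model/parser_registry'
+require_relative 'model/cfn_model'
+
+class CustomRuleLoader
+
+@custom_rule_directory = '/var/lib/cfn_nag_plugins'
+
+def self.custom_rule_directory=(directory)
+@custom_rule_directory = directory
+end
+
+def self.custom_rule_directory
+@custom_rule_directory
+end
+
+def initialize
+@custom_rule_registry = [
+SecurityGroupMissingEgressRule,
+UserMissingGroupRule,
+UnencryptedS3PutObjectAllowedRule
+]
+@violations = []
+end
+
+def custom_rules(input_json)
+discover_rules
+@custom_rule_registry.each do |rule_class|
+rule = rule_class.new
+if rule.respond_to? 'custom_parsers'
+rule.custom_parsers.each do |custom_parser|
+ParserRegistry.instance.add_parser custom_parser[0], custom_parser[1]
+end
+end
+
+cfn_model = CfnModel.new.parse(input_json)
+audit_result = rule_class.new.audit(cfn_model)
+@violations << audit_result unless audit_result.nil?
+end
+@violations
+end
+
+private
+
+def discover_rules(rule_directory: CustomRuleLoader.custom_rule_directory)
+rules = Dir[File.join(rule_directory, '*Rule.rb')].sort
+
+rules.each do |rule|
+require(rule)
+@custom_rule_registry << Object.const_get(File.basename(rule, '.rb'))
+end
+end
+end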
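Review bot: `discover_rules` does `require(rule)` on every `*Rule.rb` under `/var/lib/cfn_nag_plugins` (or whatever directory was set through the class-level writer) without checking who owns or can write that directory, so anyone able to drop a file there executes arbitrary Ruby inside every cfn_nag run on that host. At minimum the method should document that contract and refuse a writable-by-all location: `return unless File.directory?(rule_directory)` followed by `raise "refusing to load plugins from world-writable #{rule_directory}" if File.world_writable?(rule_directory)`. A plugin's `custom_parsers` are also pushed straight into the process-wide `ParserRegistry.instance`, which lets one plugin silently replace a built-in parser for every rule that runs after it; whether that override is intended is not visible here, so it should either be documented or guarded. Separately, `custom_rules` instantiates each rule twice (`rule = rule_class.new` and then `rule_class.new.audit(cfn_model)`); the second should be `rule.audit(cfn_model)`.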
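--- a/data/lib/model/cfn_model.rb
+++ b/data/lib/model/cfn_model.rb
@@ -1,7 +1,5 @@
 require 'json'
-require_relative '
-require_relative 'iam_user_parser'
-require_relative 's3_bucket_policy_parser'
+require_relative 'parser_registry'
 
 # consider a canonical form for template too...
 # always transform optional things into more general forms....
@@ -9,14 +7,6 @@ require_relative 's3_bucket_policy_parser'
 
 class CfnModel
 def initialize
-@parser_registry = {
-'AWS::EC2::SecurityGroup' => SecurityGroupParser,
-'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
-'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
-'AWS::IAM::User' => IamUserParser,
-'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
-'AWS::S3::BucketPolicy' => S3BucketPolicyParser
-}
 @dangling_ingress_or_egress_rules = []
 @dangler = Object.new
 end
@@ -26,6 +16,8 @@ class CfnModel
 self
 end
 
+
+
 def security_groups
 fail 'must call parse first' unless @json_hash
 security_groups_hash = resources_by_type('AWS::EC2::SecurityGroup')
@@ -51,6 +43,17 @@ class CfnModel
 bucket_policy_hash.values
 end
 
+def resources_by_type(resource_type)
+resources_map = {}
+resources.each do |resource_name, resource|
+if resource['Type'] == resource_type
+resource_parser = ParserRegistry.instance.registry[resource_type].new
+resources_map[resource_name] = resource_parser.parse(resource_name, resource)
+end
+end
+resources_map
+end
+
 private
 
 def resolve_user_logical_resource_id(user)
@@ -120,16 +123,7 @@ class CfnModel
 @json_hash['Resources']
 end
 
-
-resources_map = {}
-resources.each do |resource_name, resource|
-if resource['Type'] == resource_type
-resource_parser = @parser_registry[resource_type].new
-resources_map[resource_name] = resource_parser.parse(resource_name, resource)
-end
-end
-resources_map
-end
+
 end
 
 class SecurityGroup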
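Review bot: `resources_by_type` now sits above `private` and so becomes part of CfnModel's public surface (it was below `private` before the move), and it still looks the parser up with `registry[resource_type].new`, so any type that has no registered parser — a plugin asking for a type it forgot to register — fails with `NoMethodError: undefined method 'new' for nil` instead of saying what is missing. Use `fetch` with a message: `parser_class = ParserRegistry.instance.registry.fetch(resource_type) { raise ArgumentError, "no parser registered for #{resource_type}" }` and then `parser_class.new`. If exposing the method publicly was not deliberate, it should move back under `private`; that intent is not visible in the diff. The two blank lines added before `def security_groups` and the one left behind at the end of the class look accidental.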
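--- /dev/null
+++ b/data/lib/model/parser_registry.rb
@@ -0,0 +1,31 @@
+require_relative 'security_group_parser'
+require_relative 'iam_user_parser'
+require_relative 's3_bucket_policy_parser'
+require_relative 'parser_registry'
+
+class ParserRegistry
+attr_reader :registry
+
+def initialize
+@registry = {
+'AWS::EC2::SecurityGroup' => SecurityGroupParser,
+'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
+'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
+'AWS::IAM::User' => IamUserParser,
+'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
+'AWS::S3::BucketPolicy' => S3BucketPolicyParser
+}
+end
+
+def self.instance
+if @instance.nil?
+@instance = ParserRegistry.new
+end
+@instance
+end
+
+def add_parser(resource_name, parser)
+@registry[resource_name] = parser
+end
+
+end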
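Review bot: `add_parser` assigns into the shared hash unconditionally, so a plugin registering `'AWS::EC2::SecurityGroup'` quietly replaces the built-in `SecurityGroupParser` for every rule that runs afterwards in the same process, and `attr_reader :registry` hands out the same mutable hash for anyone to edit directly. If overriding built-ins is not intended, guard it: `raise ArgumentError, "parser already registered for #{resource_type}" if @registry.key?(resource_type)`; if it is intended, say so in a comment on the method, because the singleton makes the override global. The parameter is a CloudFormation resource type string, not a resource name, so `resource_type` would be the accurate name. Line 4, `require_relative 'parser_registry'`, makes the file require itself; it is a no-op and should be dropped.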
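--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.32
 platform: ruby
 authors:
 - someguy
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-02-
+date: 2017-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logging
@@ -49,6 +49,7 @@ files:
 - bin/cfn_nag
 - bin/cfn_nag_rules
 - lib/cfn_nag.rb
+- lib/custom_rule_loader.rb
 - lib/custom_rules/security_group_missing_egress.rb
 - lib/custom_rules/unencrypted_s3_put_allowed.rb
 - lib/custom_rules/user_missing_group.rb
@@ -68,6 +69,7 @@ files:
 - lib/model/action_parser.rb
 - lib/model/cfn_model.rb
 - lib/model/iam_user_parser.rb
+- lib/model/parser_registry.rb
 - lib/model/s3_bucket_policy.rb
 - lib/model/s3_bucket_policy_parser.rb
 - lib/model/security_group_parser.rb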