cfn-nag 0.0.31 → 0.0.32

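--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 56dbe4fbd39baa55a57bf08c76b3ded48d248259
- data.tar.gz: 8453582e991ff40398cc05a0ebee7ef64d5b4291
+ metadata.gz: 0ba52e35e95e5c8578b6de099bbfa001b8fd6bb2
+ data.tar.gz: e707b8a4f2ba1dfb6df1aa226d249220f212a0c7
  SHA512:
- metadata.gz: ee486be9d272ed90df3f5137358ecf33c719cec14b21acf2f9a9b6669d94ca9f7f227d0bc3916a8a02e368a519c7d07fa2582f529841e088318ba91f235013fd
- data.tar.gz: d7394d24c0735afc252ffcd59e8d6dfa3419dc358c0dda691d1cfd6e061e01e1eec575e980967fda4418098c7a70ea734a5fac9a00f90acbd157bee26702f410
+ metadata.gz: 745edfacf8508b1479588d13fa31dc3f8adc5d694406e768960a8dc6327469cd00d5ff7e8c69bdff1cc61d2eaed10a4f08fd5bbcd4100138d4e23fc93183a26e
+ data.tar.gz: a5981057d39a088953c11d33726858d0589b7d0ac8e1bf45a3cbbabfbaf4b150d834c146ea9a9608c705fa72787553e738ecc692a79aba5d0739d841c81d163e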
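--- a/data/lib/cfn_nag.rb
+++ b/data/lib/cfn_nag.rb
@@ -1,10 +1,8 @@
  require_relative 'rule'
- require_relative 'custom_rules/security_group_missing_egress'
- require_relative 'custom_rules/user_missing_group'
+ require_relative 'custom_rule_loader'
  require_relative 'model/cfn_model'
  require_relative 'result_view/simple_stdout_results'
  require_relative 'result_view/json_results'
- require_relative 'custom_rules/unencrypted_s3_put_allowed'
  require 'tempfile'
 
  class CfnNag
@@ -13,11 +11,6 @@ class CfnNag
  def initialize
  @warning_registry = []
  @violation_registry = []
- @custom_rule_registry = [
- SecurityGroupMissingEgressRule,
- UserMissingGroupRule,
- UnencryptedS3PutObjectAllowedRule
- ]
  end
 
  def dump_rules
@@ -108,7 +101,7 @@ class CfnNag
 
  generic_json_rules(input_json, rule_directories) unless @stop_processing == true
 
- custom_rules input_json unless @stop_processing == true
+ @violations += custom_rules input_json unless @stop_processing == true
 
  {
  failure_count: Rule::count_failures(@violations),
@@ -208,10 +201,6 @@ class CfnNag
  end
 
  def custom_rules(input_json)
- cfn_model = CfnModel.new.parse(input_json)
- @custom_rule_registry.each do |rule_class|
- audit_result = rule_class.new.audit(cfn_model)
- @violations << audit_result unless audit_result.nil?
- end
+ CustomRuleLoader.new.custom_rules(input_json)
  end
  end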
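Review bot: The three `require_relative 'custom_rules/...'` lines dropped in the first hunk are the only visible place the built-in rule classes were loaded, and the new `custom_rule_loader` required in their place references `SecurityGroupMissingEgressRule`, `UserMissingGroupRule` and `UnencryptedS3PutObjectAllowedRule` in its initializer while requiring only `model/parser_registry` and `model/cfn_model`, so unless those files are loaded somewhere outside this diff, `CustomRuleLoader.new` raises NameError on the first audit; either keep the three requires here or move them into custom_rule_loader.rb next to its other `require_relative` lines. `@custom_rule_registry` is also no longer assigned in `initialize`; if `dump_rules`, whose body starts after the second hunk, still reads it, it now sees nil, which is worth confirming since the hunk stops at its `def`. `custom_rules` now returns whatever the loader returns and the third hunk folds that into `@violations` with `+=`, so a one-line comment on the method such as `# Returns the array of custom-rule violation results (possibly empty); nothing is appended to @violations here.` would make the contract explicit.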
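--- /dev/null
+++ b/data/lib/custom_rule_loader.rb
@@ -0,0 +1,52 @@
+ require_relative 'model/parser_registry'
+ require_relative 'model/cfn_model'
+
+ class CustomRuleLoader
+
+ @custom_rule_directory = '/var/lib/cfn_nag_plugins'
+
+ def self.custom_rule_directory=(directory)
+ @custom_rule_directory = directory
+ end
+
+ def self.custom_rule_directory
+ @custom_rule_directory
+ end
+
+ def initialize
+ @custom_rule_registry = [
+ SecurityGroupMissingEgressRule,
+ UserMissingGroupRule,
+ UnencryptedS3PutObjectAllowedRule
+ ]
+ @violations = []
+ end
+
+ def custom_rules(input_json)
+ discover_rules
+ @custom_rule_registry.each do |rule_class|
+ rule = rule_class.new
+ if rule.respond_to? 'custom_parsers'
+ rule.custom_parsers.each do |custom_parser|
+ ParserRegistry.instance.add_parser custom_parser[0], custom_parser[1]
+ end
+ end
+
+ cfn_model = CfnModel.new.parse(input_json)
+ audit_result = rule_class.new.audit(cfn_model)
+ @violations << audit_result unless audit_result.nil?
+ end
+ @violations
+ end
+
+ private
+
+ def discover_rules(rule_directory: CustomRuleLoader.custom_rule_directory)
+ rules = Dir[File.join(rule_directory, '*Rule.rb')].sort
+
+ rules.each do |rule|
+ require(rule)
+ @custom_rule_registry << Object.const_get(File.basename(rule, '.rb'))
+ end
+ end
+ end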
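Review bot: `discover_rules` `require`s, and therefore executes, every `*Rule.rb` file found under `CustomRuleLoader.custom_rule_directory`, which defaults to the fixed system path `/var/lib/cfn_nag_plugins`, so whoever can write to that directory runs code inside every scan, and the loader never checks the directory's ownership or mode. A cheap guard before the `Dir[...]` glob is `raise ArgumentError, "refusing world-writable rule directory #{rule_directory}" if File.world_writable?(rule_directory)`, and the default path deserves a comment stating that it must be writable only by the administrator who installs plugins. `Object.const_get(File.basename(rule, '.rb'))` additionally assumes the file name equals the class name and that the constant responds to `audit`; a mismatch surfaces as a NameError or NoMethodError far from the file that caused it, so a `respond_to?(:audit)` check that names the offending file in its error would be friendlier. Finally, `custom_rules` calls `discover_rules` on every invocation and appends to `@custom_rule_registry`, so a loader used twice audits each plugin rule twice, and the loop instantiates `rule_class` twice (`rule` and then `rule_class.new.audit`); `rule.audit(cfn_model)` reuses the instance already built, and if `parse` only stores the template the `CfnModel.new.parse(input_json)` call could be hoisted out of the loop.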
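--- a/data/lib/model/cfn_model.rb
+++ b/data/lib/model/cfn_model.rb
@@ -1,7 +1,5 @@
  require 'json'
- require_relative 'security_group_parser'
- require_relative 'iam_user_parser'
- require_relative 's3_bucket_policy_parser'
+ require_relative 'parser_registry'
 
  # consider a canonical form for template too...
  # always transform optional things into more general forms....
@@ -9,14 +7,6 @@ require_relative 's3_bucket_policy_parser'
 
  class CfnModel
  def initialize
- @parser_registry = {
- 'AWS::EC2::SecurityGroup' => SecurityGroupParser,
- 'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
- 'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
- 'AWS::IAM::User' => IamUserParser,
- 'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
- 'AWS::S3::BucketPolicy' => S3BucketPolicyParser
- }
  @dangling_ingress_or_egress_rules = []
  @dangler = Object.new
  end
@@ -26,6 +16,8 @@ class CfnModel
  self
  end
 
+
+
  def security_groups
  fail 'must call parse first' unless @json_hash
  security_groups_hash = resources_by_type('AWS::EC2::SecurityGroup')
@@ -51,6 +43,17 @@ class CfnModel
  bucket_policy_hash.values
  end
 
+ def resources_by_type(resource_type)
+ resources_map = {}
+ resources.each do |resource_name, resource|
+ if resource['Type'] == resource_type
+ resource_parser = ParserRegistry.instance.registry[resource_type].new
+ resources_map[resource_name] = resource_parser.parse(resource_name, resource)
+ end
+ end
+ resources_map
+ end
+
  private
 
  def resolve_user_logical_resource_id(user)
@@ -120,16 +123,7 @@ class CfnModel
  @json_hash['Resources']
  end
 
- def resources_by_type(resource_type)
- resources_map = {}
- resources.each do |resource_name, resource|
- if resource['Type'] == resource_type
- resource_parser = @parser_registry[resource_type].new
- resources_map[resource_name] = resource_parser.parse(resource_name, resource)
- end
- end
- resources_map
- end
+
  end
 
  class SecurityGroup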
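Review bot: `resources_by_type` is now public (it was moved above `private` in the fourth hunk) and looks the parser up with `ParserRegistry.instance.registry[resource_type].new`, so a caller passing a type with no registered parser gets `NoMethodError: undefined method 'new' for nil` instead of a message naming the type; `parser_class = ParserRegistry.instance.registry.fetch(resource_type) { raise ArgumentError, "no parser registered for #{resource_type}" }` would fail clearly, and a YARD line such as `# @param resource_type [String] CloudFormation resource type, e.g. 'AWS::EC2::SecurityGroup'` would document the now-public contract. The two blank lines added before `def security_groups` in the third hunk and the one left in place of the removed private method in the last hunk are stray whitespace. `CfnModel` continues outside every hunk shown here, so the unseen part of the class should be checked for remaining reads of the removed `@parser_registry` ivar.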
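--- /dev/null
+++ b/data/lib/model/parser_registry.rb
@@ -0,0 +1,31 @@
+ require_relative 'security_group_parser'
+ require_relative 'iam_user_parser'
+ require_relative 's3_bucket_policy_parser'
+ require_relative 'parser_registry'
+
+ class ParserRegistry
+ attr_reader :registry
+
+ def initialize
+ @registry = {
+ 'AWS::EC2::SecurityGroup' => SecurityGroupParser,
+ 'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
+ 'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
+ 'AWS::IAM::User' => IamUserParser,
+ 'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
+ 'AWS::S3::BucketPolicy' => S3BucketPolicyParser
+ }
+ end
+
+ def self.instance
+ if @instance.nil?
+ @instance = ParserRegistry.new
+ end
+ @instance
+ end
+
+ def add_parser(resource_name, parser)
+ @registry[resource_name] = parser
+ end
+
+ end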
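Review bot: The fourth line, `require_relative 'parser_registry'`, requires the file being defined (assuming this section is lib/model/parser_registry.rb, which the metadata hunk lists as a new file), which Ruby reports as a circular require under `-w` and which does nothing useful, so it should be dropped. `add_parser` writes straight into the process-wide singleton returned by `self.instance` and silently overwrites any existing entry, so a custom rule that registers a parser for a built-in type such as `'AWS::EC2::SecurityGroup'` changes what every later `CfnModel` returns for every rule in the run; a comment on `add_parser` like `# Replaces any parser already registered for resource_name; the registry is process-global and shared by all rules.` and, arguably, a warning when an existing key is overwritten would make that visible. `self.instance` is also not safe to call from several threads at once, which is fine for a CLI but worth a one-line note if the registry is ever reused from a long-running process.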
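--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cfn-nag
  version: !ruby/object:Gem::Version
- version: 0.0.31
+ version: 0.0.32
  platform: ruby
  authors:
  - someguy
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2017-02-07 00:00:00.000000000 Z
+ date: 2017-02-08 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: logging
@@ -49,6 +49,7 @@ files:
  - bin/cfn_nag
  - bin/cfn_nag_rules
  - lib/cfn_nag.rb
+ - lib/custom_rule_loader.rb
  - lib/custom_rules/security_group_missing_egress.rb
  - lib/custom_rules/unencrypted_s3_put_allowed.rb
  - lib/custom_rules/user_missing_group.rb
@@ -68,6 +69,7 @@ files:
  - lib/model/action_parser.rb
  - lib/model/cfn_model.rb
  - lib/model/iam_user_parser.rb
+ - lib/model/parser_registry.rb
  - lib/model/s3_bucket_policy.rb
  - lib/model/s3_bucket_policy_parser.rb
  - lib/model/security_group_parser.rb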