cfn-nag 0.1.3 → 0.1.4

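--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: 6cdc8b73b4baf895f2d537d883bd9860b23897e1
- data.tar.gz: bcf2fb70a5938d3829ffd0478dbf416c54c7c736
+ metadata.gz: 925a1984f9add12d1a4159b79eb3f4f4d5603b3d
+ data.tar.gz: 8730b02031b2b4105725f33702183523908103d2
 SHA512:
- metadata.gz: 5a2a7112e5e5c33d685b0ee313e10a8465115456704857ba98c19c17985b552e78eae18527c5a22d9905f523aef46c912f83e5f786a333d5ab150d9ad1c4f20f
- data.tar.gz: a0c38143f8ee7c95fd7438b3f0e2b4538d90640596d6987bb4ef63f1d84688b432b4d8af8117083082874433ec75c7d971e107a7c7e6d28e25fbac97b77eeb2a
+ metadata.gz: 9dfdee7dd21fad7c6615f80155c5f73fc3106eb82f0af465bf9d1836751d1ee5e7c21281bb2819d431ee2c1602c465a26f7a651654f7158349c43d3848692f48
+ data.tar.gz: d481baab30b72c80062018e3069e008cf5188d0f2f49c8af1ab1c473b24e8ee66aee341a12f9a28b6ca2dea5bb1fb82921f814e871a09163049b9d132f978b0a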
@@ -37,11 +37,10 @@ class CfnNag
37
37
  #
38
38
  def audit_aggregate_across_files(input_path:)
39
39
  templates = TemplateDiscovery.new.discover_templates(input_path)
40
-
41
40
  aggregate_results = []
42
41
  templates.each do |template|
43
42
  aggregate_results << {
44
- filename: template.path,
43
+ filename: template,
45
44
  file_results: audit(cloudformation_string: IO.read(template))
46
45
  }
47
46
  end
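Review bot: `filename: template` now assumes `template` is a path String; that holds for the single-file branch of TemplateDiscovery in this release, but `find_templates_in_directory` is not visible here, and if it still yields File objects the `:filename` value will differ in type between directory and single-file input. A one-line comment on the method, `# templates are path Strings as returned by TemplateDiscovery; :filename carries that path verbatim`, would pin the expectation. On the unchanged `file_results:` line, `IO.read` interprets a path beginning with `|` as a command to run; `File.read(template)` reads the same file without that interpretation and is the safer call for paths that originate outside the program, even though discovered paths are unlikely to take that shape. audit_aggregate_across_files continues past the end of the hunk.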
@@ -1,6 +1,8 @@
1
1
  require 'cfn-model'
2
2
  require 'logging'
3
3
  require_relative 'rule_registry'
4
+ require 'cfn-nag/jmes_path_evaluator'
5
+ require 'cfn-nag/jmes_path_discovery'
4
6
 
5
7
  ##
6
8
  # This object can discover the internal and custom user-provided rules and
@@ -21,6 +23,14 @@ class CustomRuleLoader
21
23
  type: rule.rule_type,
22
24
  message: rule.rule_text)
23
25
  end
26
+
27
+ discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
28
+ evaluator = JmesPathDiscovery.new rule_registry
29
+ evaluator.instance_eval do
30
+ eval IO.read jmespath_file
31
+ end
32
+ end
33
+
24
34
  rule_registry
25
35
  end
26
36
 
@@ -33,6 +43,14 @@ class CustomRuleLoader
33
43
  audit_result = rule_class.new.audit(cfn_model)
34
44
  violations << audit_result unless audit_result.nil?
35
45
  end
46
+
47
+ discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
48
+ evaluator = JmesPathEvaluator.new cfn_model
49
+ evaluator.instance_eval do
50
+ eval IO.read jmespath_file
51
+ end
52
+ violations += evaluator.violations
53
+ end
36
54
  violations
37
55
  end
38
56
 
@@ -69,4 +87,14 @@ class CustomRuleLoader
69
87
 
70
88
  rule_classes
71
89
  end
90
+
91
+ def discover_jmespath_filenames(rule_directory)
92
+ rule_filenames = []
93
+ unless rule_directory.nil?
94
+ rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
95
+ end
96
+ rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
97
+ Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
98
+ rule_filenames
99
+ end
72
100
  end
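Review bot: Both new `discover_jmespath_filenames(@rule_directory).each` loops (second and third hunks) execute every `*jmespath.rb` file as Ruby through a nested `eval` inside `instance_eval`, which drops the file name and line number from any error raised by a rule file and reads the file with `IO.read`; `evaluator.instance_eval(File.read(jmespath_file), jmespath_file)` does the same thing in one call, reports errors against the rule file, and avoids `IO.read`'s treatment of a leading `|` as a command. Each rule file is read and evaluated again on every audit call rather than once at discovery, which appears harmless but is worth a comment if intentional. Since the rule directory is user-supplied, a comment on `discover_jmespath_filenames` such as `# jmespath rule files are executed as Ruby with the evaluator as self, exactly like class-based custom rules, so the rule directory must be trusted` makes the trust boundary explicit; it is not visible whether that method sits under a `private` marker, and if not it should. The methods changed in the second and third hunks begin before their hunks.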
@@ -0,0 +1,4 @@
1
+
2
+ # failure(id: 'F8888',
3
+ # jmespath: "Resources.*|[?Type == 'AWS::EC2::Volume' && (Properties.Encrypted == `false` || Properties.Encrypted == `null`)].id",
4
+ # message: 'Found a naughty EBS volume')
@@ -0,0 +1,17 @@
1
+ class JmesPathDiscovery
2
+ def initialize(rule_registry)
3
+ @rule_registry = rule_registry
4
+ end
5
+
6
+ def warning(id:, jmespath:, message:)
7
+ @rule_registry.definition(id: id,
8
+ type: Violation::WARNING,
9
+ message: message)
10
+ end
11
+
12
+ def failure(id:, jmespath:, message:)
13
+ @rule_registry.definition(id: id,
14
+ type: Violation::FAILING_VIOLATION,
15
+ message: message)
16
+ end
17
+ end
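Review bot: `warning` and `failure` accept a `jmespath:` keyword they never use, and nothing records why; since this class exists so the same rule file can be `instance_eval`'d for registration as well as evaluation, a class comment such as `# Registers the id/type/message of each jmespath rule; the jmespath: keyword is accepted only so rule files share one DSL with JmesPathEvaluator` would keep a later cleanup from breaking rule files. The two methods differ only in the `type:` value and could delegate to one private `register(id:, type:, message:)` helper. The file has no `require` for whatever defines `Violation`, so it appears to rely on the caller having loaded cfn-model first; that is worth stating in the same comment.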
@@ -0,0 +1,51 @@
1
+ require 'jmespath'
2
+ require 'logging'
3
+
4
+ class JmesPathEvaluator
5
+ def initialize(cfn_model)
6
+ @cfn_model = cfn_model
7
+ @warnings = []
8
+ @failures = []
9
+ end
10
+
11
+ def warning(id:, jmespath:, message:)
12
+ violation id: id,
13
+ jmespath: jmespath,
14
+ message: message,
15
+ violation_type: Violation::WARNING
16
+ end
17
+
18
+ def failure(id:, jmespath:, message:)
19
+ violation id: id,
20
+ jmespath: jmespath,
21
+ message: message,
22
+ violation_type: Violation::FAILING_VIOLATION
23
+ end
24
+
25
+ def violations
26
+ @warnings + @failures
27
+ end
28
+
29
+ private
30
+
31
+ def violation(id:, jmespath:, message:, violation_type:)
32
+ Logging.logger['log'].debug jmespath
33
+
34
+ logical_resource_ids = JMESPath.search(jmespath,
35
+ flatten(@cfn_model.raw_model))
36
+
37
+ unless logical_resource_ids.empty?
38
+ @warnings << Violation.new(id: id,
39
+ type: violation_type,
40
+ message: message,
41
+ logical_resource_ids: logical_resource_ids)
42
+ end
43
+ end
44
+
45
+ def flatten(hash)
46
+ hash['Resources'].each do |logical_resource_id, resource|
47
+ resource['id'] = logical_resource_id
48
+ end
49
+ hash
50
+ end
51
+ end
@@ -3,7 +3,11 @@ class TemplateDiscovery
3
3
  if ::File.directory? input_json_path
4
4
  templates = find_templates_in_directory(directory: input_json_path)
5
5
  elsif ::File.file? input_json_path
6
- templates = [File.new(input_json_path)]
6
+ if input_json_path.is_a? File
7
+ templates = [input_json_path.path]
8
+ else
9
+ templates = [input_json_path]
10
+ end
7
11
  else
8
12
  fail "#{input_json_path} is not a proper path"
9
13
  end
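Review bot: The new `is_a? File` branch only normalizes File instances; a Pathname also satisfies `::File.file?` and would pass through unchanged, so `templates` can still hold a non-String. `templates = [input_json_path.respond_to?(:to_path) ? input_json_path.to_path : input_json_path]` covers File, Pathname and plain Strings in one line, and a comment above it, `# normalize to a path String so callers can read and report the template uniformly`, records the intent. The enclosing method begins before the hunk and continues after it.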
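--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
- version: 0.1.3
+ version: 0.1.4
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
- date: 2017-07-14 00:00:00.000000000 Z
+ date: 2017-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logging
@@ -52,6 +52,20 @@ dependencies:
 - - '='
 - !ruby/object:Gem::Version
 version: 0.0.6
+ - !ruby/object:Gem::Dependency
+ name: jmespath
+ requirement: !ruby/object:Gem::Requirement
+ requirements:
+ - - '='
+ - !ruby/object:Gem::Version
+ version: 1.3.1
+ type: :runtime
+ prerelease: false
+ version_requirements: !ruby/object:Gem::Requirement
+ requirements:
+ - - '='
+ - !ruby/object:Gem::Version
+ version: 1.3.1
 description: Auditing tool for CloudFormation templates
 email:
 executables:
@@ -113,7 +127,10 @@ files:
 - lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
 - lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
+ - lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
 - lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
+ - lib/cfn-nag/jmes_path_discovery.rb
+ - lib/cfn-nag/jmes_path_evaluator.rb
 - lib/cfn-nag/profile.rb
 - lib/cfn-nag/profile_loader.rb
 - lib/cfn-nag/result_view/json_results.rb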