cfn-nag 0.1.3 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +1 -2
- data/lib/cfn-nag/custom_rule_loader.rb +28 -0
- data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb +4 -0
- data/lib/cfn-nag/jmes_path_discovery.rb +17 -0
- data/lib/cfn-nag/jmes_path_evaluator.rb +51 -0
- data/lib/cfn-nag/template_discovery.rb +5 -1
- metadata +19 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 925a1984f9add12d1a4159b79eb3f4f4d5603b3d
|
4
|
+
data.tar.gz: 8730b02031b2b4105725f33702183523908103d2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9dfdee7dd21fad7c6615f80155c5f73fc3106eb82f0af465bf9d1836751d1ee5e7c21281bb2819d431ee2c1602c465a26f7a651654f7158349c43d3848692f48
|
7
|
+
data.tar.gz: d481baab30b72c80062018e3069e008cf5188d0f2f49c8af1ab1c473b24e8ee66aee341a12f9a28b6ca2dea5bb1fb82921f814e871a09163049b9d132f978b0a
|
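--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -37,11 +37,10 @@ class CfnNag
 #
 def audit_aggregate_across_files(input_path:)
 templates = TemplateDiscovery.new.discover_templates(input_path)
-
 aggregate_results = []
 templates.each do |template|
 aggregate_results << {
-filename: template
+filename: template,
 file_results: audit(cloudformation_string: IO.read(template))
 }
 end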
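Review bot: `IO.read(template)` on the new `file_results:` line should be `File.read(template)`: `IO.read` spawns a subprocess when the path it is given starts with `|`, and `template` is a path produced by `TemplateDiscovery` from caller-supplied input, whereas `File.read` only ever opens a file. The same `IO.read` pattern appears in the new rule-loading loops in custom_rule_loader.rb, where the paths are globbed from the rule directory. `audit_aggregate_across_files` continues past the end of the hunk.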
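--- a/data/lib/cfn-nag/custom_rule_loader.rb
+++ b/data/lib/cfn-nag/custom_rule_loader.rb
@@ -1,6 +1,8 @@
 require 'cfn-model'
 require 'logging'
 require_relative 'rule_registry'
+require 'cfn-nag/jmes_path_evaluator'
+require 'cfn-nag/jmes_path_discovery'
 
 ##
 # This object can discover the internal and custom user-provided rules and
@@ -21,6 +23,14 @@ class CustomRuleLoader
 type: rule.rule_type,
 message: rule.rule_text)
 end
+
+discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+evaluator = JmesPathDiscovery.new rule_registry
+evaluator.instance_eval do
+eval IO.read jmespath_file
+end
+end
+
 rule_registry
 end
 
@@ -33,6 +43,14 @@ class CustomRuleLoader
 audit_result = rule_class.new.audit(cfn_model)
 violations << audit_result unless audit_result.nil?
 end
+
+discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+evaluator = JmesPathEvaluator.new cfn_model
+evaluator.instance_eval do
+eval IO.read jmespath_file
+end
+violations += evaluator.violations
+end
 violations
 end
 
@@ -69,4 +87,14 @@ class CustomRuleLoader
 
 rule_classes
 end
+
+def discover_jmespath_filenames(rule_directory)
+rule_filenames = []
+unless rule_directory.nil?
+rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
+end
+rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
+Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
+rule_filenames
+end
 end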
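Review bot: The two new loops execute every `*jmespath.rb` file as Ruby via `eval IO.read jmespath_file`, once at discovery and again on every audit, so the rule directory is a code-execution trust boundary and deserves a comment saying so, e.g. `# Rule files are evaluated as Ruby with this process's privileges; only load them from a trusted rule directory.` The string `eval` nested inside `instance_eval do … end` also drops the file name from backtraces; `evaluator.instance_eval(File.read(jmespath_file), jmespath_file, 1)` replaces the three-line block in both loops, avoids `IO.read`'s pipe handling, and makes a failing rule report its own path and line. The identical loop bodies in the second and third hunks could share one private helper that takes the evaluator object. Whether class-based custom rules are loaded through the same kind of mechanism is not visible in this diff.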
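--- a/data/lib/cfn-nag/jmes_path_discovery.rb
+++ b/data/lib/cfn-nag/jmes_path_discovery.rb
@@ -0,0 +1,17 @@
+class JmesPathDiscovery
+def initialize(rule_registry)
+@rule_registry = rule_registry
+end
+
+def warning(id:, jmespath:, message:)
+@rule_registry.definition(id: id,
+type: Violation::WARNING,
+message: message)
+end
+
+def failure(id:, jmespath:, message:)
+@rule_registry.definition(id: id,
+type: Violation::FAILING_VIOLATION,
+message: message)
+end
+end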
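Review bot: Both `warning` and `failure` accept a `jmespath:` keyword they never read, which looks deliberate (the same rule file is evaluated here and by JmesPathEvaluator) but should be stated in a comment, e.g. `# jmespath: is accepted only so rule files share one DSL with JmesPathEvaluator; discovery registers ids and messages and runs no queries.` `Violation::WARNING` and `Violation::FAILING_VIOLATION` are referenced without any require in this file, so it presumably relies on the caller having loaded Violation first; a require here would make the file loadable on its own. If the jmespath gem exposes a parse step, discovery would be the natural place to reject a malformed expression before any audit runs.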
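--- a/data/lib/cfn-nag/jmes_path_evaluator.rb
+++ b/data/lib/cfn-nag/jmes_path_evaluator.rb
@@ -0,0 +1,51 @@
+require 'jmespath'
+require 'logging'
+
+class JmesPathEvaluator
+def initialize(cfn_model)
+@cfn_model = cfn_model
+@warnings = []
+@failures = []
+end
+
+def warning(id:, jmespath:, message:)
+violation id: id,
+jmespath: jmespath,
+message: message,
+violation_type: Violation::WARNING
+end
+
+def failure(id:, jmespath:, message:)
+violation id: id,
+jmespath: jmespath,
+message: message,
+violation_type: Violation::FAILING_VIOLATION
+end
+
+def violations
+@warnings + @failures
+end
+
+private
+
+def violation(id:, jmespath:, message:, violation_type:)
+Logging.logger['log'].debug jmespath
+
+logical_resource_ids = JMESPath.search(jmespath,
+flatten(@cfn_model.raw_model))
+
+unless logical_resource_ids.empty?
+@warnings << Violation.new(id: id,
+type: violation_type,
+message: message,
+logical_resource_ids: logical_resource_ids)
+end
+end
+
+def flatten(hash)
+hash['Resources'].each do |logical_resource_id, resource|
+resource['id'] = logical_resource_id
+end
+hash
+end
+end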
@@ -3,7 +3,11 @@ class TemplateDiscovery
|
|
3
3
|
if ::File.directory? input_json_path
|
4
4
|
templates = find_templates_in_directory(directory: input_json_path)
|
5
5
|
elsif ::File.file? input_json_path
|
6
|
-
|
6
|
+
if input_json_path.is_a? File
|
7
|
+
templates = [input_json_path.path]
|
8
|
+
else
|
9
|
+
templates = [input_json_path]
|
10
|
+
end
|
7
11
|
else
|
8
12
|
fail "#{input_json_path} is not a proper path"
|
9
13
|
end
|
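Review bot: The new `is_a? File` branch keys on the concrete class, so any other object that responds to `path` (an IO-like wrapper, for instance) falls through to the `else` arm and is stored as-is; duck typing reads more naturally here and collapses the five added lines into one: `templates = [input_json_path.respond_to?(:path) ? input_json_path.path : input_json_path]`. Whether `::File.file?` on the line above accepts such wrappers is not visible in this hunk, so that guard would need checking alongside it. The enclosing method (presumably `discover_templates`, which cfn_nag.rb calls) begins before the hunk and its return value is outside it; the removed old line 6 also appears truncated in this rendering, so the pre-change behavior cannot be confirmed from the page.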
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-07-
|
11
|
+
date: 2017-07-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logging
|
@@ -52,6 +52,20 @@ dependencies:
|
|
52
52
|
- - '='
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: 0.0.6
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: jmespath
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - '='
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 1.3.1
|
62
|
+
type: :runtime
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - '='
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: 1.3.1
|
55
69
|
description: Auditing tool for CloudFormation templates
|
56
70
|
email:
|
57
71
|
executables:
|
@@ -113,7 +127,10 @@ files:
|
|
113
127
|
- lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
|
114
128
|
- lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
|
115
129
|
- lib/cfn-nag/custom_rules/base.rb
|
130
|
+
- lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
|
116
131
|
- lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
|
132
|
+
- lib/cfn-nag/jmes_path_discovery.rb
|
133
|
+
- lib/cfn-nag/jmes_path_evaluator.rb
|
117
134
|
- lib/cfn-nag/profile.rb
|
118
135
|
- lib/cfn-nag/profile_loader.rb
|
119
136
|
- lib/cfn-nag/result_view/json_results.rb
|