cfn-nag 0.1.3 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/cfn-nag/cfn_nag.rb +1 -2
- data/lib/cfn-nag/custom_rule_loader.rb +28 -0
- data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb +4 -0
- data/lib/cfn-nag/jmes_path_discovery.rb +17 -0
- data/lib/cfn-nag/jmes_path_evaluator.rb +51 -0
- data/lib/cfn-nag/template_discovery.rb +5 -1
- metadata +19 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 925a1984f9add12d1a4159b79eb3f4f4d5603b3d
|
4
|
+
data.tar.gz: 8730b02031b2b4105725f33702183523908103d2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9dfdee7dd21fad7c6615f80155c5f73fc3106eb82f0af465bf9d1836751d1ee5e7c21281bb2819d431ee2c1602c465a26f7a651654f7158349c43d3848692f48
|
7
|
+
data.tar.gz: d481baab30b72c80062018e3069e008cf5188d0f2f49c8af1ab1c473b24e8ee66aee341a12f9a28b6ca2dea5bb1fb82921f814e871a09163049b9d132f978b0a
|
data/lib/cfn-nag/cfn_nag.rb
CHANGED
@@ -37,11 +37,10 @@ class CfnNag
|
|
37
37
|
#
|
38
38
|
def audit_aggregate_across_files(input_path:)
|
39
39
|
templates = TemplateDiscovery.new.discover_templates(input_path)
|
40
|
-
|
41
40
|
aggregate_results = []
|
42
41
|
templates.each do |template|
|
43
42
|
aggregate_results << {
|
44
|
-
filename: template
|
43
|
+
filename: template,
|
45
44
|
file_results: audit(cloudformation_string: IO.read(template))
|
46
45
|
}
|
47
46
|
end
|
@@ -1,6 +1,8 @@
|
|
1
1
|
require 'cfn-model'
|
2
2
|
require 'logging'
|
3
3
|
require_relative 'rule_registry'
|
4
|
+
require 'cfn-nag/jmes_path_evaluator'
|
5
|
+
require 'cfn-nag/jmes_path_discovery'
|
4
6
|
|
5
7
|
##
|
6
8
|
# This object can discover the internal and custom user-provided rules and
|
@@ -21,6 +23,14 @@ class CustomRuleLoader
|
|
21
23
|
type: rule.rule_type,
|
22
24
|
message: rule.rule_text)
|
23
25
|
end
|
26
|
+
|
27
|
+
discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
|
28
|
+
evaluator = JmesPathDiscovery.new rule_registry
|
29
|
+
evaluator.instance_eval do
|
30
|
+
eval IO.read jmespath_file
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
24
34
|
rule_registry
|
25
35
|
end
|
26
36
|
|
@@ -33,6 +43,14 @@ class CustomRuleLoader
|
|
33
43
|
audit_result = rule_class.new.audit(cfn_model)
|
34
44
|
violations << audit_result unless audit_result.nil?
|
35
45
|
end
|
46
|
+
|
47
|
+
discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
|
48
|
+
evaluator = JmesPathEvaluator.new cfn_model
|
49
|
+
evaluator.instance_eval do
|
50
|
+
eval IO.read jmespath_file
|
51
|
+
end
|
52
|
+
violations += evaluator.violations
|
53
|
+
end
|
36
54
|
violations
|
37
55
|
end
|
38
56
|
|
@@ -69,4 +87,14 @@ class CustomRuleLoader
|
|
69
87
|
|
70
88
|
rule_classes
|
71
89
|
end
|
90
|
+
|
91
|
+
def discover_jmespath_filenames(rule_directory)
|
92
|
+
rule_filenames = []
|
93
|
+
unless rule_directory.nil?
|
94
|
+
rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
|
95
|
+
end
|
96
|
+
rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
|
97
|
+
Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
|
98
|
+
rule_filenames
|
99
|
+
end
|
72
100
|
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
class JmesPathDiscovery
|
2
|
+
def initialize(rule_registry)
|
3
|
+
@rule_registry = rule_registry
|
4
|
+
end
|
5
|
+
|
6
|
+
def warning(id:, jmespath:, message:)
|
7
|
+
@rule_registry.definition(id: id,
|
8
|
+
type: Violation::WARNING,
|
9
|
+
message: message)
|
10
|
+
end
|
11
|
+
|
12
|
+
def failure(id:, jmespath:, message:)
|
13
|
+
@rule_registry.definition(id: id,
|
14
|
+
type: Violation::FAILING_VIOLATION,
|
15
|
+
message: message)
|
16
|
+
end
|
17
|
+
end
|
@@ -0,0 +1,51 @@
|
|
1
|
+
require 'jmespath'
|
2
|
+
require 'logging'
|
3
|
+
|
4
|
+
class JmesPathEvaluator
|
5
|
+
def initialize(cfn_model)
|
6
|
+
@cfn_model = cfn_model
|
7
|
+
@warnings = []
|
8
|
+
@failures = []
|
9
|
+
end
|
10
|
+
|
11
|
+
def warning(id:, jmespath:, message:)
|
12
|
+
violation id: id,
|
13
|
+
jmespath: jmespath,
|
14
|
+
message: message,
|
15
|
+
violation_type: Violation::WARNING
|
16
|
+
end
|
17
|
+
|
18
|
+
def failure(id:, jmespath:, message:)
|
19
|
+
violation id: id,
|
20
|
+
jmespath: jmespath,
|
21
|
+
message: message,
|
22
|
+
violation_type: Violation::FAILING_VIOLATION
|
23
|
+
end
|
24
|
+
|
25
|
+
def violations
|
26
|
+
@warnings + @failures
|
27
|
+
end
|
28
|
+
|
29
|
+
private
|
30
|
+
|
31
|
+
def violation(id:, jmespath:, message:, violation_type:)
|
32
|
+
Logging.logger['log'].debug jmespath
|
33
|
+
|
34
|
+
logical_resource_ids = JMESPath.search(jmespath,
|
35
|
+
flatten(@cfn_model.raw_model))
|
36
|
+
|
37
|
+
unless logical_resource_ids.empty?
|
38
|
+
@warnings << Violation.new(id: id,
|
39
|
+
type: violation_type,
|
40
|
+
message: message,
|
41
|
+
logical_resource_ids: logical_resource_ids)
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
def flatten(hash)
|
46
|
+
hash['Resources'].each do |logical_resource_id, resource|
|
47
|
+
resource['id'] = logical_resource_id
|
48
|
+
end
|
49
|
+
hash
|
50
|
+
end
|
51
|
+
end
|
@@ -3,7 +3,11 @@ class TemplateDiscovery
|
|
3
3
|
if ::File.directory? input_json_path
|
4
4
|
templates = find_templates_in_directory(directory: input_json_path)
|
5
5
|
elsif ::File.file? input_json_path
|
6
|
-
|
6
|
+
if input_json_path.is_a? File
|
7
|
+
templates = [input_json_path.path]
|
8
|
+
else
|
9
|
+
templates = [input_json_path]
|
10
|
+
end
|
7
11
|
else
|
8
12
|
fail "#{input_json_path} is not a proper path"
|
9
13
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.4
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-07-
|
11
|
+
date: 2017-07-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logging
|
@@ -52,6 +52,20 @@ dependencies:
|
|
52
52
|
- - '='
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: 0.0.6
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: jmespath
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - '='
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: 1.3.1
|
62
|
+
type: :runtime
|
63
|
+
prerelease: false
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
65
|
+
requirements:
|
66
|
+
- - '='
|
67
|
+
- !ruby/object:Gem::Version
|
68
|
+
version: 1.3.1
|
55
69
|
description: Auditing tool for CloudFormation templates
|
56
70
|
email:
|
57
71
|
executables:
|
@@ -113,7 +127,10 @@ files:
|
|
113
127
|
- lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
|
114
128
|
- lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
|
115
129
|
- lib/cfn-nag/custom_rules/base.rb
|
130
|
+
- lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
|
116
131
|
- lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
|
132
|
+
- lib/cfn-nag/jmes_path_discovery.rb
|
133
|
+
- lib/cfn-nag/jmes_path_evaluator.rb
|
117
134
|
- lib/cfn-nag/profile.rb
|
118
135
|
- lib/cfn-nag/profile_loader.rb
|
119
136
|
- lib/cfn-nag/result_view/json_results.rb
|