cfn-nag 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6cdc8b73b4baf895f2d537d883bd9860b23897e1
-  data.tar.gz: bcf2fb70a5938d3829ffd0478dbf416c54c7c736
+  metadata.gz: 925a1984f9add12d1a4159b79eb3f4f4d5603b3d
+  data.tar.gz: 8730b02031b2b4105725f33702183523908103d2
 SHA512:
-  metadata.gz: 5a2a7112e5e5c33d685b0ee313e10a8465115456704857ba98c19c17985b552e78eae18527c5a22d9905f523aef46c912f83e5f786a333d5ab150d9ad1c4f20f
-  data.tar.gz: a0c38143f8ee7c95fd7438b3f0e2b4538d90640596d6987bb4ef63f1d84688b432b4d8af8117083082874433ec75c7d971e107a7c7e6d28e25fbac97b77eeb2a
+  metadata.gz: 9dfdee7dd21fad7c6615f80155c5f73fc3106eb82f0af465bf9d1836751d1ee5e7c21281bb2819d431ee2c1602c465a26f7a651654f7158349c43d3848692f48
+  data.tar.gz: d481baab30b72c80062018e3069e008cf5188d0f2f49c8af1ab1c473b24e8ee66aee341a12f9a28b6ca2dea5bb1fb82921f814e871a09163049b9d132f978b0a

data/lib/cfn-nag/cfn_nag.rb

@@ -37,11 +37,10 @@ class CfnNag
   #
   def audit_aggregate_across_files(input_path:)
     templates = TemplateDiscovery.new.discover_templates(input_path)
-
     aggregate_results = []
     templates.each do |template|
       aggregate_results << {
-        filename: template.path,
+        filename: template,
         file_results: audit(cloudformation_string: IO.read(template))
       }
     end

data/lib/cfn-nag/custom_rule_loader.rb

@@ -1,6 +1,8 @@
 require 'cfn-model'
 require 'logging'
 require_relative 'rule_registry'
+require 'cfn-nag/jmes_path_evaluator'
+require 'cfn-nag/jmes_path_discovery'
 
 ##
 # This object can discover the internal and custom user-provided rules and
@@ -21,6 +23,14 @@ class CustomRuleLoader
                                type: rule.rule_type,
                                message: rule.rule_text)
     end
+
+    discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+      evaluator = JmesPathDiscovery.new rule_registry
+      evaluator.instance_eval do
+        eval IO.read jmespath_file
+      end
+    end
+
     rule_registry
   end
 
@@ -33,6 +43,14 @@ class CustomRuleLoader
       audit_result = rule_class.new.audit(cfn_model)
       violations << audit_result unless audit_result.nil?
     end
+
+    discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+      evaluator = JmesPathEvaluator.new cfn_model
+      evaluator.instance_eval do
+        eval IO.read jmespath_file
+      end
+      violations +=  evaluator.violations
+    end
     violations
   end
 
@@ -69,4 +87,14 @@ class CustomRuleLoader
 
     rule_classes
   end
+
+  def discover_jmespath_filenames(rule_directory)
+    rule_filenames = []
+    unless rule_directory.nil?
+      rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
+    end
+    rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
+    Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
+    rule_filenames
+  end
 end

data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb

@@ -0,0 +1,4 @@
+
+# failure(id: 'F8888',
+#         jmespath: "Resources.*|[?Type == 'AWS::EC2::Volume' && (Properties.Encrypted == `false` || Properties.Encrypted == `null`)].id",
+#         message: 'Found a naughty EBS volume')

data/lib/cfn-nag/jmes_path_discovery.rb

@@ -0,0 +1,17 @@
+class JmesPathDiscovery
+  def initialize(rule_registry)
+    @rule_registry = rule_registry
+  end
+
+  def warning(id:, jmespath:, message:)
+    @rule_registry.definition(id: id,
+                              type: Violation::WARNING,
+                              message: message)
+  end
+
+  def failure(id:, jmespath:, message:)
+    @rule_registry.definition(id: id,
+                              type: Violation::FAILING_VIOLATION,
+                              message: message)
+  end
+end

data/lib/cfn-nag/jmes_path_evaluator.rb

@@ -0,0 +1,51 @@
+require 'jmespath'
+require 'logging'
+
+class JmesPathEvaluator
+  def initialize(cfn_model)
+    @cfn_model = cfn_model
+    @warnings = []
+    @failures = []
+  end
+
+  def warning(id:, jmespath:, message:)
+    violation id: id,
+              jmespath: jmespath,
+              message: message,
+              violation_type: Violation::WARNING
+  end
+
+  def failure(id:, jmespath:, message:)
+    violation id: id,
+              jmespath: jmespath,
+              message: message,
+              violation_type: Violation::FAILING_VIOLATION
+  end
+
+  def violations
+    @warnings + @failures
+  end
+
+  private
+
+  def violation(id:, jmespath:, message:, violation_type:)
+    Logging.logger['log'].debug jmespath
+
+    logical_resource_ids = JMESPath.search(jmespath,
+                                           flatten(@cfn_model.raw_model))
+
+    unless logical_resource_ids.empty?
+      @warnings << Violation.new(id: id,
+                                 type: violation_type,
+                                 message: message,
+                                 logical_resource_ids: logical_resource_ids)
+    end
+  end
+
+  def flatten(hash)
+    hash['Resources'].each do |logical_resource_id, resource|
+      resource['id'] = logical_resource_id
+    end
+    hash
+  end
+end

data/lib/cfn-nag/template_discovery.rb

@@ -3,7 +3,11 @@ class TemplateDiscovery
     if ::File.directory? input_json_path
       templates = find_templates_in_directory(directory: input_json_path)
     elsif ::File.file? input_json_path
-      templates = [File.new(input_json_path)]
+      if input_json_path.is_a? File
+        templates = [input_json_path.path]
+      else
+        templates = [input_json_path]
+      end
     else
       fail "#{input_json_path} is not a proper path"
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-14 00:00:00.000000000 Z
+date: 2017-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -52,6 +52,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.0.6
+- !ruby/object:Gem::Dependency
+  name: jmespath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
 description: Auditing tool for CloudFormation templates
 email: 
 executables:
@@ -113,7 +127,10 @@ files:
 - lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
 - lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
+- lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
 - lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
+- lib/cfn-nag/jmes_path_discovery.rb
+- lib/cfn-nag/jmes_path_evaluator.rb
 - lib/cfn-nag/profile.rb
 - lib/cfn-nag/profile_loader.rb
 - lib/cfn-nag/result_view/json_results.rb