RubyGems - cfn-nag - Versions diffs - 0.1.3 → 0.1.4 - Mend

cfn-nag 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/cfn_nag.rb +1 -2
data/lib/cfn-nag/custom_rule_loader.rb +28 -0
data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb +4 -0
data/lib/cfn-nag/jmes_path_discovery.rb +17 -0
data/lib/cfn-nag/jmes_path_evaluator.rb +51 -0
data/lib/cfn-nag/template_discovery.rb +5 -1
metadata +19 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6cdc8b73b4baf895f2d537d883bd9860b23897e1
-  data.tar.gz: bcf2fb70a5938d3829ffd0478dbf416c54c7c736
+  metadata.gz: 925a1984f9add12d1a4159b79eb3f4f4d5603b3d
+  data.tar.gz: 8730b02031b2b4105725f33702183523908103d2
 SHA512:
-  metadata.gz: 5a2a7112e5e5c33d685b0ee313e10a8465115456704857ba98c19c17985b552e78eae18527c5a22d9905f523aef46c912f83e5f786a333d5ab150d9ad1c4f20f
-  data.tar.gz: a0c38143f8ee7c95fd7438b3f0e2b4538d90640596d6987bb4ef63f1d84688b432b4d8af8117083082874433ec75c7d971e107a7c7e6d28e25fbac97b77eeb2a
+  metadata.gz: 9dfdee7dd21fad7c6615f80155c5f73fc3106eb82f0af465bf9d1836751d1ee5e7c21281bb2819d431ee2c1602c465a26f7a651654f7158349c43d3848692f48
+  data.tar.gz: d481baab30b72c80062018e3069e008cf5188d0f2f49c8af1ab1c473b24e8ee66aee341a12f9a28b6ca2dea5bb1fb82921f814e871a09163049b9d132f978b0a

data/lib/cfn-nag/cfn_nag.rb CHANGED

@@ -37,11 +37,10 @@ class CfnNag
   #
   def audit_aggregate_across_files(input_path:)
     templates = TemplateDiscovery.new.discover_templates(input_path)
     aggregate_results = []
     templates.each do |template|
       aggregate_results << {
-        filename: template.path,
+        filename: template,
         file_results: audit(cloudformation_string: IO.read(template))
       }
     end

data/lib/cfn-nag/custom_rule_loader.rb CHANGED

@@ -1,6 +1,8 @@
 require 'cfn-model'
 require 'logging'
 require_relative 'rule_registry'
+require 'cfn-nag/jmes_path_evaluator'
+require 'cfn-nag/jmes_path_discovery'
 ##
 # This object can discover the internal and custom user-provided rules and
@@ -21,6 +23,14 @@ class CustomRuleLoader
                                type: rule.rule_type,
                                message: rule.rule_text)
     end
+    discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+      evaluator = JmesPathDiscovery.new rule_registry
+      evaluator.instance_eval do
+        eval IO.read jmespath_file
+      end
+    end
     rule_registry
   end
@@ -33,6 +43,14 @@ class CustomRuleLoader
       audit_result = rule_class.new.audit(cfn_model)
       violations << audit_result unless audit_result.nil?
     end
+    discover_jmespath_filenames(@rule_directory).each do |jmespath_file|
+      evaluator = JmesPathEvaluator.new cfn_model
+      evaluator.instance_eval do
+        eval IO.read jmespath_file
+      end
+      violations +=  evaluator.violations
+    end
     violations
   end
@@ -69,4 +87,14 @@ class CustomRuleLoader
     rule_classes
   end
+  def discover_jmespath_filenames(rule_directory)
+    rule_filenames = []
+    unless rule_directory.nil?
+      rule_filenames += Dir[File.join(rule_directory, '*jmespath.rb')].sort
+    end
+    rule_filenames += Dir[File.join(__dir__, 'custom_rules', '*jmespath.rb')].sort
+    Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
+    rule_filenames
+  end
 end

data/lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb ADDED

@@ -0,0 +1,4 @@
+# failure(id: 'F8888',
+#         jmespath: "Resources.*|[?Type == 'AWS::EC2::Volume' && (Properties.Encrypted == `false` || Properties.Encrypted == `null`)].id",
+#         message: 'Found a naughty EBS volume')

data/lib/cfn-nag/jmes_path_discovery.rb ADDED

@@ -0,0 +1,17 @@
+class JmesPathDiscovery
+  def initialize(rule_registry)
+    @rule_registry = rule_registry
+  end
+  def warning(id:, jmespath:, message:)
+    @rule_registry.definition(id: id,
+                              type: Violation::WARNING,
+                              message: message)
+  end
+  def failure(id:, jmespath:, message:)
+    @rule_registry.definition(id: id,
+                              type: Violation::FAILING_VIOLATION,
+                              message: message)
+  end
+end

data/lib/cfn-nag/jmes_path_evaluator.rb ADDED

@@ -0,0 +1,51 @@
+require 'jmespath'
+require 'logging'
+class JmesPathEvaluator
+  def initialize(cfn_model)
+    @cfn_model = cfn_model
+    @warnings = []
+    @failures = []
+  end
+  def warning(id:, jmespath:, message:)
+    violation id: id,
+              jmespath: jmespath,
+              message: message,
+              violation_type: Violation::WARNING
+  end
+  def failure(id:, jmespath:, message:)
+    violation id: id,
+              jmespath: jmespath,
+              message: message,
+              violation_type: Violation::FAILING_VIOLATION
+  end
+  def violations
+    @warnings + @failures
+  end
+  private
+  def violation(id:, jmespath:, message:, violation_type:)
+    Logging.logger['log'].debug jmespath
+    logical_resource_ids = JMESPath.search(jmespath,
+                                           flatten(@cfn_model.raw_model))
+    unless logical_resource_ids.empty?
+      @warnings << Violation.new(id: id,
+                                 type: violation_type,
+                                 message: message,
+                                 logical_resource_ids: logical_resource_ids)
+    end
+  end
+  def flatten(hash)
+    hash['Resources'].each do |logical_resource_id, resource|
+      resource['id'] = logical_resource_id
+    end
+    hash
+  end
+end

data/lib/cfn-nag/template_discovery.rb CHANGED

@@ -3,7 +3,11 @@ class TemplateDiscovery
     if ::File.directory? input_json_path
       templates = find_templates_in_directory(directory: input_json_path)
     elsif ::File.file? input_json_path
-      templates = [File.new(input_json_path)]
+      if input_json_path.is_a? File
+        templates = [input_json_path.path]
+      else
+        templates = [input_json_path]
+      end
     else
       fail "#{input_json_path} is not a proper path"
     end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-14 00:00:00.000000000 Z
+date: 2017-07-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -52,6 +52,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 0.0.6
+- !ruby/object:Gem::Dependency
+  name: jmespath
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.1
 description: Auditing tool for CloudFormation templates
 email:
 executables:
@@ -113,7 +127,10 @@ files:
 - lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
 - lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
+- lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
 - lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
+- lib/cfn-nag/jmes_path_discovery.rb
+- lib/cfn-nag/jmes_path_evaluator.rb
 - lib/cfn-nag/profile.rb
 - lib/cfn-nag/profile_loader.rb
 - lib/cfn-nag/result_view/json_results.rb