RubyGems - cfn-nag - Versions diffs - 0.3.26 → 0.3.29 - Mend

cfn-nag 0.3.26 → 0.3.29

Files changed (69) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b24fe153fb47cce98057d6ce79ace2a1b528da17
-  data.tar.gz: 357c15bf8b3338990769dc3226006080a58b1f81
+  metadata.gz: 7144cb5b2b3d13133235f4005a1fac1de6451b5a
+  data.tar.gz: fa086c99e462871db43246722da212b7125a7128
 SHA512:
-  metadata.gz: 9de7afb6202d1405f8ae58f82f7039a35a0e19dd908f2b9ae2acd2389f9575c78627ac039d7d7af9e1d84f8c436ddd9cc1b43e71a82ab930f13cc3bdbd0db87d
-  data.tar.gz: b39d542c0c04000cf09ee42e7f754c70d14ea2214ae3f4e5d155dc6b580fbb5d2f3865564c9f7e95767ebe1f0136add30f7c745d9b4d8d2e88fd08291cb5a096
+  metadata.gz: 9d4c65a97de5b446e6d40a420feb53abcc24d8816466797e9c26ae38f23c8f640e24bcf35a18aa624e1cd6db687d81a92aa049399ea9f093724e749584989fcf
+  data.tar.gz: be5f36b7874684b163ff7f97f588aa514c2be9e0ce5d86e5155c7df5805f647e802cad07b2cc88f0c42402cb757d7e8568a973b50bbf02a47086869e28409ef3

data/bin/cfn_nag_rules CHANGED Viewed

@@ -3,11 +3,15 @@ require 'trollop'
 require 'cfn-nag'
 require 'rubygems/specification'
-opts = Trollop::options do
+opts = Trollop.options do
   version Gem::Specification.find_by_name('cfn-nag').version
-  opt :rule_directory, 'Extra rule directories', type: :io, required: false, default: nil
-  opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
+  opt :rule_directory, 'Extra rule directories', type: :io,
+                                                 required: false,
+                                                 default: nil
+  opt :profile_path, 'Path to a profile file', type: :io,
+                                               required: false,
+                                               default: nil
 end
 profile_definition = nil

data/bin/cfn_nag_scan CHANGED Viewed

@@ -5,24 +5,39 @@ require 'logging'
 require 'json'
 require 'rubygems/specification'
-opts = Trollop::options do
+opts = Trollop.options do
   version Gem::Specification.find_by_name('cfn-nag').version
-  opt :input_path, 'CloudFormation template to nag on or directory of templates - all *.json, *.yaml, *.yml and *.template recursively', type: :io, required: true
-  opt :output_format, 'Format of results: [txt, json]', type: :string, default: 'txt'
-  opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
-  opt :rule_directory, 'Extra rule directory', type: :io, required: false, default: nil
-  opt :profile_path, 'Path to a profile file', type: :io, required: false, default: nil
-  opt :parameter_values_path, 'Path to a JSON file to pull Parameter values from', type: :io, required: false, default: nil
-  opt :allow_suppression, 'Allow using Metadata to suppress violations', type: :boolean, required: false, default: true
-  opt :print_suppression, 'Emit suppressions to stderr', type: :boolean, required: false, default: false
-  opt :isolate_custom_rule_exceptions, 'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging', type: :boolean, required: false, default: false
+  opt :input_path, 'CloudFormation template to nag on or directory of ' \
+                   'templates - all *.json, *.yaml, *.yml and *.template ' \
+                   'recursively', type: :io, required: true
+  opt :output_format, 'Format of results: [txt, json]',
+      type: :string, default: 'txt'
+  opt :debug, 'Enable debug output',
+      type: :boolean, required: false, default: false
+  opt :rule_directory, 'Extra rule directory',
+      type: :io, required: false, default: nil
+  opt :profile_path, 'Path to a profile file',
+      type: :io, required: false, default: nil
+  opt :parameter_values_path,
+      'Path to a JSON file to pull Parameter values from',
+      type: :io, required: false, default: nil
+  opt :allow_suppression, 'Allow using Metadata to suppress violations',
+      type: :boolean, required: false, default: true
+  opt :print_suppression, 'Emit suppressions to stderr',
+      type: :boolean, required: false, default: false
+  opt :isolate_custom_rule_exceptions,
+      'Isolate custom rule exceptions - just emit the exception without ' \
+      'stack trace and keep chugging',
+      type: :boolean, required: false, default: false
 end
-Trollop::die(:output_format,
-             'Must be txt or json') unless %w(txt json).include?(opts[:output_format])
+unless %w[txt json].include?(opts[:output_format])
+  Trollop.die(:output_format,
+              'Must be txt or json')
+end
-CfnNag::configure_logging(opts)
+CfnNag.configure_logging(opts)
 profile_definition = nil
 unless opts[:profile_path].nil?
@@ -33,8 +48,10 @@ cfn_nag = CfnNag.new(profile_definition: profile_definition,
                      rule_directory: opts[:rule_directory],
                      allow_suppression: opts[:allow_suppression],
                      print_suppression: opts[:print_suppression],
-                     isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions])
+                     isolate_custom_rule_exceptions:
+                     opts[:isolate_custom_rule_exceptions])
-exit cfn_nag.audit_aggregate_across_files_and_render_results(input_path: opts[:input_path],
-                                                             output_format: opts[:output_format],
-                                                             parameter_values_path: opts[:parameter_values_path])
+exit cfn_nag.audit_aggregate_across_files_and_render_results(
+  input_path: opts[:input_path], output_format: opts[:output_format],
+  parameter_values_path: opts[:parameter_values_path]
+)

data/lib/cfn-nag.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# rubocop:disable Naming/FileName
 require 'cfn-nag/cfn_nag'
 require 'cfn-nag/violation'
-require 'cfn-nag/rule_dumper'
+require 'cfn-nag/rule_dumper'
+# rubocop:enable Naming/FileName

data/lib/cfn-nag/cfn_nag.rb CHANGED Viewed

@@ -27,7 +27,7 @@ class CfnNag
   # Return an aggregate failure count (for exit code usage)
   #
   def audit_aggregate_across_files_and_render_results(input_path:,
-                                                      output_format:'txt',
+                                                      output_format: 'txt',
                                                       parameter_values_path: nil)
     aggregate_results = audit_aggregate_across_files input_path: input_path, parameter_values_path: parameter_values_path
@@ -74,7 +74,6 @@ class CfnNag
                                   type: Violation::FAILING_VIOLATION,
                                   message: parser_error.to_s)
       stop_processing = true
     end
     violations += @custom_rule_loader.execute_custom_rules(cfn_model) unless stop_processing == true
@@ -89,11 +88,11 @@ class CfnNag
   def self.configure_logging(opts)
     logger = Logging.logger['log']
-    if opts[:debug]
-      logger.level = :debug
-    else
-      logger.level = :info
-    end
+    logger.level = if opts[:debug]
+                     :debug
+                   else
+                     :info
+                   end
     logger.add_appenders Logging.appenders.stdout
   end

data/lib/cfn-nag/custom_rule_loader.rb CHANGED Viewed

@@ -40,7 +40,6 @@ class CustomRuleLoader
     rule_registry
   end
   def execute_custom_rules(cfn_model)
     Logging.logger['log'].debug "cfn_model: #{cfn_model}"
@@ -69,7 +68,7 @@ class CustomRuleLoader
       evaluator.instance_eval do
         eval IO.read jmespath_file
       end
-      violations +=  evaluator.violations
+      violations += evaluator.violations
     end
     violations
   end
@@ -138,7 +137,7 @@ class CustomRuleLoader
   def validate_extra_rule_directory(rule_directory)
     unless rule_directory.nil?
-      fail "Not a real directory #{rule_directory}" unless File.directory? rule_directory
+      raise "Not a real directory #{rule_directory}" unless File.directory? rule_directory
     end
   end
@@ -177,4 +176,4 @@ class CustomRuleLoader
     Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
     rule_filenames
   end
-end
+end

data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb CHANGED Viewed

@@ -18,9 +18,8 @@ class CloudFormationAuthenticationRule < BaseRule
     logical_resource_ids = []
     cfn_model.raw_model['Resources'].each do |resource_name, resource|
       unless resource['Metadata'].nil?
-        if !resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
-          logical_resource_ids << resource_name
-        end
+        next if resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
+        logical_resource_ids << resource_name
       end
     end
     logical_resource_ids

data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class CloudFrontDistributionAccessLoggingRule < BaseRule
       distribution.distributionConfig['Logging'].nil?
     end
-    violating_distributions.map { |distribution| distribution.logical_resource_id }
+    violating_distributions.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class EbsVolumeHasSseRule < BaseRule
       volume.encrypted.nil? || volume.encrypted.to_s.downcase == 'false'
     end
-    violating_volumes.map { |violating_user| violating_user.logical_resource_id }
+    violating_volumes.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb CHANGED Viewed

@@ -19,6 +19,6 @@ class ElasticLoadBalancerAccessLoggingRule < BaseRule
       elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
     end
-    violating_elbs.map { |violating_user| violating_user.logical_resource_id }
+    violating_elbs.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyNotActionRule < BaseRule
   def rule_text
     'IAM managed policy should not allow Allow+NotAction'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyNotActionRule < BaseRule
       !policy.policy_document.allows_not_action.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyNotResourceRule < BaseRule
   def rule_text
     'IAM managed policy should not allow Allow+NotResource'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyNotResourceRule < BaseRule
       !policy.policy_document.allows_not_resource.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyWildcardActionRule < BaseRule
   def rule_text
     'IAM managed policy should not allow * action'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardActionRule < BaseRule
       !policy.policy_document.wildcard_allowed_actions.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamManagedPolicyWildcardResourceRule < BaseRule
   def rule_text
     'IAM managed policy should not allow * resource'
   end
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
       !policy.policy_document.wildcard_allowed_resources.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyNotActionRule < BaseRule
   def rule_text
     'IAM policy should not allow Allow+NotAction'
   end
@@ -20,6 +19,6 @@ class IamPolicyNotActionRule < BaseRule
       !policy.policy_document.allows_not_action.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyNotResourceRule < BaseRule
   def rule_text
     'IAM policy should not allow Allow+NotResource'
   end
@@ -20,6 +19,6 @@ class IamPolicyNotResourceRule < BaseRule
       !policy.policy_document.allows_not_resource.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyWildcardActionRule < BaseRule
   def rule_text
     'IAM policy should not allow * action'
   end
@@ -20,6 +19,6 @@ class IamPolicyWildcardActionRule < BaseRule
       !policy.policy_document.wildcard_allowed_actions.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamPolicyWildcardResourceRule < BaseRule
   def rule_text
     'IAM policy should not allow * resource'
   end
@@ -20,6 +19,6 @@ class IamPolicyWildcardResourceRule < BaseRule
       !policy.policy_document.wildcard_allowed_resources.empty?
     end
-    violating_policies.map { |policy| policy.logical_resource_id }
+    violating_policies.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotAction'
   end
@@ -23,6 +22,6 @@ class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotActionOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotAction on trust permissions'
   end
@@ -20,6 +19,6 @@ class IamRoleNotActionOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.allows_not_action.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotPrincipal in its trust policy'
   end
@@ -20,6 +19,6 @@ class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.allows_not_principal.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow Allow+NotResource'
   end
@@ -23,6 +22,6 @@ class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow * action on its permissions policy'
   end
@@ -23,6 +22,6 @@ class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
       !violating_policies.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id }
+    violating_roles.map(&:logical_resource_id)
   end
-end
+end

data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb CHANGED Viewed

@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
 require_relative 'base'
 class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
   def rule_text
     'IAM role should not allow * action on its trust policy'
   end
@@ -20,8 +19,6 @@ class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
       !role.assume_role_policy_document.wildcard_allowed_actions.empty?
     end
-    violating_roles.map { |role| role.logical_resource_id}
+    violating_roles.map(&:logical_resource_id)
   end
 end