cfn-nag 0.3.39 → 0.3.40
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6c5f5526f00bdcb756ccda1d679afe742fa2ea77a5858eb86fb5d1b8216a89b8
|
|
4
|
+
data.tar.gz: 307512c7fe5ea5de57323c68e7aeab2646026c4d2411c41e5f6b9da9f066b243
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 38392d3069353e411ad7a4bff68113f0420ccf1ad2ae6ae3288d3510214114e3d339bf9110a267a5e41d74ea612d5b0900fe7c1d69c554b3cffafa15a8b959ec
|
|
7
|
+
data.tar.gz: 5057bb311c09bd37e9271f6e4ec02822e189416fabac9abf0ca718d679432303f8ede7bf45118f9ac661c0f66e6d085833415b274e2cbf7e4b90b29b4887fe51
|
|
@@ -18,7 +18,6 @@ class S3BucketPolicyWildcardActionRule < BaseRule
|
|
|
18
18
|
logical_resource_ids = []
|
|
19
19
|
|
|
20
20
|
cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |bucket_policy|
|
|
21
|
-
|
|
22
21
|
if !bucket_policy.policy_document.wildcard_allowed_actions.empty?
|
|
23
22
|
logical_resource_ids << bucket_policy.logical_resource_id
|
|
24
23
|
end
|
|
@@ -18,7 +18,6 @@ class SqsQueuePolicyWildcardActionRule < BaseRule
|
|
|
18
18
|
logical_resource_ids = []
|
|
19
19
|
|
|
20
20
|
cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |queue_policy|
|
|
21
|
-
|
|
22
21
|
if !queue_policy.policy_document.wildcard_allowed_actions.empty?
|
|
23
22
|
logical_resource_ids << queue_policy.logical_resource_id
|
|
24
23
|
end
|
|
@@ -1,30 +1,48 @@
|
|
|
1
1
|
require_relative 'profile'
|
|
2
2
|
|
|
3
|
+
# Load rule profile
|
|
3
4
|
class ProfileLoader
|
|
4
5
|
def initialize(rules_registry)
|
|
5
6
|
@rules_registry = rules_registry
|
|
6
7
|
end
|
|
7
8
|
|
|
9
|
+
# Load rules from a profile definition
|
|
8
10
|
def load(profile_definition:)
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
11
|
+
# coerce falsy profile_definition into empty string for
|
|
12
|
+
# empty profile check
|
|
13
|
+
profile_definition ||= ''
|
|
14
|
+
raise 'Empty profile' if profile_definition.strip == ''
|
|
12
15
|
|
|
13
16
|
new_profile = Profile.new
|
|
14
17
|
|
|
15
18
|
profile_definition.each_line do |line|
|
|
16
|
-
rule_id = line
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
rule_id = rule_line_match.captures.first
|
|
20
|
-
if @rules_registry.by_id(rule_id) == nil
|
|
21
|
-
raise "#{rule_id} is not a legal rule identifier from: " \
|
|
22
|
-
"#{@rules_registry.rules.map(&:id)}"
|
|
23
|
-
else
|
|
24
|
-
new_profile.add_rule rule_id
|
|
25
|
-
end
|
|
26
|
-
end
|
|
19
|
+
next unless (rule_id = rule_line_match(line))
|
|
20
|
+
check_valid_rule_id rule_id
|
|
21
|
+
new_profile.add_rule rule_id
|
|
27
22
|
end
|
|
28
23
|
new_profile
|
|
29
24
|
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
# Parses a line, returns first matching line or false if
|
|
29
|
+
# no match
|
|
30
|
+
def rule_line_match(rule_id)
|
|
31
|
+
rule_id = rule_id.chomp
|
|
32
|
+
matches = /^([a-zA-Z]*?[0-9]+)\s*(.*)/.match(rule_id)
|
|
33
|
+
return false if matches.nil?
|
|
34
|
+
matches.captures.first
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# Return ids of rules in registry
|
|
38
|
+
def rules_ids
|
|
39
|
+
@rules_registry.rules.map(&:id)
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
# Return true if rule_id is valid (present in rules registry),
|
|
43
|
+
# else raise an error
|
|
44
|
+
def check_valid_rule_id(rule_id)
|
|
45
|
+
return true unless @rules_registry.by_id(rule_id).nil?
|
|
46
|
+
raise "#{rule_id} is not a legal rule identifier from: #{rules_ids}"
|
|
47
|
+
end
|
|
30
48
|
end
|