cfn-nag 0.3.39 → 0.3.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6c5f5526f00bdcb756ccda1d679afe742fa2ea77a5858eb86fb5d1b8216a89b8
|
|
4
|
+
data.tar.gz: 307512c7fe5ea5de57323c68e7aeab2646026c4d2411c41e5f6b9da9f066b243
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 38392d3069353e411ad7a4bff68113f0420ccf1ad2ae6ae3288d3510214114e3d339bf9110a267a5e41d74ea612d5b0900fe7c1d69c554b3cffafa15a8b959ec
|
|
7
|
+
data.tar.gz: 5057bb311c09bd37e9271f6e4ec02822e189416fabac9abf0ca718d679432303f8ede7bf45118f9ac661c0f66e6d085833415b274e2cbf7e4b90b29b4887fe51
|
|
@@ -18,7 +18,6 @@ class S3BucketPolicyWildcardActionRule < BaseRule
|
|
|
18
18
|
logical_resource_ids = []
|
|
19
19
|
|
|
20
20
|
cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |bucket_policy|
|
|
21
|
-
|
|
22
21
|
if !bucket_policy.policy_document.wildcard_allowed_actions.empty?
|
|
23
22
|
logical_resource_ids << bucket_policy.logical_resource_id
|
|
24
23
|
end
|
|
@@ -18,7 +18,6 @@ class SqsQueuePolicyWildcardActionRule < BaseRule
|
|
|
18
18
|
logical_resource_ids = []
|
|
19
19
|
|
|
20
20
|
cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |queue_policy|
|
|
21
|
-
|
|
22
21
|
if !queue_policy.policy_document.wildcard_allowed_actions.empty?
|
|
23
22
|
logical_resource_ids << queue_policy.logical_resource_id
|
|
24
23
|
end
|
|
@@ -1,30 +1,48 @@
|
|
|
1
1
|
require_relative 'profile'
|
|
2
2
|
|
|
3
|
+
# Load rule profile
|
|
3
4
|
class ProfileLoader
|
|
4
5
|
def initialize(rules_registry)
|
|
5
6
|
@rules_registry = rules_registry
|
|
6
7
|
end
|
|
7
8
|
|
|
9
|
+
# Load rules from a profile definition
|
|
8
10
|
def load(profile_definition:)
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
11
|
+
# coerce falsy profile_definition into empty string for
|
|
12
|
+
# empty profile check
|
|
13
|
+
profile_definition ||= ''
|
|
14
|
+
raise 'Empty profile' if profile_definition.strip == ''
|
|
12
15
|
|
|
13
16
|
new_profile = Profile.new
|
|
14
17
|
|
|
15
18
|
profile_definition.each_line do |line|
|
|
16
|
-
rule_id = line
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
rule_id = rule_line_match.captures.first
|
|
20
|
-
if @rules_registry.by_id(rule_id) == nil
|
|
21
|
-
raise "#{rule_id} is not a legal rule identifier from: " \
|
|
22
|
-
"#{@rules_registry.rules.map(&:id)}"
|
|
23
|
-
else
|
|
24
|
-
new_profile.add_rule rule_id
|
|
25
|
-
end
|
|
26
|
-
end
|
|
19
|
+
next unless (rule_id = rule_line_match(line))
|
|
20
|
+
check_valid_rule_id rule_id
|
|
21
|
+
new_profile.add_rule rule_id
|
|
27
22
|
end
|
|
28
23
|
new_profile
|
|
29
24
|
end
|
|
25
|
+
|
|
26
|
+
private
|
|
27
|
+
|
|
28
|
+
# Parses a line, returns first matching line or false if
|
|
29
|
+
# no match
|
|
30
|
+
def rule_line_match(rule_id)
|
|
31
|
+
rule_id = rule_id.chomp
|
|
32
|
+
matches = /^([a-zA-Z]*?[0-9]+)\s*(.*)/.match(rule_id)
|
|
33
|
+
return false if matches.nil?
|
|
34
|
+
matches.captures.first
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# Return ids of rules in registry
|
|
38
|
+
def rules_ids
|
|
39
|
+
@rules_registry.rules.map(&:id)
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
# Return true if rule_id is valid (present in rules registry),
|
|
43
|
+
# else raise an error
|
|
44
|
+
def check_valid_rule_id(rule_id)
|
|
45
|
+
return true unless @rules_registry.by_id(rule_id).nil?
|
|
46
|
+
raise "#{rule_id} is not a legal rule identifier from: #{rules_ids}"
|
|
47
|
+
end
|
|
30
48
|
end
|