cfn-nag 0.3.67 → 0.3.68

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca2c6915b65ea17382453ae70f489848805320dcea810216e3830065242cf921
-  data.tar.gz: 2ad82b8452806b72055b58a984edd30573df020e4ca7b97802c21e000235e4c6
+  metadata.gz: ffbdd25dd16e216af5280c00d56987c2236765b6e0467c3c35fc3167333802f0
+  data.tar.gz: 1a7d2fbeaca398861088d3f138ebd2b1bc89e03f85aa58af230353fed6790012
 SHA512:
-  metadata.gz: aba6c9c12ede913365cb6dfd63aff3d517b8720e0c9f5e9f409757b5b9172ece6efa3d55613cad96070e9f753e4d80879fd876ed3d4468fc65497b9a1e2d7dc1
-  data.tar.gz: 1442d1e3d10b86a85339970c7e95c711a8c0c61f486461b85f01a2b6d696ebb4fd850a57f6a0be5df17567431a452d00e080af9549b31e8d0e6ff472ed9f9f25
+  metadata.gz: 93235ea544b753874959e97ad5e72c776b40ce5687adbb3fcdf8f9f45390e9280e049f72d0974c9d8116883454f740270ec39deac382e3da20d24842e37886d4
+  data.tar.gz: ad62b96251d1a425007cae5cfdab6244880920489fc552136386cf7ebeed84187b5eeca21d3de19be2ff3365d553d6bb95eda268ff522e229f88ca01bf14713e

data/bin/cfn_nag

@@ -8,7 +8,12 @@ require 'json'
 require 'rubygems/specification'
 
 opts = Trollop.options do
-  usage '[options] <cloudformation template path ...>|<cloudformation template in STDIN>'
+  options_message = '[options] <cloudformation template path ...>|' \
+                    '<cloudformation template in STDIN>'
+  custom_rule_exceptions_message = 'Isolate custom rule exceptions - ' \
+                                   'just emit the exception without stack ' \
+                                   ' trace and keep chugging'
+  usage options_message
   version Gem::Specification.find_by_name('cfn-nag').version
 
   opt :debug,
@@ -42,7 +47,7 @@ opts = Trollop.options do
       required: false,
       default: nil
   opt :isolate_custom_rule_exceptions,
-      'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging',
+      custom_rule_exceptions_message,
       type: :boolean,
       required: false,
       default: false
@@ -60,12 +65,13 @@ unless opts[:parameter_values_path].nil?
   parameter_values_string = IO.read(opts[:parameter_values_path])
 end
 
-cfn_nag = CfnNag.new(profile_definition: profile_definition,
-                     rule_directory: opts[:rule_directory],
-                     allow_suppression: opts[:allow_suppression],
-                     print_suppression: opts[:print_suppression],
-                     isolate_custom_rule_exceptions:
-                     opts[:isolate_custom_rule_exceptions])
+cfn_nag = CfnNag.new(
+  profile_definition: profile_definition,
+  rule_directory: opts[:rule_directory],
+  allow_suppression: opts[:allow_suppression],
+  print_suppression: opts[:print_suppression],
+  isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions]
+)
 
 total_failure_count = 0
 until ARGF.closed? || ARGF.eof?

data/bin/cfn_nag_scan

@@ -10,8 +10,20 @@ require 'rubygems/specification'
 opts = Trollop.options do
   version Gem::Specification.find_by_name('cfn-nag').version
 
+  input_path_message = 'CloudFormation template to nag on or directory of ' \
+                       'templates.  Default is all *.json, *.yaml, *.yml ' \
+                       'and *.template recursively, but can be constrained ' \
+                       'by --template-pattern'
+
+  custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
+                                   'emit the exception without stack trace ' \
+                                   'and keep chugging'
+
+  template_pattern_message = 'Within the --input-path, match files to scan ' \
+                             'against this regular expression'
+
   opt :input_path,
-      'CloudFormation template to nag on or directory of templates.  Default is all *.json, *.yaml, *.yml and *.template recursively, but can be constrained by --template-pattern',
+      input_path_message,
       type: :io,
       required: true
   opt :output_format,
@@ -49,12 +61,12 @@ opts = Trollop.options do
       required: false,
       default: false
   opt :isolate_custom_rule_exceptions,
-      'Isolate custom rule exceptions - just emit the exception without stack trace and keep chugging',
+      custom_rule_exceptions_message,
       type: :boolean,
       required: false,
       default: false
   opt :template_pattern,
-      'Within the --input-path, match files to scan against this regular expression',
+      template_pattern_message,
       type: :string,
       required: false,
       default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
@@ -72,14 +84,17 @@ unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
-cfn_nag = CfnNag.new(profile_definition: profile_definition,
-                     rule_directory: opts[:rule_directory],
-                     allow_suppression: opts[:allow_suppression],
-                     print_suppression: opts[:print_suppression],
-                     isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions])
+cfn_nag = CfnNag.new(
+  profile_definition: profile_definition,
+  rule_directory: opts[:rule_directory],
+  allow_suppression: opts[:allow_suppression],
+  print_suppression: opts[:print_suppression],
+  isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions]
+)
 
 exit cfn_nag.audit_aggregate_across_files_and_render_results(
-  input_path: opts[:input_path], output_format: opts[:output_format],
+  input_path: opts[:input_path],
+  output_format: opts[:output_format],
   parameter_values_path: opts[:parameter_values_path],
   template_pattern: opts[:template_pattern]
 )

data/lib/cfn-nag/cfn_nag.rb

@@ -66,19 +66,6 @@ class CfnNag
     aggregate_results
   end
 
-  def audit_result(violations)
-    {
-      failure_count: Violation.count_failures(violations),
-      violations: violations
-    }
-  end
-
-  def fatal_violation(message)
-    Violation.new(id: 'FATAL',
-                  type: Violation::FAILING_VIOLATION,
-                  message: message)
-  end
-
   ##
   # Given cloudformation json/yml, run all the rules against it
   #
@@ -118,6 +105,19 @@ class CfnNag
 
   private
 
+  def audit_result(violations)
+    {
+      failure_count: Violation.count_failures(violations),
+      violations: violations
+    }
+  end
+
+  def fatal_violation(message)
+    Violation.new(id: 'FATAL',
+                  type: Violation::FAILING_VIOLATION,
+                  message: message)
+  end
+
   def filter_violations_by_profile(violations)
     profile = nil
     unless @profile_definition.nil?

data/lib/cfn-nag/custom_rule_loader.rb

@@ -78,9 +78,11 @@ class CustomRuleLoader
   def filter_rule_classes(cfn_model, violations)
     discover_rule_classes(@rule_directory).each do |rule_class|
       begin
-        filtered_cfn_model = cfn_model_with_suppressed_resources_removed cfn_model: cfn_model,
-                                                                         rule_id: rule_class.new.rule_id,
-                                                                         allow_suppression: @allow_suppression
+        filtered_cfn_model = cfn_model_with_suppressed_resources_removed(
+          cfn_model: cfn_model,
+          rule_id: rule_class.new.rule_id,
+          allow_suppression: @allow_suppression
+        )
         audit_result = rule_class.new.audit(filtered_cfn_model)
         violations << audit_result unless audit_result.nil?
       rescue Exception => exception
@@ -122,7 +124,8 @@ class CustomRuleLoader
       logical_resource_id = mangled_metadata.first
       mangled_rules = mangled_metadata[1]
 
-      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
+      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression " \
+                  "rule id: #{mangled_rules}"
     end
   end
 
@@ -132,7 +135,9 @@ class CustomRuleLoader
       rule_to_suppress['id'] == rule_id
     end
     if found_suppression_rule && @print_suppression
-      STDERR.puts "Suppressing #{rule_id} on #{logical_resource_id} for reason: #{found_suppression_rule['reason']}"
+      message = "Suppressing #{rule_id} on #{logical_resource_id} for " \
+                "reason: #{found_suppression_rule['reason']}"
+      STDERR.puts message
     end
     !found_suppression_rule.nil?
   end

data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb

@@ -5,7 +5,8 @@ require_relative 'base'
 
 class LambdaPermissionInvokeFunctionActionRule < BaseRule
   def rule_text
-    'Lambda permission beside InvokeFunction might not be what you want?  Not sure!?'
+    'Lambda permission beside InvokeFunction might not be what you want? ' \
+    'Not sure!?'
   end
 
   def rule_type
@@ -17,10 +18,11 @@ class LambdaPermissionInvokeFunctionActionRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').select do |lambda_permission|
+    lambda_permissions = cfn_model.resources_by_type('AWS::Lambda::Permission')
+    violating_lambda_permissions = lambda_permissions.select do |lambda_permission|
       lambda_permission.action != 'lambda:InvokeFunction'
     end
 
-    violating_lambdas.map(&:logical_resource_id)
+    violating_lambda_permissions.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb

@@ -18,10 +18,11 @@ class LambdaPermissionWildcardPrincipalRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').select do |lambda_permission|
+    lambda_permissions = cfn_model.resources_by_type('AWS::Lambda::Permission')
+    violating_lambda_permissions = lambda_permissions.select do |lambda_permission|
       LambdaPrincipal.wildcard? lambda_permission.principal
     end
 
-    violating_lambdas.map(&:logical_resource_id)
+    violating_lambda_permissions.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb

@@ -5,7 +5,8 @@ require_relative 'base'
 
 class RDSInstanceMasterUserPasswordRule < BaseRule
   def rule_text
-    'RDS instance master user password must be Ref to NoEcho Parameter. Default credentials are not recommended'
+    'RDS instance master user password must be Ref to NoEcho Parameter. ' \
+    'Default credentials are not recommended'
   end
 
   def rule_type
@@ -16,15 +17,18 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
     'F23'
   end
 
-  # one word of warning... if somebody applies parameter values via JSON.... this will compare that....
-  # probably shouldn't be doing that though - if it's NoEcho there's a good reason
+  # one word of warning... if somebody applies parameter values via JSON....
+  # this will compare that....
+  # probably shouldn't be doing that though if it's NoEcho there's a good reason
   # bother checking synthesized_value? that would be the indicator.....
   def audit_impl(cfn_model)
-    violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance').select do |instance|
+    rds_dbinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
+    violating_rdsinstances = rds_dbinstances.select do |instance|
       if instance.masterUserPassword.nil?
         false
       else
-        !references_no_echo_parameter_without_default?(cfn_model, instance.masterUserPassword)
+        !no_echo_parameter_without_default?(cfn_model,
+                                            instance.masterUserPassword)
       end
     end
 
@@ -37,7 +41,7 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
     string.to_s.casecmp('true').zero?
   end
 
-  def references_no_echo_parameter_without_default?(cfn_model, master_user_password)
+  def no_echo_parameter_without_default?(cfn_model, master_user_password)
     # i feel like i've written this mess somewhere before
     if master_user_password.is_a? Hash
       if master_user_password.key? 'Ref'

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb

@@ -6,7 +6,8 @@ require_relative 'base'
 # cfn_nag rules related to RDS Instance master username
 class RDSInstanceMasterUsernameRule < BaseRule
   def rule_text
-    'RDS instance master username must be Ref to NoEcho Parameter. Default credentials are not recommended'
+    'RDS instance master username must be Ref to NoEcho Parameter. Default ' \
+    'credentials are not recommended'
   end
 
   def rule_type

data/lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb

@@ -17,7 +17,9 @@ class RDSInstancePubliclyAccessibleRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance').select do |instance|
+    rds_dbinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
+
+    violating_rdsinstances = rds_dbinstances.select do |instance|
       instance.publiclyAccessible.nil? || instance.publiclyAccessible.to_s.casecmp('true').zero?
     end
 

data/lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb

@@ -17,12 +17,10 @@ class S3BucketPublicReadWriteAclRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-
-    cfn_model.resources_by_type('AWS::S3::Bucket').each do |bucket|
-      logical_resource_ids << bucket.logical_resource_id if bucket.accessControl == 'PublicReadWrite'
+    violating_buckets = cfn_model.resources_by_type('AWS::S3::Bucket').select do |bucket|
+      bucket.accessControl == 'PublicReadWrite'
     end
 
-    logical_resource_ids
+    violating_buckets.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

@@ -20,21 +20,21 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
   end
 
   ##
-  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_egresses = security_group.egresses.select do |egress|
         ip4_open?(egress) || ip6_open?(egress)
       end
 
-      logical_resource_ids << security_group.logical_resource_id unless violating_egresses.empty?
+      !violating_egresses.empty?
     end
 
     violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
       ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
     end
 
-    logical_resource_ids + violating_egresses.map(&:logical_resource_id)
+    violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb

@@ -17,21 +17,21 @@ class SecurityGroupEgressPortRangeRule < BaseRule
   end
 
   ##
-  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_egresses = security_group.egresses.select do |egress|
         egress.fromPort != egress.toPort
       end
 
-      logical_resource_ids << security_group.logical_resource_id unless violating_egresses.empty?
+      !violating_egresses.empty?
     end
 
     violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
       standalone_egress.fromPort != standalone_egress.toPort
     end
 
-    logical_resource_ids + violating_egresses.map(&:logical_resource_id)
+    violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb

@@ -20,21 +20,21 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
   end
 
   ##
-  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
         ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
       end
 
-      logical_resource_ids << security_group.logical_resource_id unless violating_ingresses.empty?
+      !violating_ingresses.empty?
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
       ip4_cidr_range?(standalone_ingress) || ip6_cidr_range?(standalone_ingress)
     end
 
-    logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
+    violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

@@ -8,7 +8,8 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   include IpAddr
 
   def rule_text
-    'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
+    'Security Groups found with cidr open to world on ingress.  This should ' \
+    'never be true on instance.  Permissible on ELB'
   end
 
   def rule_type
@@ -23,19 +24,18 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   # This will behave slightly different than the legacy jq based rule
   # which was targeted against inline ingress only
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
         ip4_open?(ingress) || ip6_open?(ingress)
       end
 
-      logical_resource_ids << security_group.logical_resource_id unless violating_ingresses.empty?
+      !violating_ingresses.empty?
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
       ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
     end
 
-    logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
+    violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb

@@ -5,7 +5,8 @@ require_relative 'base'
 
 class SecurityGroupIngressPortRangeRule < BaseRule
   def rule_text
-    'Security Groups found ingress with port range instead of just a single port'
+    'Security Groups found ingress with port range instead of just a single ' \
+    'port'
   end
 
   def rule_type
@@ -17,21 +18,21 @@ class SecurityGroupIngressPortRangeRule < BaseRule
   end
 
   ##
-  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  # This will behave slightly different than the legacy jq based rule which was
+  # targeted against inline ingress only
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
         ingress.fromPort != ingress.toPort
       end
 
-      logical_resource_ids << security_group.logical_resource_id unless violating_ingresses.empty?
+      !violating_ingresses.empty?
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
       standalone_ingress.fromPort != standalone_ingress.toPort
     end
 
-    logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
+    violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb

@@ -5,7 +5,8 @@ require_relative 'base'
 
 class SecurityGroupMissingEgressRule < BaseRule
   def rule_text
-    'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration'
+    'Missing egress rule means all traffic is allowed outbound.  Make this ' \
+    'explicit if it is desired configuration'
   end
 
   def rule_type
@@ -17,11 +18,10 @@ class SecurityGroupMissingEgressRule < BaseRule
   end
 
   def audit_impl(cfn_model)
-    logical_resource_ids = []
-    cfn_model.security_groups.each do |security_group|
-      logical_resource_ids << security_group.logical_resource_id if security_group.egresses.empty?
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
+      security_group.egresses.empty?
     end
 
-    logical_resource_ids
+    violating_security_groups.map(&:logical_resource_id)
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.67
+  version: 0.3.68
 platform: ruby
 authors:
 - Eric Kascic
@@ -193,7 +193,6 @@ files:
 - lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
 - lib/cfn-nag/custom_rules/WorkspacesWorkspaceEncryptionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
-- lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb

data/lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb

@@ -1,60 +0,0 @@
-# frozen_string_literal: true
-
-# require 'cfn-nag/violation'
-# require 'model/action_parser'
-#
-# class UnencryptedS3PutObjectAllowedRule
-#
-#   def rule_text
-#     'It appears that the S3 Bucket Policy allows s3:PutObject without server-side encryption'
-#   end
-#
-#   def rule_type
-#     Violation::WARNING
-#   end
-#
-#   def rule_id
-#     'W1000'
-#   end
-#
-#   def audit(cfn_model)
-#     logical_resource_ids = []
-#     cfn_model.bucket_policies.each do |bucket_policy|
-#       found_statement = bucket_policy.statements.find do |statement|
-#         blocks_put_object_without_encryption(statement)
-#       end
-#       if found_statement.nil?
-#         logical_resource_ids << bucket_policy.logical_resource_id
-#       end
-#     end
-#
-#     if logical_resource_ids.size > 0
-#       Violation.new(id: rule_id,
-#                     type: rule_type,
-#                     message: rule_text,
-#                     logical_resource_ids: logical_resource_ids)
-#     else
-#       nil
-#     end
-#   end
-#
-#   private
-#
-#   def blocks_put_object_without_encryption(statement)
-#     encryption_condition = {
-#       'StringNotEquals' => {
-#         's3:x-amz-server-side-encryption' => 'AES256'
-#       }
-#     }
-#
-#     # this isn't quite complete.  parsing the Resource field can be tricky
-#     # looking for a trailing wildcard will likely be right most of the time
-#     # but there are a lot of string manipulations to confuse things so...
-#     # just warn when we can't find at least the Deny+encryption - they may have an
-#     # incomplete Deny (for encryption) and that will slip through
-#     statement['Effect'] == 'Deny' and
-#         ActionParser.new.include?(actual_action: statement['Action'], action_to_look_for: 's3:PutObject') and
-#         S3BucketPolicy::condition_includes?(statement, encryption_condition) and
-#         statement['Principal'] == '*'
-#   end
-# end