cfn-nag 0.3.81 → 0.3.82

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3b308c84a5c3289a13883a89e589cb464d5a629e9d51147660cd252c50ee85c0
4
- data.tar.gz: 804868f8a9c90a7c97788c91459bdabfa6663a8fb4e3b251153c89102bb69de4
3
+ metadata.gz: 93fe11635dc84e8b2b2dd8da535dae76801eb495589eee4fd9563b02104d6215
4
+ data.tar.gz: 5fddddfbf4bcd954492b0a12500ff44ac7fe22826cd8d6ad3c794870c9d9e675
5
5
  SHA512:
6
- metadata.gz: ce73f908b62746f5dc1e3c4a026106ddaaa3adf9ec6bbe49b1c7b60f461c2b6c2486f25de7d940516069f6c9a94da52c413886e623c5178e06db12487445d5b7
7
- data.tar.gz: 26079901e3a639a2b9e72f562ddb8481426d622cfdd3184e0c6be3af0cf0602d9d6b9fe80f0ec0c490f5e5d8a4a70b3c852c54d94d6a3a3c0ed48f47dd2c82af
6
+ metadata.gz: 9dd593f6cb582991b8e4b5da61668f18d5a59646c9e7c1484395974ad2ea5f86978b2b4a2d99179b720dd4b8aadd536f9e4dee0d5f94157501c751663ee48a73
7
+ data.tar.gz: e12af655af934e41450f5df8499ee95f539fd2285a48978af1694ae8614da24118cc50f011ea12ba94392748e7a890af17273ca1024c21ec518d32d8b60047ea
@@ -0,0 +1,33 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/enforce_noecho_parameter'
5
+ require_relative 'base'
6
+
7
+ # Rule class to fail on DirectoryService::SimpleAD password in template
8
+ class DirectoryServiceSimpleADPasswordRule < BaseRule
9
+ def rule_text
10
+ 'DirectoryService::SimpleAD should use a parameter for password, with NoEcho'
11
+ end
12
+
13
+ def rule_type
14
+ Violation::FAILING_VIOLATION
15
+ end
16
+
17
+ def rule_id
18
+ 'F31'
19
+ end
20
+
21
+ def audit_impl(cfn_model)
22
+ violating_ad = cfn_model.resources_by_type('AWS::DirectoryService::SimpleAD')
23
+ .select do |ad|
24
+ if ad.password.nil?
25
+ false
26
+ else
27
+ !no_echo_parameter_without_default?(cfn_model,
28
+ ad.password)
29
+ end
30
+ end
31
+ violating_ad.map(&:logical_resource_id)
32
+ end
33
+ end
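Review bot: The `select` block in `audit_impl` spells out a boolean with an `if`/`else` whose branches return literal `false` or a negation; the same predicate reads more directly as `!ad.password.nil? && !no_echo_parameter_without_default?(cfn_model, ad.password)`. Separately, `rule_text` promises only "with NoEcho", while the helper the rule calls also fails a NoEcho parameter that carries a `Default`; suggest `'DirectoryService::SimpleAD should use a parameter for password, with NoEcho and no Default'` so the message matches what is actually checked. Any non-`Ref` password value (a plain string, and presumably an intrinsic such as `Fn::Sub` or a dynamic-reference string) falls through the helper to `false` and is therefore reported; if that is intended, a one-line comment on `audit_impl` saying so would save the next reader a trip into `enforce_noecho_parameter.rb`.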
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/enforce_noecho_parameter.rb'
4
5
  require_relative 'base'
5
6
 
6
7
  class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -34,29 +35,4 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
34
35
 
35
36
  violating_rdsinstances.map(&:logical_resource_id)
36
37
  end
37
-
38
- private
39
-
40
- def to_boolean(string)
41
- string.to_s.casecmp('true').zero?
42
- end
43
-
44
- def no_echo_parameter_without_default?(cfn_model, master_user_password)
45
- # i feel like i've written this mess somewhere before
46
- if master_user_password.is_a? Hash
47
- if master_user_password.key? 'Ref'
48
- if cfn_model.parameters.key? master_user_password['Ref']
49
- parameter = cfn_model.parameters[master_user_password['Ref']]
50
-
51
- return to_boolean(parameter.noEcho) && parameter.default.nil?
52
- else
53
- return false
54
- end
55
- else
56
- return false
57
- end
58
- end
59
- # String or anything weird will fall through here
60
- false
61
- end
62
38
  end
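Review bot: The new `require 'cfn-nag/util/enforce_noecho_parameter.rb'` in the first hunk carries a `.rb` suffix while the RDS master-username rule and the new DirectoryService rule require the same file as `'cfn-nag/util/enforce_noecho_parameter'`; Ruby records the resolved path as a single loaded feature, so this is a consistency issue rather than a double load, but the suffix should be dropped here and likewise in `truthy.rb`'s `require 'cfn-nag/util/truthy.rb'`. The second hunk only moves the private `to_boolean` and `no_echo_parameter_without_default?` helpers out to the shared util, and the body of `RDSInstanceMasterUserPasswordRule` between the two hunks is outside this view.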
@@ -1,6 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/enforce_noecho_parameter'
4
5
  require_relative 'base'
5
6
 
6
7
  # cfn_nag rules related to RDS Instance master username
@@ -29,39 +30,11 @@ class RDSInstanceMasterUsernameRule < BaseRule
29
30
  if instance.masterUsername.nil?
30
31
  false
31
32
  else
32
- !references_no_echo_parameter_without_default?(cfn_model,
33
- instance.masterUsername)
33
+ !no_echo_parameter_without_default?(cfn_model,
34
+ instance.masterUsername)
34
35
  end
35
36
  end
36
37
 
37
38
  violating_rdsinstances.map(&:logical_resource_id)
38
39
  end
39
-
40
- private
41
-
42
- def to_boolean(string)
43
- if string.to_s.casecmp('true').zero?
44
- true
45
- else
46
- false
47
- end
48
- end
49
-
50
- def references_no_echo_parameter_without_default?(cfn_model, master_username)
51
- if master_username.is_a? Hash
52
- if master_username.key? 'Ref'
53
- if cfn_model.parameters.key? master_username['Ref']
54
- parameter = cfn_model.parameters[master_username['Ref']]
55
-
56
- return to_boolean(parameter.noEcho) && parameter.default.nil?
57
- else
58
- return false
59
- end
60
- else
61
- return false
62
- end
63
- end
64
- # String or anything weird will fall through here
65
- false
66
- end
67
40
  end
@@ -0,0 +1,24 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/util/truthy.rb'
4
+
5
+ # Migrated from multiple classes, with some modifications
6
+ # Returns true if the provided key_to_check is a no-echo parameter
7
+ # without a default value; false otherwise.
8
+ def no_echo_parameter_without_default?(cfn_model, key_to_check)
9
+ if key_to_check.is_a? Hash
10
+ if key_to_check.key? 'Ref'
11
+ if cfn_model.parameters.key? key_to_check['Ref']
12
+ parameter = cfn_model.parameters[key_to_check['Ref']]
13
+
14
+ return truthy?(parameter.noEcho) && parameter.default.nil?
15
+ else
16
+ return false
17
+ end
18
+ else
19
+ return false
20
+ end
21
+ end
22
+ # String or anything weird will fall through here
23
+ false
24
+ end
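Review bot: `no_echo_parameter_without_default?` nests three `if`s with a `return false` in every else branch plus a trailing fall-through `false`; the same decision reads as two guard clauses followed by the single positive check, which also makes the header comment's "false otherwise" visibly true (rewrite below, behaviour unchanged). Defining the helper with a top-level `def` makes it a private instance method on every `Object` (the same applies to `truthy?` in `truthy.rb`); a `module EnforceNoEchoParameter` with `module_function` would avoid colliding with other code loaded in the same process, at the cost of callers having to `include` or qualify it, so that is a judgement call for the maintainers. The header comment should also state what is rejected: a plain string value, any intrinsic other than `Ref`, a `Ref` to a parameter the model does not know, and a NoEcho parameter that has a `Default` all yield `false`.
```ruby
# Returns true only when key_to_check is a {'Ref' => name} pointing at a
# template parameter whose NoEcho is set and which has no Default.
# Plain strings, other intrinsic functions, Refs to unknown parameters
# and NoEcho parameters that carry a Default all yield false.
def no_echo_parameter_without_default?(cfn_model, key_to_check)
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')
  return false unless cfn_model.parameters.key?(key_to_check['Ref'])

  parameter = cfn_model.parameters[key_to_check['Ref']]
  truthy?(parameter.noEcho) && parameter.default.nil?
end
```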
@@ -0,0 +1,7 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Checks a string for truthiness. Any cased 'true' will evaluate to a true boolean.
4
+ # Any other string _at all_ results in false.
5
+ def truthy?(string)
6
+ string.to_s.casecmp('true').zero?
7
+ end
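Review bot: The comment above `truthy?` says it checks a string and that any other string is false, but the `to_s` coercion means the method accepts non-strings as well: a boolean `true` (which a YAML loader presumably hands back for `NoEcho: true`) returns true and `nil` returns false. Suggest replacing the two comment lines with `# Returns true when value.to_s equals 'true' ignoring case (true, 'True', 'TRUE'); nil and every other value return false.` `String#casecmp` also returns `nil` when the two strings have incompatible encodings, which would make the `.zero?` call raise `NoMethodError`; `string.to_s.casecmp?('true')` yields `nil` (falsy) instead of raising in that case, if the gem's minimum Ruby is 2.4 or later.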
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.81
4
+ version: 0.3.82
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-04-26 00:00:00.000000000 Z
11
+ date: 2019-05-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rspec
@@ -142,6 +142,7 @@ files:
142
142
  - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
143
143
  - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
144
144
  - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
145
+ - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
145
146
  - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
146
147
  - lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb
147
148
  - lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAtRestEncryptionRule.rb
@@ -209,6 +210,8 @@ files:
209
210
  - lib/cfn-nag/rule_id_set.rb
210
211
  - lib/cfn-nag/rule_registry.rb
211
212
  - lib/cfn-nag/template_discovery.rb
213
+ - lib/cfn-nag/util/enforce_noecho_parameter.rb
214
+ - lib/cfn-nag/util/truthy.rb
212
215
  - lib/cfn-nag/violation.rb
213
216
  - lib/cfn-nag/violation_filtering.rb
214
217
  homepage: https://github.com/stelligent/cfn_nag