RubyGems - cfn-nag - Versions diffs - 0.3.81 → 0.3.82 - Mend

cfn-nag 0.3.81 → 0.3.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +33 -0
data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb +1 -25
data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb +3 -30
data/lib/cfn-nag/util/enforce_noecho_parameter.rb +24 -0
data/lib/cfn-nag/util/truthy.rb +7 -0
metadata +5 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b308c84a5c3289a13883a89e589cb464d5a629e9d51147660cd252c50ee85c0
-  data.tar.gz: 804868f8a9c90a7c97788c91459bdabfa6663a8fb4e3b251153c89102bb69de4
+  metadata.gz: 93fe11635dc84e8b2b2dd8da535dae76801eb495589eee4fd9563b02104d6215
+  data.tar.gz: 5fddddfbf4bcd954492b0a12500ff44ac7fe22826cd8d6ad3c794870c9d9e675
 SHA512:
-  metadata.gz: ce73f908b62746f5dc1e3c4a026106ddaaa3adf9ec6bbe49b1c7b60f461c2b6c2486f25de7d940516069f6c9a94da52c413886e623c5178e06db12487445d5b7
-  data.tar.gz: 26079901e3a639a2b9e72f562ddb8481426d622cfdd3184e0c6be3af0cf0602d9d6b9fe80f0ec0c490f5e5d8a4a70b3c852c54d94d6a3a3c0ed48f47dd2c82af
+  metadata.gz: 9dd593f6cb582991b8e4b5da61668f18d5a59646c9e7c1484395974ad2ea5f86978b2b4a2d99179b720dd4b8aadd536f9e4dee0d5f94157501c751663ee48a73
+  data.tar.gz: e12af655af934e41450f5df8499ee95f539fd2285a48978af1694ae8614da24118cc50f011ea12ba94392748e7a890af17273ca1024c21ec518d32d8b60047ea

data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb ADDED Viewed

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter'
+require_relative 'base'
+# Rule class to fail on DirectoryService::SimpleAD password in template
+class DirectoryServiceSimpleADPasswordRule < BaseRule
+  def rule_text
+    'DirectoryService::SimpleAD should use a parameter for password, with NoEcho'
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F31'
+  end
+  def audit_impl(cfn_model)
+    violating_ad = cfn_model.resources_by_type('AWS::DirectoryService::SimpleAD')
+                            .select do |ad|
+      if ad.password.nil?
+        false
+      else
+        !no_echo_parameter_without_default?(cfn_model,
+                                            ad.password)
+      end
+    end
+    violating_ad.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter.rb'
 require_relative 'base'
 class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -34,29 +35,4 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
     violating_rdsinstances.map(&:logical_resource_id)
   end
-  private
-  def to_boolean(string)
-    string.to_s.casecmp('true').zero?
-  end
-  def no_echo_parameter_without_default?(cfn_model, master_user_password)
-    # i feel like i've written this mess somewhere before
-    if master_user_password.is_a? Hash
-      if master_user_password.key? 'Ref'
-        if cfn_model.parameters.key? master_user_password['Ref']
-          parameter = cfn_model.parameters[master_user_password['Ref']]
-          return to_boolean(parameter.noEcho) && parameter.default.nil?
-        else
-          return false
-        end
-      else
-        return false
-      end
-    end
-    # String or anything weird will fall through here
-    false
-  end
 end

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_noecho_parameter'
 require_relative 'base'
 # cfn_nag rules related to RDS Instance master username
@@ -29,39 +30,11 @@ class RDSInstanceMasterUsernameRule < BaseRule
       if instance.masterUsername.nil?
         false
       else
-        !references_no_echo_parameter_without_default?(cfn_model,
-                                                       instance.masterUsername)
+        !no_echo_parameter_without_default?(cfn_model,
+                                            instance.masterUsername)
       end
     end
     violating_rdsinstances.map(&:logical_resource_id)
   end
-  private
-  def to_boolean(string)
-    if string.to_s.casecmp('true').zero?
-      true
-    else
-      false
-    end
-  end
-  def references_no_echo_parameter_without_default?(cfn_model, master_username)
-    if master_username.is_a? Hash
-      if master_username.key? 'Ref'
-        if cfn_model.parameters.key? master_username['Ref']
-          parameter = cfn_model.parameters[master_username['Ref']]
-          return to_boolean(parameter.noEcho) && parameter.default.nil?
-        else
-          return false
-        end
-      else
-        return false
-      end
-    end
-    # String or anything weird will fall through here
-    false
-  end
 end

data/lib/cfn-nag/util/enforce_noecho_parameter.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require 'cfn-nag/util/truthy.rb'
+# Migrated from multiple classes, with some modifications
+# Returns true if the provided key_to_check is a no-echo parameter
+# without a default value; false otherwise.
+def no_echo_parameter_without_default?(cfn_model, key_to_check)
+  if key_to_check.is_a? Hash
+    if key_to_check.key? 'Ref'
+      if cfn_model.parameters.key? key_to_check['Ref']
+        parameter = cfn_model.parameters[key_to_check['Ref']]
+        return truthy?(parameter.noEcho) && parameter.default.nil?
+      else
+        return false
+      end
+    else
+      return false
+    end
+  end
+  # String or anything weird will fall through here
+  false
+end

data/lib/cfn-nag/util/truthy.rb ADDED Viewed

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+# Checks a string for truthiness. Any cased 'true' will evaluate to a true boolean.
+# Any other string _at all_ results in false.
+def truthy?(string)
+  string.to_s.casecmp('true').zero?
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.81
+  version: 0.3.82
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-04-26 00:00:00.000000000 Z
+date: 2019-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -142,6 +142,7 @@ files:
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
+- lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
 - lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb
 - lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAtRestEncryptionRule.rb
@@ -209,6 +210,8 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
+- lib/cfn-nag/util/enforce_noecho_parameter.rb
+- lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag