cfn-nag 0.4.23 → 0.4.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5572ec3d44e64f632333208c4033c6886dedc9d863bd42a4fe6f3375cc0f9af
-  data.tar.gz: 9bf4ee8a6658b21a1081b207305ad8b62ae7a1fd2d030d72a12521b31a20c20d
+  metadata.gz: f9485f94c90e2e05e6e2ff624e8c43e70a5ca4fb5946060a6301d53f1e3f053f
+  data.tar.gz: 40b173ce55caad1c9fe9991ea4a8520d89ced23e0d2f2f6258295bc5925c9540
 SHA512:
-  metadata.gz: f1de134ef12c55bf97777244950df3e2b268619e6fb3df596f970bb8591111db26a16b7a697d0cab48f660448cf40f3936c5a19cef2ab360bd8badb861953216
-  data.tar.gz: 400363143dae1804502ab59a826cfa394527833b435a8a0ca1087b3f778ab7591e1a261761139791a66d1d0e3c2afa9a68423af6dbc809da6d73afd023552c98
+  metadata.gz: b482ad1361062684629561b900f69ec92e54c1a6f213edd1a958e916ace31ee196e09d5690441765c99530d2898728ad7662a62d6d56c76c5e4932ad41542c33
+  data.tar.gz: b93b1b8d83ffad07cd6da18ddf13f33109b0b72c553f8c3af6ae3dbb3a8f6917567fd78314a6f908f5e57b59cb9f1022b9d492ae4e7ed80c54cdc06e40cda9ff

data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
-class DMSEndpointPasswordRule < BaseRule
+class DMSEndpointPasswordRule < PasswordBaseRule
   def rule_text
-    'DMS Endpoint must not be a plaintext string or a Ref to a NoEcho ' \
-    'Parameter with a Default value.'
+    'DMS Endpoint password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -19,17 +17,11 @@ class DMSEndpointPasswordRule < BaseRule
     'F37'
   end
 
-  def audit_impl(cfn_model)
-    dms_endpoints = cfn_model.resources_by_type('AWS::DMS::Endpoint')
-    violating_dms_endpoints = dms_endpoints.select do |endpoint|
-      if endpoint.password.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, endpoint.password) ||
-          insecure_string_or_dynamic_reference?(cfn_model, endpoint.password)
-      end
-    end
+  def resource_type
+    'AWS::DMS::Endpoint'
+  end
 
-    violating_dms_endpoints.map(&:logical_resource_id)
+  def password_property
+    :password
   end
 end

data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb

@@ -1,15 +1,13 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
 # Rule class to fail on DirectoryService::MicrosoftAD password in template
-class DirectoryServiceMicrosoftADPasswordRule < BaseRule
+class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
   def rule_text
-    'Directory Service Microsoft AD must not be a plaintext string or a ' \
-    'Ref to a NoEcho Parameter with a Default value.'
+    'Directory Service Microsoft AD password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -20,16 +18,11 @@ class DirectoryServiceMicrosoftADPasswordRule < BaseRule
     'F36'
   end
 
-  def audit_impl(cfn_model)
-    violating_ad = cfn_model.resources_by_type('AWS::DirectoryService::MicrosoftAD')
-                            .select do |ad|
-      if ad.password.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, ad.password) ||
-          insecure_string_or_dynamic_reference?(cfn_model, ad.password)
-      end
-    end
-    violating_ad.map(&:logical_resource_id)
+  def resource_type
+    'AWS::DirectoryService::MicrosoftAD'
+  end
+
+  def password_property
+    :password
   end
 end

data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb

@@ -1,14 +1,13 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
 # Rule class to fail on DirectoryService::SimpleAD password in template
-class DirectoryServiceSimpleADPasswordRule < BaseRule
+class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
   def rule_text
-    'DirectoryService::SimpleAD should use a parameter for password, with NoEcho'
+    'DirectoryService SimpleAD password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -19,16 +18,11 @@ class DirectoryServiceSimpleADPasswordRule < BaseRule
     'F31'
   end
 
-  def audit_impl(cfn_model)
-    violating_ad = cfn_model.resources_by_type('AWS::DirectoryService::SimpleAD')
-                            .select do |ad|
-      if ad.password.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, ad.password) ||
-          insecure_string_or_dynamic_reference?(cfn_model, ad.password)
-      end
-    end
-    violating_ad.map(&:logical_resource_id)
+  def resource_type
+    'AWS::DirectoryService::SimpleAD'
+  end
+
+  def password_property
+    :password
   end
 end

data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
-class RDSDBClusterMasterUserPasswordRule < BaseRule
+class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
-    'RDS DB Cluster master user password must be Ref to NoEcho Parameter. ' \
-    'Default credentials are not recommended'
+    'RDS DB Cluster master user password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -19,17 +17,11 @@ class RDSDBClusterMasterUserPasswordRule < BaseRule
     'F34'
   end
 
-  def audit_impl(cfn_model)
-    rds_dbclusters = cfn_model.resources_by_type('AWS::RDS::DBCluster')
-    violating_rdsclusters = rds_dbclusters.select do |cluster|
-      if cluster.masterUserPassword.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
-          insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
-      end
-    end
+  def resource_type
+    'AWS::RDS::DBCluster'
+  end
 
-    violating_rdsclusters.map(&:logical_resource_id)
+  def password_property
+    :masterUserPassword
   end
 end

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
-class RDSInstanceMasterUserPasswordRule < BaseRule
+class RDSInstanceMasterUserPasswordRule < PasswordBaseRule
   def rule_text
-    'RDS instance master user password must be Ref to NoEcho Parameter. ' \
-    'Default credentials are not recommended'
+    'RDS instance master user password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -19,21 +17,11 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
     'F23'
   end
 
-  # one word of warning... if somebody applies parameter values via JSON....
-  # this will compare that....
-  # probably shouldn't be doing that though if it's NoEcho there's a good reason
-  # bother checking synthesized_value? that would be the indicator.....
-  def audit_impl(cfn_model)
-    rds_dbinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
-    violating_rdsinstances = rds_dbinstances.select do |instance|
-      if instance.masterUserPassword.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, instance.masterUserPassword) ||
-          insecure_string_or_dynamic_reference?(cfn_model, instance.masterUserPassword)
-      end
-    end
+  def resource_type
+    'AWS::RDS::DBInstance'
+  end
 
-    violating_rdsinstances.map(&:logical_resource_id)
+  def password_property
+    :masterUserPassword
   end
 end

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb

@@ -1,15 +1,13 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
 # cfn_nag rules related to RDS Instance master username
-class RDSInstanceMasterUsernameRule < BaseRule
+class RDSInstanceMasterUsernameRule < PasswordBaseRule
   def rule_text
-    'RDS instance master username must be Ref to NoEcho Parameter. Default ' \
-    'credentials are not recommended'
+    'RDS instance master username must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -20,22 +18,11 @@ class RDSInstanceMasterUsernameRule < BaseRule
     'F24'
   end
 
-  # Warning: if somebody applies parameter values via JSON, this will compare
-  # that....
-  # probably shouldn't be doing that though -
-  # if it's NoEcho there's a good reason
-  # bother checking synthesized_value? that would be the indicator.....
-  def audit_impl(cfn_model)
-    violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
-                                      .select do |instance|
-      if instance.masterUsername.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, instance.masterUsername) ||
-          insecure_string_or_dynamic_reference?(cfn_model, instance.masterUsername)
-      end
-    end
+  def resource_type
+    'AWS::RDS::DBInstance'
+  end
 
-    violating_rdsinstances.map(&:logical_resource_id)
+  def password_property
+    :masterUsername
   end
 end

data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb

@@ -1,14 +1,12 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
+require_relative 'password_base_rule'
 
-class RedshiftClusterMasterUserPasswordRule < BaseRule
+class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
-    'Redshift Cluster master user password must be Ref to NoEcho Parameter. ' \
-    'Default credentials are not recommended'
+    'Redshift Cluster master user password must not be a plaintext string ' \
+    'or a Ref to a NoEcho Parameter with a Default value.'
   end
 
   def rule_type
@@ -19,17 +17,11 @@ class RedshiftClusterMasterUserPasswordRule < BaseRule
     'F35'
   end
 
-  def audit_impl(cfn_model)
-    redshift_clusters = cfn_model.resources_by_type('AWS::Redshift::Cluster')
-    violating_redshift_clusters = redshift_clusters.select do |cluster|
-      if cluster.masterUserPassword.nil?
-        false
-      else
-        insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
-          insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
-      end
-    end
+  def resource_type
+    'AWS::Redshift::Cluster'
+  end
 
-    violating_redshift_clusters.map(&:logical_resource_id)
+  def password_property
+    :masterUserPassword
   end
 end

data/lib/cfn-nag/custom_rules/password_base_rule.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class PasswordBaseRule < BaseRule
+  def resource_type
+    raise 'must implement in subclass'
+  end
+
+  def password_property
+    raise 'must implement in subclass'
+  end
+
+  def audit_impl(cfn_model)
+    resources = cfn_model.resources_by_type(resource_type)
+
+    violating_resources = resources.select do |resource|
+      if resource.send(password_property).nil?
+        false
+      else
+        insecure_parameter?(cfn_model, resource.send(password_property)) ||
+          insecure_string_or_dynamic_reference?(cfn_model,
+                                                resource.send(password_property))
+      end
+    end
+
+    violating_resources.map(&:logical_resource_id)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.23
+  version: 0.4.24
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-24 00:00:00.000000000 Z
+date: 2019-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -239,6 +239,7 @@ files:
 - lib/cfn-nag/custom_rules/WorkspacesWorkspaceEncryptionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
 - lib/cfn-nag/custom_rules/boolean_base_rule.rb
+- lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb