cfn-nag 0.4.28 → 0.4.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
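--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3f4ecf712c97dd6ed7c5ddcf6a2ce4dad39bed49126cda319b5ed745e7f9cfe7
- data.tar.gz: ebf786e319e90aa28b8da6c214ee0ec4f44ec1aa54ab8dd9f35bb5e537414ec3
+ metadata.gz: '011839ee5d19c5990b7fb7b28a87b961336cf98a35a3a7fa5792e01e5d9470cc'
+ data.tar.gz: b04751c2b454226955d2b6aac10ee005338c9a5cb2aa0f3c34bfd5ca216138b6
  SHA512:
- metadata.gz: 1730e2a044e598aeba8505dfa7ea891b61475ca64dfca3cc3630aa25509cf8c2cec2add50bc8efbb20e19a840a27e93a4a6727d8dfd1b9060b0832b019628f7f
- data.tar.gz: 8d4a72cf87fab25fb416042ee00a0a19309c253e512e93db24979767e6cc4028683c94457a01d60de546480755d36ebb27e35aba1a14ef02e6cb0d06916b7b98
+ metadata.gz: 98a9ffb0a8d6888eabf60416c88e1ad05626eacf0bf279a05ac973f7140702eec5cc9915acf2464176e1bb43bbccc8decac5dac048a62b6ae95e5fc16f196de8
+ data.tar.gz: 2c16cc585f3d22f7912d32d38202fe67297ab3c10927f4f5e329384fa0916052cf633027349fbc92db9be496959f0f9346eee423886f8ceef95ab1f3a2e324a8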
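--- a/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
@@ -0,0 +1,31 @@
+ # frozen_string_literal: true
+
+ require 'cfn-nag/violation'
+ require_relative 'password_base_rule'
+
+ class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
+ def rule_text
+ 'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
+ 'or a Ref to a NoEcho Parameter with a Default value.'
+ end
+
+ def rule_type
+ Violation::FAILING_VIOLATION
+ end
+
+ def rule_id
+ 'F50'
+ end
+
+ def resource_type
+ 'AWS::Amplify::App'
+ end
+
+ def password_property
+ :basicAuthConfig
+ end
+
+ def sub_property_name
+ 'Password'
+ end
+ end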
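Review bot: The new class has no comment stating what it inspects, so its intent is only recoverable from `rule_text`, and the split between `password_property` (`:basicAuthConfig`, the accessor on the resource) and `sub_property_name` (`'Password'`, a key looked up inside that value) is left for the reader to reconstruct from the base class. A short comment above the class along the lines of `# F50: AWS::Amplify::App whose BasicAuthConfig.Password is a plaintext string or a Ref to a NoEcho Parameter with a Default value (evaluation lives in PasswordBaseRule).` would make the rule self-describing. Since the lookup path for the sub-property is new in this release, a spec covering an Amplify App with no BasicAuthConfig at all would also pin down that such resources are reported as non-violating rather than erroring.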
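--- a/lib/cfn-nag/custom_rules/password_base_rule.rb
+++ b/lib/cfn-nag/custom_rules/password_base_rule.rb
@@ -14,19 +14,49 @@ class PasswordBaseRule < BaseRule
  raise 'must implement in subclass'
  end
 
+ def sub_property_name; end
+
  def audit_impl(cfn_model)
  resources = cfn_model.resources_by_type(resource_type)
 
  violating_resources = resources.select do |resource|
- if resource.send(password_property).nil?
+ if verify_parameter_exists(resource, password_property, sub_property_name)
  false
  else
- insecure_parameter?(cfn_model, resource.send(password_property)) ||
- insecure_string_or_dynamic_reference?(cfn_model,
- resource.send(password_property))
+ verify_insecure_string_and_parameter(
+ cfn_model, resource, password_property, sub_property_name
+ )
  end
  end
 
  violating_resources.map(&:logical_resource_id)
  end
  end
+
+ private
+
+ def verify_parameter_exists(resource, password_property, sub_property_name)
+ if sub_property_name.nil?
+ resource.send(password_property).nil?
+ else
+ resource.send(password_property)[sub_property_name].nil?
+ end
+ end
+
+ def verify_insecure_string_and_parameter(
+ cfn_model, resource, password_property, sub_property_name
+ )
+ if sub_property_name.nil?
+ insecure_parameter?(cfn_model, resource.send(password_property)) ||
+ insecure_string_or_dynamic_reference?(
+ cfn_model, resource.send(password_property)
+ )
+ else
+ insecure_parameter?(
+ cfn_model, resource.send(password_property)[sub_property_name]
+ ) ||
+ insecure_string_or_dynamic_reference?(
+ cfn_model, resource.send(password_property)[sub_property_name]
+ )
+ end
+ end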
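Review bot: In `verify_parameter_exists`, the `else` branch indexes `resource.send(password_property)[sub_property_name]` without first checking that the parent value is present, so when a subclass defines `sub_property_name` and a resource omits the parent property — the case the removed `.nil?` check used to handle — the call becomes `nil[...]` and raises `NoMethodError`, aborting the rule for the whole template instead of treating the resource as non-violating. Adding `return true if resource.send(password_property).nil?` as the method's first line restores the skip-when-absent behaviour for both branches, and `verify_insecure_string_and_parameter` is then only reached with a non-nil parent. The helper's name also reads inverted: it returns true when the password is *missing*, so `password_missing?` (with the matching rename at its call site in `audit_impl`) would say what the `if ... false` in the select block actually means. The class's opening and the methods before `audit_impl` lie outside the hunk.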
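--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cfn-nag
  version: !ruby/object:Gem::Version
- version: 0.4.28
+ version: 0.4.29
  platform: ruby
  authors:
  - Eric Kascic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2019-07-02 00:00:00.000000000 Z
+ date: 2019-07-05 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -170,6 +170,7 @@ files:
  - lib/cfn-nag/cfn_nag_logging.rb
  - lib/cfn-nag/cli_options.rb
  - lib/cfn-nag/custom_rule_loader.rb
+ - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
  - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
  - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
  - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb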