RubyGems - cfn-nag - Versions diffs - 0.4.70 → 0.4.71 - Mend

cfn-nag 0.4.70 → 0.4.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +31 -0
data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +31 -0
metadata +3 -3
data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb +0 -56
data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb +0 -53

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5f716aaaa7aa9cf67851bc4e5b617779a57f2efa7f36cc0a2a7afafa9614917
-  data.tar.gz: 332173d8f2a259b4e3192b429789abff67d96b22e3dea0e4677452b47146b49a
+  metadata.gz: 8aac032953583895153e90c0c12415050b835ff4d220df996979b4ec8d769a82
+  data.tar.gz: 6ebf25a6c6a86e76e11081c7016bbad1148a5af529cc85db608d84b9bbcf7836
 SHA512:
-  metadata.gz: 6cf097e08a2bf950ad1bc8be489de3bb36fbe8013b474096b040ca33dfd8d5dad151a1fa64546f5d42e992fed163b41189b0a0099689322120cb9f091fe5d7d0
-  data.tar.gz: 1e71cf559c01a9b9e1bdb5d86a629a38da31b6a39c5fe1c2b7323bc45c874a355fdaa2e33e41477b60ff96823dce246b15aedd38cd6298357e55d68de2ceddbd
+  metadata.gz: 90b0d3a36532be603b08bbf78c8c5f28df13bf3164cd5cf0c9ed06ff56093445dc42a27540b0e09a2c8f1606d1e5b28bfdec4cb8d4a742c09e972bdcab34cf29
+  data.tar.gz: f798dd0079bb6448ee8bd130d13f053e9c2c282a7c2b7e06976850962ecb166437ccb158634cb8859c23b496a33c17ce9199aa9a309dd1b521c8abf48814c4f3

data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'sub_property_with_list_password_base_rule'
+class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
+  def rule_text
+    'AmazonMQ Broker Users Password must not be a plaintext ' \
+    'string or a Ref to a NoEcho Parameter with a Default value.'
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F52'
+  end
+  def resource_type
+    'AWS::AmazonMQ::Broker'
+  end
+  def password_property
+    :users
+  end
+  def sub_property_name
+    'Password'
+  end
+end

data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'password_base_rule'
+class IAMUserLoginProfilePasswordRule < PasswordBaseRule
+  def rule_text
+    'IAM User LoginProfile Password must not be a plaintext string or ' \
+    'a Ref to a NoEcho Parameter with a Default value.'
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F51'
+  end
+  def resource_type
+    'AWS::IAM::User'
+  end
+  def password_property
+    :loginProfile
+  end
+  def sub_property_name
+    'Password'
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.70
+  version: 0.4.71
 platform: ruby
 authors:
 - Eric Kascic
@@ -159,7 +159,7 @@ files:
 - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
 - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerEncryptionOptionsRule.rb
-- lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
@@ -187,6 +187,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2AccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
@@ -208,7 +209,6 @@ files:
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
-- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb

data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb DELETED

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-class AmazonMQBrokerUserPasswordRule < BaseRule
-  def rule_text
-    'Amazon MQ Broker resource Users property should exist and its Password property value ' \
-    'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-  end
-  def rule_type
-    Violation::FAILING_VIOLATION
-  end
-  def rule_id
-    'F52'
-  end
-  def audit_impl(cfn_model)
-    brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
-    violating_brokers = brokers.select do |mq_broker|
-      violating_users?(cfn_model, mq_broker)
-    end
-    violating_brokers.map(&:logical_resource_id)
-  end
-  private
-  def user_has_insecure_password?(cfn_model, user)
-    if user.key? 'Password'
-      if insecure_parameter?(cfn_model, user['Password'])
-        true
-      elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
-        true
-      elsif user['Password'].nil?
-        true
-      end
-    else
-      true
-    end
-  end
-  def violating_users?(cfn_model, mq_broker)
-    if !mq_broker.users.nil?
-      violating_users = mq_broker.users.select do |user|
-        user_has_insecure_password?(cfn_model, user)
-      end
-      !violating_users.empty?
-    else
-      true
-    end
-  end
-end

data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb DELETED

@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-class IamUserLoginProfilePasswordRule < BaseRule
-  def rule_text
-    'If the IAM user LoginProile property exists, then its Password value should not ' \
-    'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-  end
-  def rule_type
-    Violation::FAILING_VIOLATION
-  end
-  def rule_id
-    'F51'
-  end
-  def audit_impl(cfn_model)
-    resources = cfn_model.resources_by_type('AWS::IAM::User')
-    violating_resources = resources.select do |iam_user|
-      violating_users?(cfn_model, iam_user)
-    end
-    violating_resources.map(&:logical_resource_id)
-  end
-  private
-  def iam_user_has_insecure_password?(cfn_model, login_profile)
-    if login_profile.key? 'Password'
-      if insecure_parameter?(cfn_model, login_profile['Password'])
-        true
-      elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
-        true
-      elsif login_profile['Password'].nil?
-        true
-      end
-    else
-      true
-    end
-  end
-  def violating_users?(cfn_model, iam_user)
-    if !iam_user.loginProfile.nil?
-      iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
-    else
-      false
-    end
-  end
-end