puppet-lint-security-plugins 0.1.6

data/lib/puppet-lint/plugins/check_security_package_pinned_version.rb

@@ -0,0 +1,25 @@
+require 'puppet-lint-security-plugins'
+
+# Matches package resources with specified version number
+PuppetLint.new_check(:security_package_pinned_version) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'package',
+      :severity => :warning,
+      :message => 'Package version pinned (security!)'
+    ) do |rule|
+
+      ensures = get_value_token_for_parameter(rule[:tokens],'ensure')
+
+      valid_values=['latest','purged','installed','present','installed','absent','held']
+
+      ensures.find_all do |token|
+        not valid_values.include? token.value
+      end
+
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_password_in_code.rb

@@ -0,0 +1,31 @@
+require 'puppet-lint-security-plugins'
+
+# Matches variable definitions wich may store passwords in clear text
+PuppetLint.new_check(:security_password_in_code) do
+
+  def check
+    passwords=/\A.*(passwor[dt]|_pwd?).*\z/i
+
+    variables_with_passwords=tokens.find_all do |token|
+      if token.type == :VARIABLE and token.value =~ passwords
+        value_token=get_variable_value_for(token) # maybe nil, if just a class parameter
+      end
+      is_a_good_password_variable = ( value_token.nil? or
+                                     value_token.value == 'hiera' or
+                                     value_token.value.empty? or
+                                     (
+                                       value_token.type != :STRING and
+                                       value_token.type != :SSTRING
+                                     )
+                                    )
+      not is_a_good_password_variable
+    end
+
+    bulk_notify(
+      :result => variables_with_passwords,
+      :severity => :error,
+      :message => 'Possible password in code detected (security!)'
+    )
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_password_variable_in_exec.rb

@@ -0,0 +1,22 @@
+require 'puppet-lint-security-plugins'
+
+# Matches class or defined_type parameters used in exec
+PuppetLint.new_check(:security_password_variable_in_exec) do
+  def check
+
+    check_resource_index(
+      :resource_type => 'exec',
+      :severity => :error,
+      :message => 'Possible password variable in exec used (security!)'
+    ) do |rule|
+
+      passwords=/\A.*(passwor[dt]|_pwd?).*\z/i
+
+      command_tokens=get_value_token_for_parameter(rule[:tokens],'command')
+      command_tokens.find_all do |token|
+        token.type == :VARIABLE and token.value =~ passwords
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_regex_unspecific.rb

@@ -0,0 +1,23 @@
+require 'puppet-lint-security-plugins'
+
+# Matches regular expression without start or end of string (\A,\z)
+# or line (^,$) range markers 
+PuppetLint.new_check(:security_regex_unspecific) do
+
+  def check
+
+    start_or_end_of_line_or_string_used = /\A(\\A|\^).*(\\z|\$)\z/
+
+    result = tokens.find_all do |token|
+      token.type == :REGEX and 
+        token.value !~ start_or_end_of_line_or_string_used
+    end
+
+    bulk_notify(
+      :result => result,
+      :severity => :warning,
+      :message => 'Unspecific regex used, maybe too much is matched.'
+
+    ) 
+  end
+end

data/lib/puppet-lint/plugins/check_security_service_mysql_disabled.rb

@@ -0,0 +1,22 @@
+require 'puppet-lint-security-plugins'
+
+# Matches class or defined_type parameters used in exec
+PuppetLint.new_check(:security_service_mysql_disabled) do
+  def check
+
+    check_resource_index(
+      :resource_type => 'service',
+      :severity => :warning,
+      :message => 'MySQL service disabled (security!)'
+    ) do |rule|
+
+      value_tokens=get_value_token_for_parameter(rule[:tokens],'ensure')
+      title_token = get_resource_title_for(rule)
+      title = title_token.value unless title_token.nil?
+      value_tokens.find_all do |token|
+        token.value == 'stopped' and title == 'mysql'
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_service_puppetmaster_disabled.rb

@@ -0,0 +1,24 @@
+require 'puppet-lint-security-plugins'
+
+# Matches class or defined_type parameters used in exec
+PuppetLint.new_check(:security_service_puppetmaster_disabled) do
+  def check
+
+    check_resource_index(
+      :resource_type => 'service',
+      :severity => :warning,
+      :message => 'Puppetmaster service disabled (security!)'
+    ) do |rule|
+
+      value_tokens=get_value_token_for_parameter(rule[:tokens],'ensure')
+
+      title_token = get_resource_title_for(rule)
+      title = title_token.value unless title_token.nil?
+
+      value_tokens.find_all do |token|
+        token.value == 'stopped' and title == 'puppetmaster'
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_ssh_root_allowed.rb

@@ -0,0 +1,26 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: saz/ssh module (https://forge.puppetlabs.com/saz/ssh)
+# Matches ssh resources with PermitRootLogin enabled
+PuppetLint.new_check(:security_ssh_root_allowed) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => ['ssh','ssh::server'],
+      :severity => :error,
+      :message => 'SSH root login allowed (security!)'
+    ) do |rule|
+
+      options = get_hash_tokens_for_parameter(rule[:tokens],'options')#.each do |option|
+      options += get_hash_tokens_for_parameter(rule[:tokens],'server_options')#.each do |option|
+      permit_root_logins = get_value_token_for_parameter(options,'PermitRootLogin')
+
+      permit_root_logins.find_all do |token|
+        ['true','1','yes'].include? token.value
+      end
+
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_sudo_with_world_nopasswd.rb

@@ -0,0 +1,23 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: saz/sudo module (https://forge.puppetlabs.com/saz/sudo)
+# Matches sudo resources with world root permissions
+PuppetLint.new_check(:security_sudo_with_world_nopasswd) do
+
+  def check
+    bad_sudo_regex=/\AALL.*NOPASSWD.*\z/i
+
+    check_resource_index(
+      :resource_type => 'sudo::conf',
+      :severity => :error,
+      :message => 'Sudo access with world permissions detected (security!)'
+    ) do |rule|
+
+      sudo_rules=get_value_token_for_parameter(rule[:tokens],'content')
+      sudo_rules.find_all do |token|
+        token.value =~ bad_sudo_regex
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_tidy_all_files.rb

@@ -0,0 +1,20 @@
+require 'puppet-lint-security-plugins'
+
+# Matches tidy resources without age and size parameters
+PuppetLint.new_check(:security_tidy_all_files) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'tidy',
+      :severity => :warning,
+      :message => 'Purging all files, be warned!'
+    ) do |rule|
+
+      ages=get_value_token_for_parameter(rule[:tokens],'age')
+      sizes=get_value_token_for_parameter(rule[:tokens],'size')
+      rule[:tokens].first if (ages + sizes).empty?
+
+    end
+  end
+end

data/lib/puppet-lint/plugins/check_security_tidy_matches_greedy.rb

@@ -0,0 +1,27 @@
+require 'puppet-lint-security-plugins'
+
+# Matches tidy resources with 'match' parameter equals '*'
+PuppetLint.new_check(:security_tidy_matches_greedy) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'tidy',
+      :severity => :warning,
+      :message => 'This will delete all files, be warned!'
+    ) do |rule|
+
+      tokens=rule[:tokens]
+      if value_is_array?(tokens,'matches')
+        matches=get_array_tokens_for_parameter(tokens,'matches')
+      else
+        matches=get_value_token_for_parameter(tokens,'matches')
+      end
+      matches.find_all do |token|
+        token.value == '*'
+      end
+
+    end
+  end
+end
+

data/lib/puppet-lint/plugins/check_security_tidy_recurse.rb

@@ -0,0 +1,21 @@
+require 'puppet-lint-security-plugins'
+
+# Matches tidy resources with recurse parameter enabled
+PuppetLint.new_check(:security_tidy_recurse) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'tidy',
+      :severity => :warning,
+      :message => 'Purging files recurse, be warned!'
+    ) do |rule|
+
+      recurses=get_value_token_for_parameter(rule[:tokens],'recurse')
+      recurses.find_all do |token|
+        ['true','1','inf'].include? token.value
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_user_with_id_0_created.rb

@@ -0,0 +1,28 @@
+require 'puppet-lint-security-plugins'
+
+# Matches user resources creating a non root user with id 0
+PuppetLint.new_check(:security_user_with_id_0_created) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'user',
+      :severity => :error,
+      :message => 'Another User with ID 0 would be created (security!)'
+    ) do |rule|
+
+      title=get_resource_title_for(rule)
+      uids=get_value_token_for_parameter(rule[:tokens],'uid')
+      allowdupes=get_value_token_for_parameter(rule[:tokens],'allowdupe')
+      users=get_value_token_for_parameter(rule[:tokens],'name')
+      users << title
+
+      uid_zero=uids.find_all{|uid| uid.value == "0"}
+      allowdupe_true=allowdupes.find_all{|allowdupe| allowdupe.value == "true"}
+
+      rule[:tokens].first if (not users.include? 'root') and
+        (not uid_zero.empty?) and (not allowdupe_true.empty?)
+    end
+
+  end
+end

data/lib/puppet-lint/security.rb

@@ -0,0 +1,280 @@
+# Defines helper methods for check plugins
+class PuppetLint::CheckPlugin
+
+  # This types represent valid values for variables and parameters
+  VALID_CONTENT_TOKENS=[:NAME,:SSTRING,:STRING,:NUMBER,:TRUE,:FALSE,:DQPRE,:DQMID,:DQPOST,:VARIABLE]
+
+  # Checks if given resource is defined in given class or define
+  #
+  # @param resource [Hash] puppet-lint resource_index hash
+  # @param class_or_define [Hash] puppet-lint class_index or defined_type_index hash
+  # @return [Boolean] it is defined inside or not
+  def resource_in_class_or_define?(resource,class_or_define)
+    resource[:start] > class_or_define[:start] and
+      resource[:end] < class_or_define[:end]
+  end
+
+  # Checks if given parameter of a puppet resource is an array
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param parameter [String] search only mathing parameters
+  # @return [Boolean] it is an array or not
+  def value_is_array?(tokens,parameter)
+    values_with_lbracks=tokens.find_all do |token|
+      #  match 'parameter => ['
+      token.type == :LBRACK and
+        token.prev_code_token.type == :FARROW and
+        token.prev_code_token.prev_code_token.value == parameter
+    end
+    not values_with_lbracks.empty?
+  end
+
+  # Get array of tokens for given parameter out of puppet resource definition
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param parameter [String] search only mathing parameters
+  # @return [Array] an array of matching token objects
+  def get_array_tokens_for_parameter(tokens,parameter)
+    get_tokens_between(tokens,:BRACK,parameter).reject do |token|
+      token.type == :COMMA
+    end
+  end
+
+  # Get array of tokens with given parameter out of a hash
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param parameter [String] search only mathing parameters
+  # @return [Array] an array of matching token objects
+  def get_hash_tokens_for_parameter(tokens,parameter)
+    get_tokens_between(tokens,:BRACE,parameter)
+  end
+
+  # Get array of tokens with given parameter out of any puppet block
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param parameter [String] search only mathing parameters
+  # @return [Array] an array of matching token objects
+  def get_tokens_between(tokens,type,parameter)
+    brace_open=tokens.find do |token|
+      token.type == left(type) and
+        # Vorher kommt ein Pfeil, somit ist es der  Wert eines Parmeters
+        token.prev_code_token.type == :FARROW and
+        # Vor dem Pfeil kommt der gesuchte Parameter
+        token.prev_code_token.prev_code_token.value == parameter
+    end
+
+    if brace_open.nil?
+      return []
+    else
+      return get_block_between(type,brace_open)
+    end
+  end
+
+  # Get resource block for given puppet resource name.
+  # Resource type is irrelevant
+  #
+  # @param resource_title [String] resource title of queried resource block
+  # @param token [PuppetLint::Lexer::Token] Token of a puppet resource
+  # @return [Array] an array of array with matching token objects
+  def get_resource_block_for(resource_title,token)
+      titles=title_tokens_with_block
+
+      titles.find_all do | hash |
+        hash[:title].value == resource_title
+      end.first.values.flatten
+
+  end
+
+  # Get array of tokens with values of given parameter
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param parameter [String] search only mathing parameters
+  # @return [Array] an array of matching token objects
+  def get_value_token_for_parameter(tokens,parameter)
+    value_starts_tokens=tokens.find_all do |token|
+      VALID_CONTENT_TOKENS.include? token.type and
+        # An arrow first indicates the value of a parameter
+        token.prev_code_token.type == :FARROW and
+        # The given parameter comes first, then the arrow
+        token.prev_code_token.prev_code_token.value == parameter
+    end
+    value_starts_tokens.map do |token|
+      if token.type==:DQPRE
+        t=[]
+        until token.type == :DQPOST
+          t << token
+          token=token.next_code_token
+        end
+        t
+      else
+        token
+      end
+    end.flatten
+  end
+
+  # Get array of tokens with arguments of a puppet-function
+  #
+  # @param tokens [Array] puppet-lint token objects
+  # @param function [String] search only mathing functions
+  # @return [Array] an array of matching token objects
+  def get_argument_token_for_function(tokens,function)
+    lparen=tokens.find do |token|
+      token.type == :LPAREN and
+        token.prev_code_token.type == :NAME and
+        token.prev_code_token.value == function
+    end
+
+    if lparen.nil?
+      return []
+    else
+      return get_block_between(:PAREN,lparen)
+    end
+  end
+
+  # Get first token with begin of value to a given parameter token
+  #
+  # @param token [PuppetLint::Lexer::Token] Token of a parameter to a puppet resource
+  # @return [PuppetLint::Lexer::Token] Token with value (first token after equals
+  def get_variable_value_for(token)
+    if token.type == :VARIABLE and token.next_code_token.type == :EQUALS
+      token=token.next_code_token
+      until token.next_code_token.nil? or VALID_CONTENT_TOKENS.include? token.type or token.type == :VARIABLE
+        token=token.next_code_token
+      end
+      return token
+    else
+      return nil
+    end
+  end
+
+  # Get Hash of titles and tokens of puppet manifest
+  #
+  # @return [Array] of [Hashes] with title as [PuppetLint::Lexer::Token] token
+  #         and array of token with parameters as [PuppetLint::Lexer::Token]
+  def title_tokens_with_block
+
+    # Get all token blocks having between colon and semic or rbrace
+    title_tokens.map do |block_starter|
+      token_array=[]
+      t = block_starter.next_token
+
+      until [:SEMIC,:RBRACE].include? t.type
+        token_array << t unless t.type == :COLON
+        t = t.next_token
+      end
+
+      {
+        :title   => block_starter,
+        :tokens  => token_array
+      }
+
+    end
+
+  end
+
+  # Get resource title for rule
+  #
+  # @param [Hash] representing a resource_index
+  # @return [String] resource title of given rule
+  def get_resource_title_for(rule)
+    title_token=title_tokens_with_block.find do |h|
+      h[:tokens].first == rule[:tokens].first
+    end
+    title_token[:title] unless title_token.nil?
+  end
+
+
+  # Warps puppet-lint notify and generates notifies for array of problems
+  #
+  # @param hash [Hash] Hash with options
+  # @option hash [Array] :result Array of PuppetLint::Lexer::Token containing problems
+  # @option hash [Symbol] :severity Severity of problem (:warning or :critical)
+  # @option hash [String] :message Description of problem
+  #
+  # @return nothing
+  def bulk_notify(hash)
+    hash[:result].each do |v|
+      notify hash[:severity], {
+        :message => hash[:message],
+        :line    => v.line,
+        :column  => v.column,
+      }
+    end
+  end
+
+  # Wrapper to check logic. Searches tokens matching given puppet resource or class.
+  #
+  # @param hash [Hash] Hash with options
+  # @option hash [Array] :resource_type Array of PuppetLint::Lexer::Token containing problems
+  # @option hash [Symbol] :severity Severity of problem (:warning or :critical)
+  # @option hash [String] :message Description of problem
+  #
+  # @return nothing
+  def check_resource_index(hash)
+
+    # Operate on arrays
+    unless hash[:resource_type].is_a? Array
+      resource_types=[hash[:resource_type]]
+    else
+      resource_types=hash[:resource_type]
+    end
+
+    rules=resource_indexes.find_all do |resource|
+      # Need to search resource titles, when not a predefined puppet resource
+      if resource[:type].type == :CLASS
+         resource_titles = title_tokens.map { |t| t.value }
+         diff_titles = (resource_types - resource_titles)
+
+         # Difference is smaler then original
+         # so some elements where substracted
+         diff_titles.count < resource_types.count
+      else
+        resource_types.include? resource[:type].value
+      end
+    end
+
+    result=rules.map do |rule|
+      yield rule
+    end.flatten.compact
+
+    bulk_notify(hash.merge(:result => result))
+
+  end
+
+  private
+
+  # Get array of tokens between braces
+  #
+  # @param type [Symbol] Caps symbol representing type of brace (:BRACE, :BRACK, :PAREN)
+  # @param start_token [PuppetLint::Lexer::Token] Token with opening brace
+  # @return [Array] an array of matching token objects
+  def get_block_between(type,start_token)
+    token_array=[]
+    t = start_token.next_code_token
+    brack_counter=1
+    until brack_counter==0
+      brack_counter -= 1 if t.next_code_token.type == right(type)
+      brack_counter += 1 if t.next_code_token.type == left(type)
+      token_array << t
+      t = t.next_code_token
+    end
+    return token_array
+  end
+
+  # Converts brace symbol to left/opening brace (prefixes 'L')
+  #
+  # @param type [Symbol] Caps symbol representing type of brace (:BRACE, :BRACK, :PAREN)
+  # @return [Symbol] Caps symbol with prefixed 'L'
+  def left(type)
+    ("L"+type.to_s).to_sym
+  end
+
+  # Converts brace symbol to right/closing brace (prefixes 'R')
+  #
+  # @param type [Symbol] Caps symbol representing type of brace (:BRACE, :BRACK, :PAREN)
+  # @return [Symbol] Caps symbol with prefixed 'R'
+  def right(type)
+    ("R"+type.to_s).to_sym
+  end
+
+end