class SubPropertyWithListPasswordBaseRule

Public Instance Methods

# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 19
# Collect the logical ids of every resource of +resource_type+ whose
# +password_property+ list contains an element with an insecure
# +sub_property_name+ value. Subclasses supply the three hook methods;
# the per-resource decision is made by the private predicate below.
#
# @param cfn_model the parsed template (only +resources_by_type+ is used here)
# @return [Array<String>] logical resource ids of the violating resources
def audit_impl(cfn_model)
  cfn_model
    .resources_by_type(resource_type)
    .select do |candidate|
      resource_with_insecure_subproperty_within_list_property?(
        cfn_model, candidate, password_property, sub_property_name
      )
    end
    .map(&:logical_resource_id)
end
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 13
# Hook: the name of the list-valued property (sent to the resource with
# +send+) whose elements carry the password sub-property. Abstract here;
# a subclass must override it. Raises RuntimeError if not overridden.
def password_property
  raise RuntimeError, 'must implement in subclass'
end
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 9
# Hook: the CloudFormation resource type this rule audits (passed to
# +resources_by_type+). Abstract here; a subclass must override it.
# Raises RuntimeError if not overridden.
def resource_type
  raise RuntimeError, 'must implement in subclass'
end
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 17
# Hook: the key looked up in each list element to find the password value.
# Defaults to nil, so a subclass that does not override it will index
# every element with nil and flag nothing.
def sub_property_name
  nil
end

Private Instance Methods


This method name is a mouthful. Consider a CFN resource with a property that is a list, like OpsworkStack::RdsDbInstances. Each element of that list carries a password sub-property. This predicate looks for unsafe password values “down” inside the elements of that list.

# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 38
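# True when +resource+'s +password_property+ (a list-valued property) holds
# at least one element whose +sub_property_name+ value is judged insecure
# by +insecure_parameter?+ or +insecure_string_or_dynamic_reference?+
# (both mixed in from outside this file).
#
# Returns a real boolean via +any?+ instead of leaking the offending
# element (the previous +find+ form returned the element or nil).
#
# Only an Array is walked: a missing property, or one whose whole value is
# a single Hash (e.g. an intrinsic such as Fn::If) or a String, yields
# false rather than raising — Hash#find yields [key, value] pairs and
# indexing such a pair with a String key raises TypeError. The same guard
# is applied per element, since a bare String element indexed with the
# sub-property name returns a substring instead of a password value.
# NOTE(review): intrinsic-valued lists are therefore not inspected at all;
# a template that hides the list behind Fn::If will not be flagged here.
#
# @param cfn_model the parsed template, forwarded to the insecure-* helpers
# @param resource a resource exposing +password_property+ via +send+
# @param password_property [Symbol, String] accessor name of the list property
# @param sub_property_name [String, nil] key of the password inside each element
# @return [Boolean]
def resource_with_insecure_subproperty_within_list_property?(
  cfn_model, resource, password_property, sub_property_name
)
  property_list = resource.send(password_property)
  return false unless property_list.is_a?(Array)

  property_list.any? do |property_element|
    # Skip elements that are not hash-like; String#[] / Array#[] with a
    # String key do not mean "look up the sub-property".
    next false unless property_element.is_a?(Hash)

    sub_value = property_element[sub_property_name]
    insecure_parameter?(cfn_model, sub_value) ||
      insecure_string_or_dynamic_reference?(cfn_model, sub_value)
  end
end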