class SubPropertyWithListPasswordBaseRule
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 19
# Audit entry point shared by the concrete rules built on this base class.
#
# Collects every resource of +resource_type+ from the model and keeps those for
# which the list-valued +password_property+ holds an insecure value under
# +sub_property_name+ in at least one element.
#
# @param cfn_model [CfnModel] the parsed template under audit
# @return [Array] logical resource ids of the violating resources (empty when none)
def audit_impl(cfn_model)
  candidates = cfn_model.resources_by_type(resource_type)

  candidates.each_with_object([]) do |candidate, violators|
    insecure = resource_with_insecure_subproperty_within_list_property?(
      cfn_model, candidate, password_property, sub_property_name
    )
    next unless insecure

    violators << candidate.logical_resource_id
  end
end
password_property()
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 13
# Name of the list-valued resource property whose elements carry the password.
#
# Abstract: the base class has no sensible default, so calling it without an
# override is a programming error.
#
# @return [Symbol, String] in subclasses; never returns here
# @raise [RuntimeError] always, until a subclass overrides it
def password_property
  raise RuntimeError, 'must implement in subclass'
end
resource_type()
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 9
# CloudFormation resource type this rule inspects (e.g. the string passed to
# +cfn_model.resources_by_type+).
#
# Abstract: the base class has no default; subclasses must override it.
#
# @return [String] in subclasses; never returns here
# @raise [RuntimeError] always, until a subclass overrides it
def resource_type
  raise RuntimeError, 'must implement in subclass'
end
sub_property_name()
# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 17
# Key of the password field inside each element of the list property.
#
# The base implementation returns +nil+; subclasses override it with the
# element key they want inspected.
#
# @return [Symbol, String, nil] +nil+ unless overridden
def sub_property_name
  nil
end
Private Instance Methods
resource_with_insecure_subproperty_within_list_property?( cfn_model, resource, password_property, sub_property_name )
This method name is a mouthful. Consider a cfn resource with a property that is a list, like OpsworkStack::RdsDbInstances. Each element of that list includes a password property. This predicate looks for unsafe password values “down” in the elements of that list.
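# File lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb, line 38
# Does any element of the resource's list-valued +password_property+ carry an
# insecure value under +sub_property_name+?
#
# An element is insecure when its sub-value is either an insecure template
# parameter or an insecure literal / dynamic reference, as judged by the
# +insecure_parameter?+ and +insecure_string_or_dynamic_reference?+ helpers.
#
# @param cfn_model [CfnModel] the parsed template; passed through to the helpers
#   so parameter references can be resolved
# @param resource the resource under audit; must respond to +password_property+
# @param password_property [Symbol, String] name of the list-valued property on
#   +resource+ (supplied by the subclass, not read from the template)
# @param sub_property_name [Symbol, String] key of the password field inside
#   each list element
# @return [Boolean] +true+ when at least one element is insecure; +false+ when
#   the property is absent, the list is empty, or every element is secure
def resource_with_insecure_subproperty_within_list_property?(
  cfn_model, resource, password_property, sub_property_name
)
  # password_property is chosen by the rule subclass, so +send+ is not
  # dispatching on template-controlled input here.
  property_list = resource.send(password_property)
  return false unless property_list

  # NOTE(review): assumes the property resolved to an enumerable of Hash-like
  # elements; a value that is an intrinsic function (e.g. a Ref) would not
  # respond to #any? — confirm how the model represents that case upstream.
  # #any? (rather than #find) makes this a true predicate: it returns a
  # boolean instead of leaking the matching element to callers.
  property_list.any? do |property_element|
    sub_value = property_element[sub_property_name]
    insecure_parameter?(cfn_model, sub_value) ||
      insecure_string_or_dynamic_reference?(cfn_model, sub_value)
  end
end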