Module: Rule

Included in:

CfnNag

Defined in:

lib/rule.rb

Instance Attribute Summary

• #input_json_path ⇒ Object

  Returns the value of attribute input_json_path.

Class Method Summary

• .count_failures(violations) ⇒ Object
• .count_warnings(violations) ⇒ Object
• .empty?(array) ⇒ Boolean

Instance Method Summary

• #add_violation(type:, message:, logical_resource_ids: nil, violating_code: nil) ⇒ Object
• #assertion(jq:, message:) ⇒ Object
• #fatal_assertion(jq:, message:) ⇒ Object
• #fatal_violation(jq:, message:) ⇒ Object
• #raw_fatal_assertion(jq:, message:) ⇒ Object
• #raw_fatal_violation(jq:, message:) ⇒ Object
• #resources ⇒ Object

  jq preamble to spit out Resources but as an array of key-value pairs can be used in jq rule definition but…

• #resources_by_type(resource) ⇒ Object

  jq to filter Cloudformation resources by Type can be used in jq rule definition but…

• #violation(jq:, message:) ⇒ Object
• #warning(jq:, message:) ⇒ Object

Instance Attribute Details

#input_json_path ⇒ Object

Returns the value of attribute input_json_path.

# File 'lib/rule.rb', line 5

def input_json_path
  @input_json_path
end

Class Method Details

.count_failures(violations) ⇒ Object

# File 'lib/rule.rb', line 98

def self.count_failures(violations)
  violations.inject(0) do |count, violation|
    if violation.type == Violation::FAILING_VIOLATION
      if empty?(violation.logical_resource_ids)
        count += 1
      else
        count += violation.logical_resource_ids.size
      end
    end
    count
  end
end

.count_warnings(violations) ⇒ Object

# File 'lib/rule.rb', line 85

def self.count_warnings(violations)
  violations.inject(0) do |count, violation|
    if violation.type == Violation::WARNING
      if empty?(violation.logical_resource_ids)
        count += 1
      else
        count += violation.logical_resource_ids.size
      end
    end
    count
  end
end

.empty?(array) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/rule.rb', line 81

def self.empty?(array)
  array.nil? or array.size ==0
end

Instance Method Details

#add_violation(type:, message:, logical_resource_ids: nil, violating_code: nil) ⇒ Object

# File 'lib/rule.rb', line 111

def add_violation(type:,
                  message:,
                  logical_resource_ids: nil,
                  violating_code: nil)
  violation = Violation.new(type: type,
                            message: message,
                            logical_resource_ids: logical_resource_ids,
                            violating_code: violating_code)
  @violations << violation
end

#assertion(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 75

def assertion(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: false,
               message: message)
end

#fatal_assertion(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 47

def fatal_assertion(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: false,
               fatal: true,
               message: message)
end

#fatal_violation(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 62

def fatal_violation(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: true,
               fatal: true,
               message: message)
end

#raw_fatal_assertion(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 39

def raw_fatal_assertion(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: false,
               fatal: true,
               message: message,
               raw: true)
end

#raw_fatal_violation(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 54

def raw_fatal_violation(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: true,
               fatal: true,
               message: message,
               raw: true)
end

#resources ⇒ Object

jq preamble to spit out Resources but as an array of key-value pairs can be used in jq rule definition but… this is probably reducing replication at the cost of opaqueness

# File 'lib/rule.rb', line 9

def resources
  '.Resources|with_entries(.value.LogicalResourceId = .key)[]'
end

#resources_by_type(resource) ⇒ Object

jq to filter Cloudformation resources by Type can be used in jq rule definition but… this is probably reducing replication at the cost of opaqueness

# File 'lib/rule.rb', line 15

def resources_by_type(resource)
  "#{resources}| select(.Type == \"#{resource}\")"
end

#violation(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 69

def violation(jq:, message:)
  failing_rule(jq_expression: jq,
               fail_if_found: true,
               message: message)
end

#warning(jq:, message:) ⇒ Object

# File 'lib/rule.rb', line 19

def warning(jq:, message:)
  @warning_registry << message

  return if @stop_processing

  Logging.logger['log'].debug jq

  stdout = jq_command(@input_json_path, jq)
  result = $?.exitstatus
  scrape_jq_output_for_error(jq, stdout)

  resource_ids = parse_logical_resource_ids(stdout)
  new_warnings = resource_ids.size
  if result == 0 and new_warnings > 0
    add_violation(type: Violation::WARNING,
                  message: message,
                  logical_resource_ids: resource_ids)
  end
end