aws-cf-checker
Comparing version 0.5.0 to 0.6.0
@@ -13,7 +13,7 @@ /* | ||
* `allow`: (Array[Object]) List of allowed actions & resources (whitelist) | ||
* `action`: (String) IAM action (wildcard * can be used) | ||
* `resource`: (String) IAM resource (wildcard * can be used) | ||
* `action`: (String | Array[String]) IAM action (wildcard * can be used) | ||
* `resource`: (String | Array[String]) IAM resource (wildcard * can be used) | ||
* `deny`: (Array[Object]) List of denied actions & resources (blacklist) | ||
* `action`: (String) IAM action (wildcard * can be used) | ||
* `resource`: (String) IAM resource (wildcard * can be used) | ||
* `action`: (String | Array[String]) IAM action (wildcard * can be used) | ||
* `resource`: (String | Array[String]) IAM resource (wildcard * can be used) | ||
*/ | ||
@@ -39,14 +39,2 @@ | ||
function extractAllowedActions(statements) { | ||
"use strict"; | ||
return _.chain(statements) | ||
.filter(filterEffectAllow) | ||
.filter(function(statement) { | ||
return statement.Action !== undefined; | ||
}) | ||
.map("Action") | ||
.flatten() | ||
.value(); | ||
} | ||
function extractNotActions(statements) { | ||
@@ -63,14 +51,2 @@ "use strict"; | ||
function extractAllowedResources(statements) { | ||
"use strict"; | ||
return _.chain(statements) | ||
.filter(filterEffectAllow) | ||
.filter(function(statement) { | ||
return statement.Resource !== undefined; | ||
}) | ||
.map("Resource") | ||
.flatten() | ||
.value(); | ||
} | ||
function extractNotResources(statements) { | ||
@@ -101,17 +77,25 @@ "use strict"; | ||
function cross(action, resource) { | ||
function toWildcard(input) { | ||
"use strict"; | ||
if (action === undefined) { | ||
action = "*"; | ||
} else if (typeof action === "string") { | ||
action = [action]; | ||
if (input === undefined) { | ||
return "*"; | ||
} else { | ||
return input; | ||
} | ||
if (resource === undefined) { | ||
resource = "*"; | ||
} else if (typeof resource === "string") { | ||
resource = [resource]; | ||
} | ||
function toArray(input) { | ||
"use strict"; | ||
if (Array.isArray(input) === false) { | ||
return [input]; | ||
} else { | ||
return input; | ||
} | ||
} | ||
function cross(action, resource) { | ||
"use strict"; | ||
var res = []; | ||
_.each(action, function(a) { | ||
_.each(resource, function(r) { | ||
_.each(toArray(toWildcard(action)), function(a) { | ||
_.each(toArray(toWildcard(resource)), function(r) { | ||
res.push({"action": a, "resource": r}); | ||
@@ -160,3 +144,7 @@ }); | ||
if (options.allow !== undefined && _.some(options.allow, function(allow) { | ||
return wildstring.match(allow.action, pair.action) && wildstring.match(allow.resource, pair.resource); | ||
return _.some(toArray(toWildcard(allow.action)), function(action) { | ||
return wildstring.match(action, pair.action); | ||
}) && _.some(toArray(toWildcard(allow.resource)), function(resource) { | ||
return wildstring.match(resource, pair.resource); | ||
}); | ||
}) === false) { | ||
@@ -169,3 +157,7 @@ findings.push({ | ||
if (options.deny !== undefined && _.some(options.deny, function(deny) { | ||
return wildstring.match(deny.action, pair.action) && wildstring.match(deny.resource, pair.resource); | ||
return _.some(toArray(toWildcard(deny.action)), function(action) { | ||
return wildstring.match(action, pair.action); | ||
}) && _.some(toArray(toWildcard(deny.resource)), function(resource) { | ||
return wildstring.match(resource, pair.resource); | ||
}); | ||
}) === true) { | ||
@@ -179,4 +171,2 @@ findings.push({ | ||
} | ||
} | ||
@@ -183,0 +173,0 @@ _.chain(objects) |
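Review bot: In the `allow` matching at lines 77–84, `toWildcard` turns a missing `allow.action` or `allow.resource` into `"*"`, so an `allow` entry with an omitted or misspelt key (for example `actions`) silently whitelists every action on every resource and the check reports nothing; the same default in the `deny` hunk at lines 86–93 only adds findings, so the fail-open case is specific to the whitelist. Consider validating option entries before matching, e.g. `if (allow.action === undefined && allow.resource === undefined) { throw new Error("iamPolicy.allow entry must define action or resource"); }`, or at least documenting in the header comment at lines 5–14 that an omitted key means `*`. The function enclosing both matching hunks starts and ends outside the hunk. A minor tidy: `toArray(toWildcard(allow.action))` is recomputed for every `pair`, and could be hoisted once per option entry.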
{ | ||
"name": "aws-cf-checker", | ||
"version": "0.5.0", | ||
"version": "0.6.0", | ||
"description": "Checks AWS CloudFormation templates for security, reliability and conformity", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
@@ -162,6 +162,6 @@ [![Build Status](https://secure.travis-ci.org/widdix/aws-cf-checker.png)](http://travis-ci.org/widdix/aws-cf-checker) | ||
* `allow`: (Array[Object]) List of allowed actions & resources (whitelist) | ||
* `action`: (String) IAM action (wildcard * can be used) | ||
* `resource`: (String) IAM resource (wildcard * can be used) | ||
* `action`: (String | Array[String]) IAM action (wildcard * can be used) | ||
* `resource`: (String | Array[String]) IAM resource (wildcard * can be used) | ||
* `deny`: (Array[Object]) List of denied actions & resources (blacklist) | ||
* `action`: (String) IAM action (wildcard * can be used) | ||
* `resource`: (String) IAM resource (wildcard * can be used) | ||
* `action`: (String | Array[String]) IAM action (wildcard * can be used) | ||
* `resource`: (String | Array[String]) IAM resource (wildcard * can be used) |
@@ -36,3 +36,3 @@ var checker = require("../index.js"); | ||
}); | ||
it("string", function(done) { | ||
it("string in template", function(done) { | ||
test(wrap({ | ||
@@ -49,3 +49,3 @@ "Version": "2012-10-17", | ||
}); | ||
it("array", function(done) { | ||
it("array in template", function(done) { | ||
test(wrap({ | ||
@@ -64,2 +64,42 @@ "Version": "2012-10-17", | ||
}); | ||
it("string in action", function(done) { | ||
test(wrap({ | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Effect": "Allow", | ||
"Action": "s3:PutObject", | ||
"Resource": "arn:aws:s3:::name-of-bucket" | ||
}] | ||
}), {"iamPolicy": {"allow": [{"action": "s3:PutObject", "resource": "*"}]}}, 0, done); | ||
}); | ||
it("array in action", function(done) { | ||
test(wrap({ | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Effect": "Allow", | ||
"Action": "s3:PutObject", | ||
"Resource": "arn:aws:s3:::name-of-bucket" | ||
}] | ||
}), {"iamPolicy": {"allow": [{"action": ["s3:PutObject", "s3:DeleteObject"], "resource": "*"}]}}, 0, done); | ||
}); | ||
it("string in resource", function(done) { | ||
test(wrap({ | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Effect": "Allow", | ||
"Action": "s3:PutObject", | ||
"Resource": "arn:aws:s3:::name-of-bucket" | ||
}] | ||
}), {"iamPolicy": {"allow": [{"action": "*", "resource": "arn:aws:s3:::*"}]}}, 0, done); | ||
}); | ||
it("array in resource", function(done) { | ||
test(wrap({ | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Effect": "Allow", | ||
"Action": "s3:PutObject", | ||
"Resource": "arn:aws:s3:::name-of-bucket" | ||
}] | ||
}), {"iamPolicy": {"allow": [{"action": "*", "resource": ["arn:aws:s3:::*", "arn:aws:ec2:*:*"]}]}}, 0, done); | ||
}); | ||
describe("allow", function() { | ||
@@ -66,0 +106,0 @@ it("allow specific s3 bucket", function(done) { |
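Review bot: The four new cases at lines 127–166 all expect 0 findings (assuming the third argument to `test` is the expected finding count), so they cannot tell `_.some` over the array apart from a match on the first element only; add a negative case where no array element matches, e.g. `{"iamPolicy": {"allow": [{"action": ["s3:GetObject", "s3:DeleteObject"], "resource": "*"}]}}` against the same `s3:PutObject` statement with a non-zero expected count. The "array in resource" case at line 165 is the only one where a non-matching element (`arn:aws:ec2:*:*`) sits next to a matching one, which is the behaviour the change introduces; a one-line comment such as `// second element must not match: exercises _.some over the array` would make that intent visible. The `test` and `wrap` helpers and the enclosing `describe` start outside the hunk.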