
aws-cf-checker - npm Package Compare versions

Comparing version 0.7.0 to 1.0.0

test/.jshintrc

4

check/iamInlinePolicy.js

@@ -9,2 +9,3 @@ /*

*/
"use strict";

@@ -14,3 +15,2 @@ var _ = require("lodash");

function filterPartResource(object) {
"use strict";
return object.Part === "Resource";

@@ -20,3 +20,2 @@ }

function filterTypeIamEntity(object) {
"use strict";
return object.Type === "AWS::IAM::Group" || object.Type === "AWS::IAM::Role" || object.Type === "AWS::IAM::User" || object.Type === "AWS::IAM::Policy";

@@ -26,3 +25,2 @@ }

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];

@@ -29,0 +27,0 @@ function checker(object) {

@@ -9,2 +9,3 @@ /*

*/
"use strict";

@@ -15,3 +16,2 @@ var _ = require("lodash");

function filterPartResource(object) {
"use strict";
return object.Part === "Resource";

@@ -21,3 +21,2 @@ }

function filterTypeIamEntity(object) {
"use strict";
return object.Type === "AWS::IAM::Group" || object.Type === "AWS::IAM::Role" || object.Type === "AWS::IAM::User";

@@ -27,3 +26,2 @@ }

function extractManagedPolicyARNs(object) {
"use strict";
return object.Properties.ManagedPolicyArns;
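Review bot: `object.Properties.ManagedPolicyArns` on the return line of extractManagedPolicyARNs assumes every Group/Role/User resource that passes the type filter has a Properties block, but an `AWS::IAM::Group` may be declared without one (all of its CloudFormation properties are optional), and the check would then throw a TypeError instead of reporting or skipping. A guard such as `return (object.Properties || {}).ManagedPolicyArns;` yields the same undefined the caller already has to handle for a Role without that property, whatever that handling looks like outside the hunk. The function's closing brace is outside the hunk.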

@@ -33,3 +31,2 @@ }

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];

@@ -36,0 +33,0 @@ function checker(object) {

@@ -7,4 +7,3 @@ /*

If you `deny` something, everything that is not denied is allowed.
If you `allow` something, everything that is not allowed is denied.
By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

@@ -20,2 +19,3 @@ Options: (Object)

*/
"use strict";

@@ -26,3 +26,2 @@ var _ = require("lodash");

function filterPartResource(object) {
"use strict";
return object.Part === "Resource";

@@ -32,3 +31,2 @@ }

function filterTypeIamEntity(object) {
"use strict";
return object.Type === "AWS::IAM::Group" || object.Type === "AWS::IAM::Role" || object.Type === "AWS::IAM::User" || object.Type === "AWS::IAM::Policy" || "AWS::IAM::ManagedPolicy";
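Review bot: The last operand of the return in filterTypeIamEntity is the bare string literal `"AWS::IAM::ManagedPolicy"` rather than a comparison, so the whole `||` chain is truthy for every object and the filter never excludes a resource; the line is unchanged context, but a commit that tightens the allow/deny semantics of this check is the natural place to fix it. The intended form is `|| object.Type === "AWS::IAM::ManagedPolicy"`. As it stands every Resource reaches extractStatements, and what happens to the non-IAM types depends on code outside the hunk (only the Policy and ManagedPolicy branch is visible). The function's closing brace is outside the hunk.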

@@ -38,3 +36,2 @@ }

function filterEffectAllow(statement) {
"use strict";
return statement.Effect === "Allow";

@@ -44,3 +41,2 @@ }

function extractNotActions(statements) {
"use strict";
return _.chain(statements)

@@ -56,3 +52,2 @@ .filter(function(statement) {

function extractNotResources(statements) {
"use strict";
return _.chain(statements)

@@ -68,3 +63,2 @@ .filter(function(statement) {

function extractStatements(object) {
"use strict";
if (object.Type === "AWS::IAM::Policy" || object.Type === "AWS::IAM::ManagedPolicy") {

@@ -83,3 +77,2 @@ return object.Properties.PolicyDocument.Statement;

function toWildcard(input) {
"use strict";
if (input === undefined) {

@@ -93,3 +86,2 @@ return "*";

function toArray(input) {
"use strict";
if (Array.isArray(input) === false) {

@@ -103,3 +95,2 @@ return [input];

function cross(action, resource) {
"use strict";
var res = [];

@@ -116,3 +107,2 @@ _.each(toArray(toWildcard(action)), function(a) {

function extractAllowedActionResourcePairs(statements) {
"use strict";
return _.chain(statements)

@@ -128,3 +118,2 @@ .filter(filterEffectAllow)

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];

@@ -152,3 +141,3 @@ function checker(object) {

_.each(allowedActionResourcePairs, function(pair) {
if (options.allow !== undefined && _.some(options.allow, function(allow) {
if (_.some(options.allow, function(allow) {
return _.some(toArray(toWildcard(allow.action)), function(allowAction) {
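Review bot: The allow entries are treated as objects on the `toArray(toWildcard(allow.action))` line (and presumably `allow.resource` below it), yet the updated tests in this compare pass `"allow": ["*"]`, a plain string: its `.action` is undefined, toWildcard turns that into `"*"`, and the test passes for the wrong reason. Any string entry, `"s3:*"` included, would allow every action and every resource, so a user who writes the string form gets a silently permissive policy check. Normalise or validate once at the top of `exports.check` before the pairs are compared, e.g. `typeof entry === "string" ? {action: entry, resource: "*"} : entry`, or report a malformed entry through `cb(new Error(...))`; the deny hunk directly below (`toWildcard(deny.action)`) has the same issue. Dropping the `options.allow !== undefined` guard is consistent with the implicit-deny wording in the header comment, since `_.some(undefined, ...)` is false. The enclosing checker function starts and ends outside the hunk.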

@@ -165,3 +154,3 @@ return wildstring.match(allowAction, pair.action);

}
if (options.deny !== undefined && _.some(options.deny, function(deny) {
if (_.some(options.deny, function(deny) {
return _.some(toArray(toWildcard(deny.action)), function(denyAction) {

@@ -168,0 +157,0 @@ return wildstring.match(denyAction, pair.action);

@@ -8,2 +8,3 @@ /*

*/
"use strict";

@@ -18,3 +19,2 @@ var _ = require("lodash");

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];

@@ -21,0 +21,0 @@ var c = options["case"] || "pascal";

/*
Checks if the resource types are allowed in the template. Wildcard * is supported.
If you `deny` something, everything that is not denied is allowed.
If you `allow` something, everything that is not allowed is denied.
By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

@@ -12,2 +11,3 @@ Options: (Object)

*/
"use strict";

@@ -18,3 +18,2 @@ var _ = require("lodash");

function filterPartResource(object) {
"use strict";
return object.Part === "Resource";

@@ -24,6 +23,5 @@ }

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];
function checker(object) {
if (options.allow !== undefined && _.some(options.allow, function(allow) {
if (_.some(options.allow, function(allow) {
return wildstring.match(allow, object.Type);

@@ -36,3 +34,3 @@ }) === false) {

}
if (options.deny !== undefined && _.some(options.deny, function(deny) {
if (_.some(options.deny, function(deny) {
return wildstring.match(deny, object.Type);

@@ -39,0 +37,0 @@ }) === true) {

@@ -34,2 +34,3 @@ /*

// TODO it should be possible to allow or deny ports in the options
"use strict";

@@ -40,3 +41,2 @@ var _ = require("lodash");

function filterPartResource(object) {
"use strict";
return object.Part === "Resource";

@@ -46,3 +46,2 @@ }

function filterTypeSecurityGroup(object) {
"use strict";
return object.Type === "AWS::EC2::SecurityGroup";

@@ -52,3 +51,2 @@ }

function filterTypeSecurityGroupIngress(object) {
"use strict";
return object.Type === "AWS::EC2::SecurityGroupIngress";

@@ -58,3 +56,2 @@ }

function mapRef(entry) {
"use strict";
return entry.Ref;
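Review bot: mapRef reads only `entry.Ref`, so a security-group attachment expressed through another intrinsic (for VPC groups `{"Fn::GetAtt": [name, "GroupId"]}` is the usual alternative to Ref) maps to undefined and, as far as the visible hunks show, falls out of the matching in findSecurityGroupAttachments; a public attachment written that way would then not be analysed at all. If that form is meant to be supported, `return entry.Ref || (entry["Fn::GetAtt"] && entry["Fn::GetAtt"][0]);` resolves it to the same logical name; if not, a one-line comment on mapRef stating that only `Ref` is resolved would stop the next reader from assuming otherwise. The function's closing brace is outside the hunk.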

@@ -64,3 +61,2 @@ }

function normalizeSecurityGroupAttachmentIds(propertyName) {
"use strict";
return function(object) {

@@ -75,3 +71,2 @@ if (object.Properties[propertyName] === undefined) {

function alwaysPrivate(object) {
"use strict";
return false;

@@ -85,3 +80,2 @@ }

"isPublicFun": function(object) {
"use strict";
if(object.Properties.Scheme === "internal") {

@@ -119,3 +113,2 @@ return false;

"normalizationFun": function(object) {
"use strict";
if (object.Properties.NetworkInterfaces) {

@@ -139,3 +132,2 @@ return _.chain(object.Properties.NetworkInterfaces)

"normalizationFun": function(object) {
"use strict";
return _.chain(object.Properties.SpotFleetRequestConfigData.LaunchSpecifications)

@@ -160,3 +152,2 @@ .map("SecurityGroups")

function findSecurityGroupAttachments(objects, securityGroupObject) {
"use strict";
return _.chain(objects)

@@ -180,3 +171,2 @@ .filter(filterPartResource)

function extractIngressRules(objects, securityGroupObject) {
"use strict";
return _.chain(objects)

@@ -195,3 +185,2 @@ .filter(filterPartResource)

function hasPublicAttachments(attachments) {
"use strict";
return _.chain(attachments)

@@ -206,3 +195,2 @@ .find(function(attachment) {

function hasPrivateAttachments(attachments) {
"use strict";
return _.chain(attachments)

@@ -217,3 +205,2 @@ .find(function(attachment) {

function hasPublicRules(rules) {
"use strict";
return _.chain(rules)

@@ -230,3 +217,2 @@ .find(function(rule) {

function hasPrivateRules(rules) {
"use strict";
return _.chain(rules)

@@ -243,3 +229,2 @@ .find(function(rule) {

exports.check = function(objects, options, cb) {
"use strict";
var findings = [];

@@ -246,0 +231,0 @@ function checker(object) {

#!/usr/bin/env node
"use strict";
var checker = require("./index.js");

@@ -7,3 +9,2 @@ var fs = require("fs");

function checkCallback(err, findings) {
"use strict";
if (err) {

@@ -23,3 +24,2 @@ console.error(err.message);

function checkFile(file, options) {
"use strict";
checker.checkFile(file, options, checkCallback);

@@ -29,3 +29,2 @@ }

function checkJSON(json, options) {
"use strict";
checker.checkTemplate(JSON.parse(json), options, checkCallback);

@@ -47,9 +46,7 @@ }

process.stdin.on("data", function(chunk) {
"use strict";
data += chunk;
});
process.stdin.on("end", function() {
"use strict";
checkJSON(data, checks);
});
}

@@ -0,6 +1,8 @@

"use strict";
var fs = require("fs");
var _ = require("lodash");
var async = require("neo-async");
function loadJSONFile(filename, cb) {
"use strict";
fs.readFile(filename, {"encoding": "utf8"}, cb);

@@ -10,3 +12,2 @@ }

function parseJSON(json, cb) {
"use strict";
cb(null, JSON.parse(json));
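Review bot: `JSON.parse(json)` on the `cb(null, JSON.parse(json));` line can throw, and since parseJSON is presumably reached from inside the fs.readFile callback in loadJSONFile, a malformed template file becomes an uncaught exception rather than an error delivered to the caller's callback. Parse first and report through cb, keeping the success call outside the try so an exception thrown by the callback itself is not mistaken for a parse error and cb is not invoked twice: `var parsed; try { parsed = JSON.parse(json); } catch (err) { cb(err); return; } cb(null, parsed);`. The CLI's checkJSON has the same pattern on stdin data (`checker.checkTemplate(JSON.parse(json), options, checkCallback)`) and could route the failure to checkCallback the same way.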

@@ -16,3 +17,2 @@ }

function clone(obj) {
"use strict";
return JSON.parse(JSON.stringify(obj));

@@ -22,3 +22,2 @@ }

function mapTemplate(template, cb) {
"use strict";
var objects = [];

@@ -42,21 +41,27 @@ function mapper(part) {

function runChecks(objects, checks, cb) {
"use strict";
var findings = [];
function checkCallback(err, checkFindings) {
async.map(Object.keys(checks), function(check, cb) {
var required;
try {
required = require("./check/" + check + ".js");
} catch (err) {
cb(err);
return;
}
required.check(objects, checks[check], function(err, findings) {
if (err) {
cb(err);
} else {
cb(null, findings);
}
});
}, function(err, nestedFindings) {
if (err) {
return cb(err);
cb(err);
} else {
findings = findings.concat(checkFindings);
cb(null, _.flatten(nestedFindings));
}
}
for (var check in checks) {
if (checks.hasOwnProperty(check)) {
require("./check/" + check + ".js").check(objects, checks[check], checkCallback);
}
}
cb(null, findings);
});
}
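Review bot: The module path on the `required = require("./check/" + check + ".js")` line is built from the keys of the caller-supplied `checks` object, so a key containing a path separator or `..` resolves to a module outside the check directory; the new try/catch only reports failed loads, not unintended ones, and the old loop had the same construction. Validate the name before the require, e.g. `if (!/^[A-Za-z0-9]+$/.test(check)) { cb(new Error("unknown check: " + check)); return; }` — the "missing check" test added elsewhere in this compare still passes because it only looks for an error. The iterator's `cb` parameter and the `findings` parameter of the check callback shadow the outer `cb` and `findings`; renaming them (`next`, `checkFindings`) would make the two completion paths easier to follow, and if the outer `var findings = [];` survives the hunk it is now unused.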
function checkTemplate(template, checks, cb) {
"use strict";
mapTemplate(template, function(err, objects) {

@@ -74,3 +79,2 @@ if (err) {

exports.checkFile = function(filename, checks, cb) {
"use strict";
loadJSONFile(filename, function(err, json) {

@@ -77,0 +81,0 @@ if (err) {

@@ -0,1 +1,3 @@

"use strict";
var _ = require("lodash");

@@ -11,3 +13,2 @@ var Netmask = require("netmask").Netmask;

module.exports = function(rangeOrAddress) {
"use strict";
var block;
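Review bot: `rangeOrAddress.indexOf("/")` on the hunk's trailing context line is the first use of the argument and there is no type guard in the visible lines, so if a caller ever passes a non-string — a CloudFormation `CidrIp` can be an intrinsic such as `{"Ref": "..."}`, should the security-group check forward values unchanged — the result is a TypeError thrown from inside a check rather than a finding. If that input is reachable, begin with `if (typeof rangeOrAddress !== "string") { return false; }` (or whatever value the function uses for "not a private range"; the body is outside the hunk). The rest of the function is outside the hunk.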

@@ -14,0 +15,0 @@ if (rangeOrAddress.indexOf("/") !== -1) {

{
"name": "aws-cf-checker",
"version": "0.7.0",
"version": "1.0.0",
"description": "Checks AWS CloudFormation templates for security, reliability and conformity",

@@ -16,16 +16,20 @@ "keywords": [

"author": "Michael Wittig <michael@widdix.de>",
"contributors": ["Andreas Wittig <andreas@widdix.de>"],
"contributors": [
"Andreas Wittig <andreas@widdix.de>"
],
"license": "MIT",
"dependencies": {
"lodash": "3.10.1",
"lodash": "4.13.1",
"minimist": "1.2.0",
"netmask": "1.0.5",
"neo-async": "1.8.2",
"netmask": "1.0.6",
"wildstring": "1.0.8"
},
"devDependencies": {
"assert-plus": "0.1.5",
"mocha": "2.3.3",
"jshint": "2.8.0",
"madge": "0.5.0",
"npmedge": "0.2.2"
"assert-plus": "1.0.0",
"mocha": "2.5.3",
"jshint": "2.9.2",
"madge": "0.5.3",
"npmedge": "0.2.2",
"istanbul": "0.4.3"
},
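Review bot: `"lodash": "4.13.1"` is a major jump from 3.10.1 on an exactly pinned dependency, and the check modules lean on lodash chaining, property-shorthand iteratees (`.map("SecurityGroups")`) and `_.flatten`, so the upgrade is only as safe as the test coverage of every check module; lodash 4 removed or renamed several 3.x helpers, and any use of them in files this compare does not show would only surface at runtime. Exact pinning is good for reproducibility (the new runtime dependency `neo-async` is pinned the same way), but it also means later 4.x releases are never picked up automatically — from memory, later 4.17.x releases carried fixes for prototype-pollution issues in the deep-merge family of helpers, none of which the visible code uses — so a periodic dependency audit is worth noting rather than a blocker here.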

@@ -32,0 +36,0 @@ "repository": {

@@ -101,4 +101,3 @@ [![Build Status](https://secure.travis-ci.org/widdix/aws-cf-checker.png)](http://travis-ci.org/widdix/aws-cf-checker)

If you `deny` something, everything that is not denied is allowed.
If you `allow` something, everything that is not allowed is denied.
By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

@@ -157,4 +156,3 @@ Options: (Object)

If you `deny` something, everything that is not denied is allowed.
If you `allow` something, everything that is not allowed is denied.
By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

@@ -161,0 +159,0 @@ Options: (Object)

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -47,3 +49,3 @@ var assert = require("assert-plus");

});
it("with allowed inline policy", function(done) {
it("with allowed inline policy", function(done) {
test({

@@ -70,2 +72,24 @@ "Resources": {

});
it("with default", function(done) {
test({
"Resources": {
"Test": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
}]
}
}
}
}
}, {"iamInlinePolicy": true}, 0, done);
});
});

@@ -72,0 +96,0 @@ describe("User", function() {

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -61,2 +63,14 @@ var assert = require("assert-plus");

});
it("one policy attached, allow []", function(done) {
test({
"Resources": {
"Test": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
}
}
}, {"iamManagedPolicy": {allow: []}}, 1, done);
});
it("two policies attached, allow [*]", function(done) {

@@ -147,2 +161,14 @@ test({

});
it("one policy attached, deny []", function(done) {
test({
"Resources": {
"Test": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"]
}
}
}
}, {"iamManagedPolicy": {deny: []}}, 0, done);
});
it("one policy attached, deny [*]", function(done) {

@@ -149,0 +175,0 @@ test({

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -116,3 +118,3 @@ var assert = require("assert-plus");

});
describe("deny", function() {
describe("explicit deny", function() {
it("deny all s3 buckets", function(done) {

@@ -128,3 +130,3 @@ test(wrap({

}]
}), {"iamPolicy": {"deny": [{"action": "s3:*", "resource": "arn:aws:s3:::*"}]}}, 1, done);
}), {"iamPolicy": {"allow": ["*"], "deny": [{"action": "s3:*", "resource": "arn:aws:s3:::*"}]}}, 1, done);
});

@@ -270,3 +272,47 @@ });

});
describe("deny", function() {
describe("explicit deny", function() {
it("empty", function(done) {
test({
"Resources": {
}
}, {"iamPolicy": {}}, 0, done);
});
it("nothing allowed", function(done) {
test(wrap({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "*"
}]
}), {"iamPolicy": {}}, 1, done);
});
it("allow wildcard does not match", function(done) {
test(wrap({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "*"
}]
}), {"iamPolicy": {"allow": [{"action": "ec2:*", "resource": "*"}]}}, 1, done);
});
it("allow wildcard does match", function(done) {
test(wrap({
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "*"
}]
}), {"iamPolicy": {"allow": [{"action": "s3:*", "resource": "*"}]}}, 0, done);
});
});
describe("explicit deny", function() {
it("wildcard", function(done) {

@@ -282,3 +328,3 @@ test(wrap({

}]
}), {"iamPolicy": {"deny": [{"action": "s3:*", "resource": "*"}]}}, 1, done);
}), {"iamPolicy": {"allow": ["*"], "deny": [{"action": "s3:*", "resource": "*"}]}}, 1, done);
});

@@ -295,3 +341,3 @@ it("denied action in one statement with one action", function(done) {

}]
}), {"iamPolicy": {"deny": [{"action": "s3:GetObject", "resource": "*"}]}}, 1, done);
}), {"iamPolicy": {"allow": ["*"], "deny": [{"action": "s3:GetObject", "resource": "*"}]}}, 1, done);
});

@@ -308,3 +354,3 @@ it("not denied action in one statement with one action", function(done) {

}]
}), {"iamPolicy": {"deny": [{"action": "s3:GetObject", "resource": "*"}]}}, 0, done);
}), {"iamPolicy": {"allow": ["*"], "deny": [{"action": "s3:GetObject", "resource": "*"}]}}, 0, done);
});

@@ -321,3 +367,3 @@ it("ignore Effect := Deny", function(done) {

}]
}), {"iamPolicy": {"deny": []}}, 0, done);
}), {"iamPolicy": {"allow": ["*"], "deny": []}}, 0, done);
});

@@ -324,0 +370,0 @@ });

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -2,0 +4,0 @@ var assert = require("assert-plus");

@@ -0,1 +1,3 @@

"use strict";
var privateIpRange = require("../lib/privateIpRange.js");

@@ -2,0 +4,0 @@ var assert = require("assert-plus");

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -16,3 +18,3 @@ var assert = require("assert-plus");

describe("resourceType", function() {
describe("deny", function() {
describe("implicit deny", function() {
it("empty", function(done) {

@@ -24,2 +26,58 @@ test({

"resourceType": {
}
}, 0, done);
});
it("nothing allowed", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
}
}
}, {
"resourceType": {
}
}, 1, done);
});
it("allow wildcard does not match", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
}
}
}, {
"resourceType": {
"allow": ["AWS::IAM::*"]
}
}, 1, done);
});
it("allow wildcard does match", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
}
}
}, {
"resourceType": {
"allow": ["AWS::EC2::*"]
}
}, 0, done);
});
});
describe("explicit deny", function() {
it("empty", function(done) {
test({
"Resources": {
}
}, {
"resourceType": {
"allow": ["*"],
"deny": ["AWS::EC2::VPC"]

@@ -40,2 +98,3 @@ }

"resourceType": {
"allow": ["*"],
"deny": ["AWS::EC2::VPC"]

@@ -56,2 +115,3 @@ }

"resourceType": {
"allow": ["*"],
"deny": ["AWS::EC2::VPC"]

@@ -72,2 +132,3 @@ }

"resourceType": {
"allow": ["*"],
"deny": ["AWS::IAM::*"]

@@ -88,2 +149,3 @@ }

"resourceType": {
"allow": ["*"],
"deny": ["*"]

@@ -90,0 +152,0 @@ }

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -2,0 +4,0 @@ var assert = require("assert-plus");

@@ -0,1 +1,3 @@

"use strict";
var checker = require("../index.js");

@@ -5,2 +7,15 @@ var assert = require("assert-plus");

describe("templates", function() {
describe("missing check", function() {
it("check", function(done) {
checker.checkFile("./test/templates/template1.json", {
"missing": true
}, function(err, findings) {
if (err) {
done();
} else {
assert.fail();
}
});
});
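Review bot: The `if (err) { done(); }` branch accepts any error, so this test would also pass if checkFile failed for an unrelated reason (an unreadable template, a parse error), and the `assert.fail()` in the else branch throws inside an async callback without ever calling `done`, leaving mocha to attribute the failure only through its uncaught-exception handler. Route both outcomes through done and check the message Node's require produces for an unresolved path: `if (err) { return done(/Cannot find module/.test(err.message) ? null : err); } done(new Error("expected the missing check to be reported"));`. If the loader is later changed to reject malformed check names with its own error, the pattern in this test is the place to extend.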
});
describe("template0", function() {

@@ -7,0 +22,0 @@ it("check", function(done) {

