forked from aws-cloudformation/cfn-lint
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Password.py
85 lines (77 loc) · 3.65 KB
/
Password.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
import re
from cfnlint.rules import CloudFormationLintRule
from cfnlint.rules import RuleMatch
from cfnlint.helpers import REGEX_DYN_REF_SSM, REGEX_DYN_REF
class Password(CloudFormationLintRule):
"""Check if Password Properties are properly configured"""
id = 'W2501'
shortdesc = 'Check if Password Properties are correctly configured'
description = (
'Password properties should not be strings and if parameter using NoEcho'
)
source_url = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#creds'
tags = ['parameters', 'passwords', 'security', 'dynamic reference']
def match(self, cfn):
"""Check CloudFormation Password Parameters"""
matches = []
password_properties = [
'AccountPassword',
'AdminPassword',
'ADDomainJoinPassword',
'CrossRealmTrustPrincipalPassword',
'KdcAdminPassword',
'Password',
'DbPassword',
'MasterUserPassword',
'PasswordParam',
]
parameters = cfn.get_parameter_names()
fix_params = []
for password_property in password_properties:
# Build the list of refs
refs = cfn.search_deep_keys(password_property)
trees = []
for tree in refs:
if len(tree) > 2:
if tree[0] == 'Resources' and tree[2] == 'Properties':
trees.append(tree)
for tree in trees:
obj = tree[-1]
if isinstance(obj, (str)):
if re.match(REGEX_DYN_REF, obj):
if re.match(REGEX_DYN_REF_SSM, obj):
message = f'Password should use a secure dynamic reference for {"/".join(map(str, tree[:-1]))}'
matches.append(RuleMatch(tree[:-1], message))
else:
message = f'Password shouldn\'t be hardcoded for {"/".join(map(str, tree[:-1]))}'
matches.append(RuleMatch(tree[:-1], message))
elif isinstance(obj, dict):
if len(obj) == 1:
for key, value in obj.items():
if key == 'Ref':
if value in parameters:
param = cfn.template['Parameters'][value]
if 'NoEcho' in param:
if not param['NoEcho']:
fix_params.append(
{
'Name': value,
'Use': password_property,
}
)
else:
fix_params.append(
{'Name': value, 'Use': password_property}
)
else:
message = f'Inappropriate map found for password on {"/".join(map(str, tree[:-1]))}'
matches.append(RuleMatch(tree[:-1], message))
for paramname in fix_params:
message = f'Parameter {paramname["Name"]} used as {paramname["Use"]}, therefore NoEcho should be True'
tree = ['Parameters', paramname['Name']]
matches.append(RuleMatch(tree, message))
return matches