Clap4 (#336)

* init commit, bumped up clap to 3.0 * cargo audit for CI * reverting last commit + changing cargo-audit to not be part of build step, only ran every night * init commit bumping up to clap4 * cleaning some code up * temp commit * rebasing + fixing small bug * cleanup * adding help messages * adding more tests for test_command * more tests for prev engine * improving code style * typo * fixed unecessary match * cleaning up test command * fixes as per comments * fixes as per comments * fixed failing build
aws-cloudformation · Feb 24, 2023 · 25fd2ec · 25fd2ec
1 parent db43976
commit 25fd2ec
Show file tree

Hide file tree

Showing 20 changed files with 987 additions and 242 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/guard/Cargo.toml b/guard/Cargo.toml
@@ -20,7 +20,7 @@ crate-type = ["rlib"]
 nom = "5.1.2"
 nom_locate = "2.0.0"
 indexmap = { version = "1.6.0", features = ["serde-1"] }
-clap = "3.0.0"
+clap = "4.1.4"
 strip-ansi-escapes = "0.1.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_yaml = "0.9.10"

diff --git a/guard/resources/test-command/dir/s3_bucket_logging_enabled.guard b/guard/resources/test-command/dir/s3_bucket_logging_enabled.guard
@@ -0,0 +1,41 @@
+#
+#####################################
+##           Gherkin               ##
+#####################################
+# Rule Identifier:
+#    S3_BUCKET_LOGGING_ENABLED
+#
+# Description:
+#   Checks whether logging is enabled for your S3 buckets.
+#
+# Reports on:
+#    AWS::S3::Bucket
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# Scenarios:
+# a) SKIP: when there are no S3 resource present
+# b) PASS: when all S3 resources Logging Configuration exists
+# c) FAIL: when all S3 resources have Logging Configuration is not set
+# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_LOGGING_ENABLED
+
+#
+# Select all S3 resources from incoming template (payload)
+#
+
+let s3_buckets_bucket_logging_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_LOGGING_ENABLED"
+]
+
+rule S3_BUCKET_LOGGING_ENABLED when %s3_buckets_bucket_logging_enabled  !empty {
+  %s3_buckets_bucket_logging_enabled.Properties.LoggingConfiguration exists
+  <<
+    Violation: S3 Bucket Logging needs to be configured to enable logging.
+    Fix: Set the S3 Bucket property LoggingConfiguration to start logging into S3 bucket.
+  >>
+}
diff --git a/guard/resources/test-command/dir/s3_bucket_server_side_encryption_enabled.guard b/guard/resources/test-command/dir/s3_bucket_server_side_encryption_enabled.guard
@@ -0,0 +1,13 @@
+let s3_buckets_server_side_encryption = Resources.*[ Type == 'AWS::S3::Bucket'
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
+]
+
+rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED when %s3_buckets_server_side_encryption !empty {
+  %s3_buckets_server_side_encryption.Properties.BucketEncryption exists
+  %s3_buckets_server_side_encryption.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ["aws:kms","AES256"]
+  <<
+    Violation: S3 Bucket must enable server-side encryption.
+    Fix: Set the S3 Bucket property BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256"
+  >>
+}
diff --git a/guard/resources/test-command/dir/tests/s3_bucket_logging_enabled_tests.yaml b/guard/resources/test-command/dir/tests/s3_bucket_logging_enabled_tests.yaml
@@ -0,0 +1,58 @@
+###
+# S3_BUCKET_LOGGING_ENABLED tests
+###
+---
+- name: Empty, SKIP
+  input: {}
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: SKIP
+
+- name: No resources, SKIP
+  input:
+    Resources: {}
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: SKIP
+
+- name: S3 Bucket with Logging Configuration present in resource, PASS
+  input:
+    Resources:
+      ExampleS3:
+        Type: AWS::S3::Bucket
+        Properties:
+          BucketName: my-bucket
+          VersioningConfiguration:
+            Status: Enabled
+          LoggingConfiguration:
+            DestinationBucketName: !Ref LoggingBucket
+            LogFilePrefix: testing-logs
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: PASS
+
+- name: S3 Bucket with Logging Configuration missing, FAIL
+  input:
+    Resources:
+      ExampleS3:
+        Type: AWS::S3::Bucket
+        Properties:
+          BucketName: my-bucket
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: FAIL
+
+- name: S3 Bucket with Logging Configuration missing with suppression, SKIP
+  input:
+    Resources:
+      ExampleS3:
+        Type: AWS::S3::Bucket
+        Metadata:
+          guard:
+            SuppressedRules:
+              - S3_BUCKET_LOGGING_ENABLED
+        Properties:
+          BucketName: my-bucket
+  expectations:
+    rules:
+      S3_BUCKET_LOGGING_ENABLED: SKIP