Feature/352 allow novalue in password rules (stelligent#353)

* stelligent#352 adding check to verify if reference is to NoValue

* stelligent#352 adding corresponding template file and spec test

* stelligent#352 using more descriptive template file name and ensuring that the proper reference is returned from the !If intrinsic function

* stelligent#352 swapping to use the True return value from the !If intrinsic function

* stelligent#352 satisfying rubocop and splitting up if statements

lib/cfn-nag/util/enforce_reference_parameter.rb

@@ -2,8 +2,8 @@
 
 require 'cfn-nag/util/truthy.rb'
 
-# Returns false if the provided key_to_check is a no-echo parameter
-# without a default value; true otherwise.
+# Returns false if the provided key_to_check is a no-echo parameter without a
+# default value, or pseudo parameter reference to 'AWS::NoValue'; true otherwise.
 # Only applicable for a hash
 def insecure_parameter?(cfn_model, key_to_check)
   # We only want to perform the check against a hash
@@ -13,16 +13,21 @@ def insecure_parameter?(cfn_model, key_to_check)
   # verify that Ref is being used properly
   return false unless key_to_check.key? 'Ref'
 
-  # Check if the key parameter is Ref and if that corresponding reference is
-  # setup securely by stating NoEcho=true & Default is not present
-  if cfn_model.parameters.key? key_to_check['Ref']
-    parameter = cfn_model.parameters[key_to_check['Ref']]
-    if truthy?(parameter.noEcho) && parameter.default.nil?
-      return false
-    end
-  end
+  # Check if the property is a pseudo parameter reference to 'AWS::NoValue'
+  return false if key_to_check['Ref'] == 'AWS::NoValue'
+
+  # Run 'no_echo_and_no_default_parameter_check' if the key parameter is Ref
+  return no_echo_and_no_default_parameter_check(cfn_model, key_to_check) if
+    cfn_model.parameters.key? key_to_check['Ref']
 
   # Return true if key_to_check is a hash and/or a key Ref that does not have
   # the NoEcho parameter set to true and a Default parameter that is not nil
   true
 end
+
+# Returns false if the parameter is setup securely by stating NoEcho=true & Default
+# is not present; otherwise returns true
+def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
+  parameter = cfn_model.parameters[key_to_check['Ref']]
+  truthy?(parameter.noEcho) && parameter.default.nil? ? false : true
+end

spec/test_templates/yaml/rds_dbcluster/rds_dbcluster_master_user_password_with_novalue_pseudo_parameter.yaml

@@ -0,0 +1,16 @@
+---
+Parameters:
+  DBClusterMasterUserPassword:
+    Type: String
+    NoEcho: True
+Conditions:
+  Foobar: foobar
+Resources:
+  RDSDBCluster:
+    Type: AWS::RDS::DBCluster
+    Properties:
+      DeletionProtection: True
+      Engine: aurora-mysql
+      MasterUserPassword: !If [ Foobar, !Ref 'AWS::NoValue', !Ref DBClusterMasterUserPassword ]
+      MasterUsername: !If [ Foobar, !Ref 'AWS::NoValue', admin ]
+      Port: 3306

spec/util/enforce_reference_parameter_spec.rb

@@ -17,6 +17,20 @@
       end
     end
 
+    it 'returns false if AWS::NoValue Pseudo Parameter is used' do
+      cfn_model = CfnParser.new.parse read_test_template(
+        'yaml/rds_dbcluster/' \
+        'rds_dbcluster_master_user_password_with_novalue_pseudo_parameter.yaml'
+      )
+      cfn_model.resources_by_type('AWS::RDS::DBCluster')
+               .select do |cluster|
+        raise "masterUserPassword shouldn't be nil" if cluster.masterUserPassword.nil?
+
+        expect(cluster.masterUserPassword).to eq "Ref"=>"AWS::NoValue"
+        expect(insecure_parameter?(cfn_model, cluster.masterUserPassword)).to eq false
+      end
+    end
+
     it 'returns true if there is a problem' do
       cfn_model = CfnParser.new.parse read_test_template(
         'yaml/rds_dbcluster/' \