Initial commit for Issue #67 - Adding rule to check for Cognito UserP… (

#366)

#67 - Adding rule to check for Cognito UserPool MfaConfiguration set to 'ON' or 'OPTIONAL'

* cleaning up

* change rule to failing violation

* refactors

* Refactoring rule. Added util script and methods for checking if property is referencing a parameter and for getting that parameter's Default value

* #369 PRESUMING that unwrapped on/off will cause cloudformation to fail.... this hopefully simplifies the search for OFF

1. ignore a boolean parse of on/off given cfn will just blow
2. don't sweat trying to resolve parameter values from the rule - that's a job for the model.  when the cognito_user_pool_mfa_configuration_violations_all_variations_with_param_refs.yaml is parsed with parameter_value subsitution enabled... the default values of the parameter are applied.

* cleaning up

* rubocop

Co-authored-by: Eric Kascic <eric.kascic@stelligent.com>

lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class CognitoUserPoolMfaConfigurationOnorOptionalRule < BaseRule
+  def rule_text
+    "AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'"
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F51'
+  end
+
+  def audit_impl(cfn_model)
+    violating_userpools = cfn_model.resources_by_type('AWS::Cognito::UserPool').select do |userpool|
+      violating_userpool?(userpool)
+    end
+
+    violating_userpools.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_userpool?(user_pool)
+    user_pool.mfaConfiguration.to_s.casecmp('off').zero?
+  end
+end

spec/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule_spec.rb

@@ -0,0 +1,79 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule'
+
+describe CognitoUserPoolMfaConfigurationOnorOptionalRule do
+  context "Cognito UserPool with MfaConfiguration set to 'ON' (Wrapped in quotes, i.e 'ON')." do
+    it 'Returns an empty list' do
+      cfn_model = CfnParser.new.parse read_test_template(
+                                          'yaml/cognito/cognito_user_pool_mfa_configuration_on_wrapped_in_quotes.yaml'
+                                      )
+
+      actual_logical_resource_ids = CognitoUserPoolMfaConfigurationOnorOptionalRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context "Cognito UserPool with MfaConfiguration set to ON/On/on (NOT wrapped in quotes)." do
+    it 'Returns offending logical resource ids' do
+      cfn_model = CfnParser.new.parse read_test_template(
+                                          'yaml/cognito/cognito_user_pool_mfa_configuration_on_not_wrapped_in_quotes.yaml'
+                                      )
+
+      actual_logical_resource_ids = CognitoUserPoolMfaConfigurationOnorOptionalRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+  #
+  context "Cognito UserPool with MfaConfiguration set to OFF/Off/off or 'OFF'/'Off'/'off' or
+  (Wrapped/Not wrapped in quotes and/or NOT fully upper case)." do
+    it 'Returns offending logical resource ids' do
+      cfn_model = CfnParser.new.parse read_test_template(
+                                          'yaml/cognito/cognito_user_pool_mfa_configuration_off_all_variations.yaml'
+                                      )
+
+      actual_logical_resource_ids = CognitoUserPoolMfaConfigurationOnorOptionalRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[CognitoUserPool1
+                                         CognitoUserPool2
+                                         CognitoUserPool3]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context "Cognito UserPool with MfaConfiguration set to OPTIONAL/'OPTIONAL' (uppercase)." do
+    it 'Returns an empty list' do
+      cfn_model = CfnParser.new.parse read_test_template(
+                                          'yaml/cognito/cognito_user_pool_mfa_configuration_optional_uppercase.yaml'
+                                      )
+
+      actual_logical_resource_ids = CognitoUserPoolMfaConfigurationOnorOptionalRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context "Cognito UserPool with MfaConfiguration set to OFF/Off/off or 'OFF'/'Off'/'off' or
+  when referenced by parameter values (Wrapped/Not wrapped in quotes and/or NOT fully upper case)." do
+    it 'Returns offending logical resource ids' do
+      # by specifying the parameters_values_json, it means apply parameter substitution to the model
+      # this is empty, but by triggering the subsitution, it means default values are substituted where defined
+      cfn_model = CfnParser.new.parse read_test_template(
+                                          'yaml/cognito/cognito_user_pool_mfa_configuration_violations_all_variations_with_param_refs.yaml',
+                                      ),
+                                      parameter_values_json='[]'
+
+      actual_logical_resource_ids = CognitoUserPoolMfaConfigurationOnorOptionalRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[CognitoUserPool4
+                                         CognitoUserPool5
+                                         CognitoUserPool6]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+end

spec/test_templates/yaml/cognito/cognito_user_pool_mfa_configuration_off_all_variations.yaml

@@ -0,0 +1,28 @@
+---
+Resources:
+  # When specifying MfaConfiguration as ON or OFF, those values MUST be wrapped in quotes.
+  # They are reserved YAML key words and CFN will fail to deploy stack otherwise.
+  CognitoUserPool1:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'OFF'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool2:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'Off'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool3:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'off'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+

spec/test_templates/yaml/cognito/cognito_user_pool_mfa_configuration_on_not_wrapped_in_quotes.yaml

@@ -0,0 +1,19 @@
+---
+Resources:
+  # When specifying MfaConfiguration as ON or OFF, those values MUST be wrapped in quotes.
+  # They are reserved YAML key words and CFN will fail to deploy stack otherwise.
+  CognitoUserPool1:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'ON'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool2:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: ON
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'

spec/test_templates/yaml/cognito/cognito_user_pool_mfa_configuration_on_wrapped_in_quotes.yaml

@@ -0,0 +1,19 @@
+---
+Resources:
+  # When specifying MfaConfiguration as ON or OFF, those values MUST be wrapped in quotes.
+  # They are reserved YAML key words and CFN will fail to deploy stack otherwise.
+  CognitoUserPool1:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'ON'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool2:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'ON'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'

spec/test_templates/yaml/cognito/cognito_user_pool_mfa_configuration_optional_uppercase.yaml

@@ -0,0 +1,19 @@
+---
+Resources:
+  # When specifying MfaConfiguration as ON or OFF, those values MUST be wrapped in quotes.
+  # They are reserved YAML key words and CFN will fail to deploy stack otherwise.
+  CognitoUserPool1:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: 'OPTIONAL'
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool2:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: OPTIONAL
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'

spec/test_templates/yaml/cognito/cognito_user_pool_mfa_configuration_violations_all_variations_with_param_refs.yaml

@@ -0,0 +1,45 @@
+---
+Parameters:
+  CognitoUserPoolMfaConfiguration4:
+    Type: String
+    Default: 'OFF'
+    Description: Must be values of  either 'OFF | ON | OPTIONAL'
+
+  CognitoUserPoolMfaConfiguration5:
+    Type: String
+    Default: 'Off'
+    Description: Must be values of  either 'OFF | ON | OPTIONAL'
+
+  CognitoUserPoolMfaConfiguration6:
+    Type: String
+    Default: 'off'
+    Description: Must be values of  either 'OFF | ON | OPTIONAL'
+
+
+Resources:
+  # When specifying MfaConfiguration as ON or OFF, those values MUST be wrapped in quotes.
+  # They are reserved YAML key words and CFN will fail to deploy stack otherwise.
+  CognitoUserPool4:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: !Ref CognitoUserPoolMfaConfiguration4
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool5:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: !Ref CognitoUserPoolMfaConfiguration5
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+
+  CognitoUserPool6:
+    Type: AWS::Cognito::UserPool
+    Properties:
+      MfaConfiguration: !Ref CognitoUserPoolMfaConfiguration6
+      # The below property is required when specifying ON/OPTIONAL for MfaConfiguration
+      SmsConfiguration:
+        SnsCallerArn: 'arn:aws:iam::12345678910:role/service-role/test-cognito-SMS-Role'
+