"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
import regex as re
from cfnlint.helpers import RESOURCE_SPECS
from cfnlint.rules import CloudFormationLintRule, RuleMatch
class AllowedPattern(CloudFormationLintRule):
"""Check if properties have a valid value"""
id = "E3031"
shortdesc = "Check if property values adhere to a specific pattern"
description = "Check if properties have a valid value in case of a pattern (Regular Expression)"
source_url = "https://github.com/awslabs/cfn-python-lint/blob/main/docs/cfn-resource-specification.md#allowedpattern"
tags = ["resources", "property", "allowed pattern", "regex"]
def __init__(self):
"""Init"""
super().__init__()
self.config_definition = {
"exceptions": {
"default": [],
"type": "list",
"itemtype": "string",
}
}
self.configure()
def initialize(self, cfn):
"""Initialize the rule"""
for resource_type_spec in RESOURCE_SPECS.get(cfn.regions[0]).get(
"ResourceTypes"
):
self.resource_property_types.append(resource_type_spec)
for property_type_spec in RESOURCE_SPECS.get(cfn.regions[0]).get(
"PropertyTypes"
):
self.resource_sub_property_types.append(property_type_spec)
def check_value(self, value, path, property_name, **kwargs):
"""Check Value"""
matches = []
# Get the Allowed Pattern Regex
value_pattern_regex = kwargs.get("value_specs", {}).get(
"AllowedPatternRegex", {}
)
# Get the "Human Readable" version for the error message. Optional, if not specified,
# the RegEx itself is used.
value_pattern = kwargs.get("value_specs", {}).get(
"AllowedPattern", value_pattern_regex
)
if isinstance(value, (int, float)):
value = str(value)
if isinstance(value, str):
if value_pattern_regex:
regex = re.compile(value_pattern_regex, re.ASCII)
# Ignore values with dynamic references. Simple check to prevent false-positives
# See: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
if "{{resolve:" not in value:
if not regex.match(value):
for exception in self.config.get("exceptions"):
exception_regex = re.compile(exception)
if exception_regex.match(value):
return matches
full_path = "/".join(str(x) for x in path)
message = "{} contains invalid characters (Pattern: {}) at {}"
matches.append(
RuleMatch(
path,
message.format(property_name, value_pattern, full_path),
)
)
return matches
def check(self, cfn, properties, value_specs, property_specs, path):
"""Check itself"""
matches = []
for p_value, p_path in properties.items_safe(path[:]):
for prop in p_value:
if prop in value_specs:
value = value_specs.get(prop).get("Value", {})
if value:
value_type = value.get("ValueType", "")
property_type = (
property_specs.get("Properties").get(prop).get("Type")
)
value_specs = (
RESOURCE_SPECS.get(cfn.regions[0])
.get("ValueTypes")
.get(value_type, {})
)
if value_specs == "CACHED":
value_specs = (
RESOURCE_SPECS.get("us-east-1")
.get("ValueTypes")
.get(value_type, {})
)
matches.extend(
cfn.check_value(
p_value,
prop,
p_path,
check_value=self.check_value,
value_specs=value_specs,
cfn=cfn,
property_type=property_type,
property_name=prop,
)
)
return matches
def match_resource_sub_properties(self, properties, property_type, path, cfn):
"""Match for sub properties"""
matches = []
specs = (
RESOURCE_SPECS.get(cfn.regions[0])
.get("PropertyTypes")
.get(property_type, {})
.get("Properties", {})
)
property_specs = (
RESOURCE_SPECS.get(cfn.regions[0]).get("PropertyTypes").get(property_type)
)
matches.extend(self.check(cfn, properties, specs, property_specs, path))
return matches
def match_resource_properties(self, properties, resource_type, path, cfn):
"""Check CloudFormation Properties"""
matches = []
specs = (
RESOURCE_SPECS.get(cfn.regions[0])
.get("ResourceTypes")
.get(resource_type, {})
.get("Properties", {})
)
resource_specs = (
RESOURCE_SPECS.get(cfn.regions[0]).get("ResourceTypes").get(resource_type)
)
matches.extend(self.check(cfn, properties, specs, resource_specs, path))
return matches
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| __pycache__ | Folder | 0755 |
|
|
| AllowedPattern.py | File | 5.76 KB | 0644 |
|
| AllowedValue.py | File | 4.8 KB | 0644 |
|
| AtLeastOne.py | File | 4.11 KB | 0644 |
|
| AvailabilityZone.py | File | 3.41 KB | 0644 |
|
| BasedOnValue.py | File | 6.33 KB | 0644 |
|
| Exclusive.py | File | 3.98 KB | 0644 |
|
| ImageId.py | File | 2.37 KB | 0644 |
|
| Inclusive.py | File | 3.7 KB | 0644 |
|
| JsonSize.py | File | 6.08 KB | 0644 |
|
| ListDuplicates.py | File | 4.39 KB | 0644 |
|
| ListDuplicatesAllowed.py | File | 4.76 KB | 0644 |
|
| ListSize.py | File | 4.88 KB | 0644 |
|
| NumberSize.py | File | 4.88 KB | 0644 |
|
| OnlyOne.py | File | 3.89 KB | 0644 |
|
| Password.py | File | 3.63 KB | 0644 |
|
| Properties.py | File | 27.49 KB | 0644 |
|
| PropertiesTemplated.py | File | 2.44 KB | 0644 |
|
| Required.py | File | 4.1 KB | 0644 |
|
| RequiredBasedOnValue.py | File | 831 B | 0644 |
|
| StringSize.py | File | 4.52 KB | 0644 |
|
| UnwantedBasedOnValue.py | File | 837 B | 0644 |
|
| ValuePrimitiveType.py | File | 11.6 KB | 0644 |
|
| ValueRefGetAtt.py | File | 11.96 KB | 0644 |
|
| __init__.py | File | 106 B | 0644 |
|