customer operator: regex, gt, lt (#2694)

Co-authored-by: Kevin DeJong <[email protected]>

Author: kftsehk

docs/custom_rules.md

@@ -41,9 +41,12 @@ The specified operator to be used for this rule. The supported values are define
 | == | Identical to `EQUALS` |
 | NOT_EQUALS | Checks the specified property is not equal to the value given |
 | != | Identical to `NOT_EQUALS` |
+| REGEX_MATCH | Checks the specified property matches regex given (using python `regex` module) |
 | IN | Checks the specified property is equal to or contained by the array value |
 | NOT_IN | Checks the specified property is not equal to or not contained by the array value |
 | \>= | Checks the specified property is greater than or equal to the value given |
+| \> | Checks the specified property is greater than the value given |
+| < | Checks the specified property is less than the value given |
 | <= | Checks the specified property is less than or equal to the value given |
 | IS | Checks the specified property is defined or not defined, the value must be one of DEFINED or NOT_DEFINED |
 

src/cfnlint/rules/custom/Operators.py

@@ -3,16 +3,21 @@
 SPDX-License-Identifier: MIT-0
 """
 
+import regex as re
+
 # pylint: disable=cyclic-import
 import cfnlint.rules
 
 OPERATOR = [
     "EQUALS",
     "NOT_EQUALS",
+    "REGEX_MATCH",
     "==",
     "!=",
     "IN",
     "NOT_IN",
+    ">",
+    "<",
     ">=",
     "<=",
     "IS DEFINED",
@@ -298,7 +303,29 @@ def rule_func(value, expected_values, path):
     )
 
 
-def CreateGreaterRule(rule_id, resourceType, prop, value, error_message):
+def CreateRegexMatchRule(rule_id, resourceType, prop, value, error_message):
+    def rule_func(value, expected_values, path):
+        matches = []
+        if not re.match(expected_values.strip(), str(value).strip()):
+            matches.append(
+                cfnlint.rules.RuleMatch(path, error_message or "Regex does not match")
+            )
+
+        return matches
+
+    return CreateCustomRule(
+        rule_id,
+        resourceType,
+        prop,
+        value,
+        error_message,
+        shortdesc="Custom rule to check for regex match",
+        description="Created from the custom rules parameter. This rule will check if a property value match the provided regex pattern.",
+        rule_func=rule_func,
+    )
+
+
+def CreateGreaterEqualRule(rule_id, resourceType, prop, value, error_message):
     def rule_func(value, expected_value, path):
         matches = []
         if checkInt(str(value).strip()) and checkInt(str(expected_value).strip()):
@@ -329,7 +356,69 @@ def rule_func(value, expected_value, path):
     )
 
 
+def CreateGreaterRule(rule_id, resourceType, prop, value, error_message):
+    def rule_func(value, expected_value, path):
+        matches = []
+        if checkInt(str(value).strip()) and checkInt(str(expected_value).strip()):
+            if int(str(value).strip()) <= int(str(expected_value).strip()):
+                matches.append(
+                    cfnlint.rules.RuleMatch(
+                        path, error_message or "Greater than check failed"
+                    )
+                )
+        else:
+            matches.append(
+                cfnlint.rules.RuleMatch(
+                    path, error_message or "Given values are not numeric"
+                )
+            )
+
+        return matches
+
+    return CreateCustomRule(
+        rule_id,
+        resourceType,
+        prop,
+        value,
+        error_message,
+        shortdesc="Custom rule to check for if a value is greater than the specified value",
+        description="Created from the custom rules parameter. This rule will check if a property value is greater than the specified value.",
+        rule_func=rule_func,
+    )
+
+
 def CreateLesserRule(rule_id, resourceType, prop, value, error_message):
+    def rule_func(value, expected_value, path):
+        matches = []
+        if checkInt(str(value).strip()) and checkInt(str(expected_value).strip()):
+            if int(str(value).strip()) >= int(str(expected_value).strip()):
+                matches.append(
+                    cfnlint.rules.RuleMatch(
+                        path, error_message or "Lesser than check failed"
+                    )
+                )
+        else:
+            matches.append(
+                cfnlint.rules.RuleMatch(
+                    path, error_message or "Given values are not numeric"
+                )
+            )
+
+        return matches
+
+    return CreateCustomRule(
+        rule_id,
+        resourceType,
+        prop,
+        value,
+        error_message,
+        shortdesc="Custom rule to check for if a value is lesser than the specified value",
+        description="Created from the custom rules parameter. This rule will check if a property value is lesser than the specified value.",
+        rule_func=rule_func,
+    )
+
+
+def CreateLesserEqualRule(rule_id, resourceType, prop, value, error_message):
     def rule_func(value, expected_value, path):
         matches = []
         if checkInt(str(value).strip()) and checkInt(str(expected_value).strip()):

src/cfnlint/rules/custom/__init__.py

@@ -72,6 +72,10 @@ def process_sets(raw_value):
             return cfnlint.rules.custom.Operators.CreateNotEqualsRule(
                 error_level + str(rule_id), resourceType, prop, value, error_message
             )
+        if operator == "REGEX_MATCH":
+            return cfnlint.rules.custom.Operators.CreateRegexMatchRule(
+                error_level + str(rule_id), resourceType, prop, value, error_message
+            )
         if operator == "IN":
             return cfnlint.rules.custom.Operators.CreateInSetRule(
                 error_level + str(rule_id), resourceType, prop, value, error_message
@@ -80,14 +84,22 @@ def process_sets(raw_value):
             return cfnlint.rules.custom.Operators.CreateNotInSetRule(
                 error_level + str(rule_id), resourceType, prop, value, error_message
             )
-        if operator == ">=":
+        if operator == ">":
             return cfnlint.rules.custom.Operators.CreateGreaterRule(
                 error_level + str(rule_id), resourceType, prop, value, error_message
             )
-        if operator == "<=":
+        if operator == ">=":
+            return cfnlint.rules.custom.Operators.CreateGreaterEqualRule(
+                error_level + str(rule_id), resourceType, prop, value, error_message
+            )
+        if operator == "<":
             return cfnlint.rules.custom.Operators.CreateLesserRule(
                 error_level + str(rule_id), resourceType, prop, value, error_message
             )
+        if operator == "<=":
+            return cfnlint.rules.custom.Operators.CreateLesserEqualRule(
+                error_level + str(rule_id), resourceType, prop, value, error_message
+            )
         if operator == "IS":
             if value in ["DEFINED", "NOT_DEFINED"]:
                 return cfnlint.rules.custom.Operators.CreateCustomIsDefinedRule(

test/fixtures/custom_rules/bad/custom_rule_invalid_greater_than.txt

@@ -1,2 +1,4 @@
 AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold >= 5
-AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold >= AB
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold > 3
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold >= AB
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold > AB

test/fixtures/custom_rules/bad/custom_rule_invalid_less_than.txt

@@ -1,2 +1,4 @@
 AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold <= 1
-AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold <= AB
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold < 3
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold <= AB
+AWS::ElasticLoadBalancing::LoadBalancer HealthCheck.HealthyThreshold < AB

test/fixtures/custom_rules/bad/custom_rule_invalid_regex.txt

@@ -0,0 +1 @@
+AWS::IAM::Role AssumeRolePolicyDocument.Version REGEX_MATCH "^202.*$"

test/fixtures/custom_rules/good/custom_rule_perfect.txt

@@ -6,5 +6,10 @@ AWS::IAM::Policy PolicyName EQUALS "root" WARN ABC
 AWS::IAM::Policy PolicyName IN [2012-10-16,root,2012-10-18] ERROR ABC
 AWS::IAM::Policy PolicyName NOT_EQUALS "user" WARN ABC
 AWS::IAM::Policy PolicyName NOT_IN [2012-10-16,2012-11-20,2012-10-18] ERROR ABC
+AWS::EC2::Instance BlockDeviceMappings.Ebs.VolumeSize >= 20 WARN
+AWS::EC2::Instance BlockDeviceMappings.Ebs.VolumeSize > 10 ERROR ABC
+AWS::EC2::Instance BlockDeviceMappings.Ebs.VolumeSize <= 50 ERROR DEF
+AWS::EC2::Instance BlockDeviceMappings.Ebs.VolumeSize < 40 WARN ABC
+AWS::CloudFormation::Stack TemplateURL REGEX_MATCH "^https.*$" WARN ABC
 AWS::Lambda::Function Environment.Variables.NODE_ENV IS DEFINED
 AWS::Lambda::Function Environment.Variables.PRIVATE_KEY IS NOT_DEFINED

test/unit/module/custom_rules/test_custom_rules.py

@@ -56,6 +56,9 @@ def setUp(self):
         self.invalid_less_than = (
             "test/fixtures/custom_rules/bad/custom_rule_invalid_less_than.txt"
         )
+        self.invalid_regex = (
+            "test/fixtures/custom_rules/bad/custom_rule_invalid_regex.txt"
+        )
 
     def test_perfect_parse(self):
         """Test Successful Custom_Rule Parsing"""
@@ -102,6 +105,13 @@ def test_invalid_less_than(self):
             > -1
         )
 
+    def test_invalid_regex(self):
+        """Test Successful Custom_Rule Parsing"""
+        assert (
+            self.run_tests(self.invalid_regex)[0].message.find("Regex does not match")
+            > -1
+        )
+
     def test_valid_boolean_value(self):
         """Test Boolean values"""
         assert self.run_tests(self.valid_boolean) == []