def test_all_rules_valid():
for r in DEFAULT_RULES.values():
if r.RULE_MODE not in ["BLOCKING", "MONITOR", "DEBUG"]:
assert False
assert True
def test_debug_filter(template_cross_account_role_with_name, caplog):
logging.disable(logging.NOTSET)
caplog.set_level(logging.DEBUG)
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_filters=[
Filter(
reason="Test reason",
rule_mode=RuleMode.ALLOWED,
eval={
"and": [
{
"and": [
{
"exists": {
"ref": "resource.Properties.RoleName"
}
},
{
"regex": [
"^prefix-.*$", {
"ref":
"resource.Properties.RoleName"
}
]
},
]
},
{
"eq": [{
"ref": "principal"
}, "arn:aws:iam::999999999:role/[email protected]"]
},
]
},
rules={"CrossAccountTrustRule"},
debug=True,
),
],
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
processor.process_cf_template(template_cross_account_role_with_name,
mock_config)
for line in [
"Filter: Test reason",
"ref(resource.Properties.RoleName) -> prefix-test-root-role",
"exists(prefix-test-root-role) -> True",
"ref(resource.Properties.RoleName) -> prefix-test-root-role",
"regex(^prefix-.*$, prefix-test-root-role) -> True",
"ref(principal) -> arn:aws:iam::999999999:role/[email protected]",
"eq(arn:aws:iam::999999999:role/[email protected], arn:aws:iam::999999999:role/[email protected]) -> True",
"Filter result: True",
]:
assert line in caplog.text
def test_load_filters_work_with_several_rules(template_two_roles_dict,
test_files_location):
config = Config(
rules=["CrossAccountTrustRule", "PartialWildcardPrincipalRule"],
aws_account_id="123456789",
stack_name="mockstack",
)
config.load_rules_config_file(
open(
f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py"
))
config.add_filters_from_dir(f"{test_files_location}/filters")
rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(template_two_roles_dict, config)
assert not result.valid
assert compare_lists_of_failures(
result.failures,
[
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/[email protected]",
risk_value=RuleRisk.MEDIUM,
rule="CrossAccountTrustRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:root')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::999999999:role/[email protected]')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
Failure(
granularity=RuleGranularity.RESOURCE,
reason=
"RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
risk_value=RuleRisk.MEDIUM,
rule="PartialWildcardPrincipalRule",
rule_mode=RuleMode.BLOCKING,
actions=None,
resource_ids={"RootRoleTwo"},
resource_types={"AWS::IAM::Role"},
),
],
)
def init_cfripper() -> Tuple[Config, RuleProcessor]:
config = Config(rules=DEFAULT_RULES.keys())
rule_processor = RuleProcessor(
*[DEFAULT_RULES.get(rule)(config) for rule in config.rules])
return config, rule_processor