コード例 #1
ファイル: test_config.py プロジェクト: Skyscanner/cfripper
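def test_load_rules_config_file_invalid_file(test_files_location):
    """A rules config file that fails validation must raise ``ValidationError``.

    Args:
        test_files_location: fixture giving the directory that holds the
            ``config/`` test fixtures.

    The file is opened in a ``with`` block so the descriptor is released even
    though ``load_rules_config_file`` raises before returning; the exception
    still propagates out of the ``with`` and is caught by ``pytest.raises``.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)

    with pytest.raises(ValidationError):
        with open(f"{test_files_location}/config/rules_config_invalid.py") as rules_file:
            config.load_rules_config_file(rules_file)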
コード例 #2
ファイル: test_config.py プロジェクト: Skyscanner/cfripper
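def test_load_rules_config_file_no_file(test_files_location):
    """A missing rules config path must surface as ``FileNotFoundError``.

    Args:
        test_files_location: fixture giving the directory that holds the
            ``config/`` test fixtures.

    Note that it is ``open()`` itself that raises here, so
    ``load_rules_config_file`` is never reached; the ``with`` form keeps the
    handle closed on the (unexpected) path where the file does exist.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)

    with pytest.raises(FileNotFoundError):
        with open(f"{test_files_location}/config/non_existing_file.py") as rules_file:
            config.load_rules_config_file(rules_file)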
コード例 #3
ファイル: test_config.py プロジェクト: syllogy/cfripper
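def test_load_rules_config_file_success(test_files_location):
    """Loading a valid rules config plus the filters directory populates both.

    Args:
        test_files_location: fixture giving the directory that holds the
            ``config/`` and ``filters/`` test fixtures.

    The fixture file only overrides ``CrossAccountTrustRule``; the assertions
    check that no risk value or rule mode was set for it and that exactly one
    filter was picked up from the filters directory.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)
    # Use a context manager so the handle is closed once the config is parsed.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as rules_file:
        config.load_rules_config_file(rules_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")
    rule_config = config.get_rule_config("CrossAccountTrustRule")
    filters = config.get_rule_filters("CrossAccountTrustRule")
    assert not rule_config.risk_value
    assert not rule_config.rule_mode
    assert len(filters) == 1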
コード例 #4
ファイル: cli.py プロジェクト: syllogy/cfripper
def init_cfripper(
        rules_config_file: Optional[TextIOWrapper],
        rules_filters_folder: Optional[str]) -> Tuple[Config, RuleProcessor]:
    """Build the ``Config`` and ``RuleProcessor`` used by the CLI entry point.

    Args:
        rules_config_file: open text handle of an optional rules config; when
            given it is passed to ``Config.load_rules_config_file``.
        rules_filters_folder: optional directory of filter definitions; when
            given it is passed to ``Config.add_filters_from_dir``.

    Returns:
        The populated ``Config`` and a ``RuleProcessor`` holding one
        instantiated rule per name in ``config.rules``.

    Note: ``get_all_rules()`` is looked up with ``.get``, so a name in
    ``config.rules`` that is not a known rule yields ``None`` and fails with
    ``TypeError`` at instantiation rather than a descriptive error.
    """
    available_rules = get_all_rules()
    config = Config(rules=available_rules.keys())

    if rules_config_file:
        config.load_rules_config_file(rules_config_file)
    if rules_filters_folder:
        config.add_filters_from_dir(rules_filters_folder)

    def instantiate(rule_name):
        # Every rule receives the shared config at construction time.
        return available_rules.get(rule_name)(config)

    rule_processor = RuleProcessor(*map(instantiate, config.rules))
    return config, rule_processor
コード例 #5
ファイル: cli.py プロジェクト: claytonbrown/cfripper
def init_cfripper(
    rules_config_file: Optional[TextIOWrapper],
    rules_filters_folder: Optional[str],
    aws_account_id: Optional[str],
    aws_principals: Optional[List[str]],
) -> Tuple[Config, RuleProcessor]:
    """Build the ``Config`` and ``RuleProcessor`` used by the CLI entry point.

    Args:
        rules_config_file: open text handle of an optional rules config; when
            given it is passed to ``Config.load_rules_config_file``.
        rules_filters_folder: optional directory of filter definitions; when
            given it is passed to ``Config.add_filters_from_dir``.
        aws_account_id: forwarded to ``Config`` unchanged (presumably the
            account the template is evaluated against — confirm in ``Config``).
        aws_principals: forwarded to ``Config`` unchanged.

    Returns:
        The populated ``Config`` and a ``RuleProcessor`` holding one
        instantiated rule per name in ``config.rules``.

    Note: rules are looked up with ``.get``, so an unknown name in
    ``config.rules`` yields ``None`` and fails with ``TypeError`` at
    instantiation rather than a descriptive error.
    """
    available_rules = get_all_rules()
    config = Config(
        rules=available_rules.keys(),
        aws_account_id=aws_account_id,
        aws_principals=aws_principals,
    )

    if rules_config_file:
        config.load_rules_config_file(rules_config_file)
    if rules_filters_folder:
        config.add_filters_from_dir(rules_filters_folder)

    def instantiate(rule_name):
        # Every rule receives the shared config at construction time.
        return available_rules.get(rule_name)(config)

    rule_processor = RuleProcessor(*map(instantiate, config.rules))
    return config, rule_processor
コード例 #6
ファイル: test_config.py プロジェクト: Skyscanner/cfripper
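def test_load_filters_work_with_several_rules(template_two_roles_dict,
                                              test_files_location):
    """Filters loaded from disk must apply per rule when several rules run.

    Args:
        template_two_roles_dict: fixture template with two IAM roles.
        test_files_location: fixture giving the directory that holds the
            ``config/`` and ``filters/`` test fixtures.

    Both ``CrossAccountTrustRule`` and ``PartialWildcardPrincipalRule`` are
    expected to still report ``RootRoleTwo``; the fixture config/filters must
    not suppress either failure.
    """
    config = Config(
        rules=["CrossAccountTrustRule", "PartialWildcardPrincipalRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
    )
    # Context manager so the config file handle is released after parsing.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as rules_file:
        config.load_rules_config_file(rules_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")
    rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    # NOTE(review): the "[email protected]" segment in the first expected
    # reason reads like an extraction artefact of the original string —
    # confirm against the upstream fixture before relying on it.
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/[email protected]",
                risk_value=RuleRisk.MEDIUM,
                rule="CrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789:root'",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
        ],
    )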
コード例 #7
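def test_filter_works_as_expected_with_rules_config_file(
        template_two_roles_dict, expected_result_two_roles,
        test_files_location):
    """A filter from the rules config must drop all but the last expected failure.

    Args:
        template_two_roles_dict: fixture template with two IAM roles.
        expected_result_two_roles: fixture list of failures the unfiltered
            run would produce; only its last entry should survive filtering.
        test_files_location: fixture giving the directory that holds the
            ``config/`` and ``filters/`` test fixtures.
    """
    config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
    )
    # Context manager so the config file handle is released after parsing.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as rules_file:
        config.load_rules_config_file(rules_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")
    rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    assert compare_lists_of_failures(result.failures,
                                     expected_result_two_roles[-1:])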