def test_filter_do_not_report_anything(single_security_group_one_cidr_ingress):
mock_config = Config(
rules=["EC2SecurityGroupMissingEgressRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"EC2SecurityGroupMissingEgressRule":
RuleConfig(filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={"eq": [{
"ref": "config.stack_name"
}, "mockstack"]},
)
], )
},
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(
single_security_group_one_cidr_ingress, mock_config)
assert result.valid
def test_non_matching_filters_are_reported_normally(
single_security_group_one_cidr_ingress):
mock_config = Config(
rules=["EC2SecurityGroupMissingEgressRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"EC2SecurityGroupMissingEgressRule":
RuleConfig(filters=[
Filter(rule_mode=RuleMode.WHITELISTED,
eval={
"eq": [{
"ref": "config.stack_name"
}, "anotherstack"]
})
], )
},
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(
single_security_group_one_cidr_ingress, mock_config)
assert result.valid
assert len(result.failed_rules) == 0
assert len(result.failed_monitored_rules) == 1
assert result.failed_monitored_rules[
0].rule == "EC2SecurityGroupMissingEgressRule"
assert (
result.failed_monitored_rules[0].reason ==
"Missing egress rule in sg means all traffic is allowed outbound. Make this explicit if it is desired configuration"
)
def test_filter_works_as_expected(template_two_roles_dict, expected_result_two_roles):
config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{"eq": [{"ref": "config.stack_name"}, "mockstack"]},
{"eq": [{"ref": "logical_id"}, "RootRoleOne"]},
]
},
)
],
)
},
)
rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(template_two_roles_dict, config)
assert not result.valid
assert result.failed_rules[0] == expected_result_two_roles[-1]
def test_non_matching_filters_are_reported_normally(
invalid_security_group_range):
mock_config = Config(
rules=["EC2SecurityGroupOpenToWorldRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"EC2SecurityGroupOpenToWorldRule":
RuleConfig(filters=[
Filter(rule_mode=RuleMode.WHITELISTED,
eval={
"eq": [{
"ref": "config.stack_name"
}, "anotherstack"]
})
], )
},
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(invalid_security_group_range,
mock_config)
assert not result.valid
assert result.failed_rules[0].rule == "EC2SecurityGroupOpenToWorldRule"
assert (
result.failed_rules[0].reason ==
"Port(s) 0-79, 81-100 open to public IPs: (11.0.0.0/8) in security group 'SecurityGroup'"
)
def test_filter_do_not_report_anything(bad_template):
mock_config = Config(
rules=["EC2SecurityGroupIngressOpenToWorldRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"EC2SecurityGroupIngressOpenToWorldRule":
RuleConfig(filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{
"eq": [{
"ref": "config.stack_name"
}, "mockstack"]
},
{
"eq": [{
"ref": "ingress.FromPort"
}, 46]
},
]
},
)
], )
},
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(bad_template, mock_config)
assert result.valid
def test_exist_function_and_property_exists(
template_cross_account_role_with_name):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule":
RuleConfig(filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{
"and": [
{
"exists": {
"ref":
"resource.Properties.RoleName"
}
},
{
"regex": [
"^prefix-.*$", {
"ref":
"resource.Properties.RoleName"
}
]
},
]
},
{
"eq":
[{
"ref": "principal"
},
"arn:aws:iam::999999999:role/[email protected]"
]
},
]
},
),
])
},
)
rules = [
DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(
template_cross_account_role_with_name, mock_config)
assert result.valid
def test_non_matching_filters_are_reported_normally(template_two_roles_dict, expected_result_two_roles):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(rule_mode=RuleMode.WHITELISTED, eval={"eq": [{"ref": "config.stack_name"}, "anotherstack"]})
],
)
},
)
rules = [DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(template_two_roles_dict, mock_config)
assert not result.valid
assert result.failed_rules == expected_result_two_roles
def test_filter_do_not_report_anything(template_two_roles_dict):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(rule_mode=RuleMode.WHITELISTED, eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]})
],
)
},
)
rules = [DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules]
processor = RuleProcessor(*rules)
result = processor.process_cf_template(template_two_roles_dict, mock_config)
assert result.valid
from cfripper.config.filter import Filter
from cfripper.config.rule_config import RuleConfig
from cfripper.model.enums import RuleMode
# RULES_CONFIG is here a list of RuleConfig instead of a dict with the rule names as keys
RULES_CONFIG = [
RuleConfig(filters=[
Filter(
rule_mode=RuleMode.ALLOWED,
eval={
"and": [
{
"eq": [{
"ref": "config.stack_name"
}, "mockstack"]
},
{
"eq": [{
"ref": "logical_id"
}, "RootRoleOne"]
},
]
},
)
], )
]
from cfripper.config.rule_config import RuleConfig
RULES_CONFIG = {"CrossAccountTrustRule": RuleConfig()}
from cfripper.config.rule_config import RuleConfig
from cfripper.config.rule_configs.allow_http_ports_open_to_world import (
allow_http_ports_open_to_world_rules_config_filter, )
from cfripper.config.rule_configs.firehose_ips import firehose_ips_rules_config_filter
from cfripper.model.enums import RuleMode
RULES_CONFIG = {
"EC2SecurityGroupMissingEgressRule":
RuleConfig(rule_mode=RuleMode.DISABLED),
}
FILTERS = [
allow_http_ports_open_to_world_rules_config_filter,
firehose_ips_rules_config_filter
]