def test_s3_has_required_tags(self):
    """Validate the tagged S3 bucket template and expect a clean report.

    The expected report has ``failure_count`` '0' and no file results, so this
    case pins the negative path of the required-tags rule: a bucket that carries
    its tags must produce neither a failure nor a warning. The optional rule set
    is switched on via ``use_optional_rules`` so the tag rule is actually run.
    """
    expected_result = [{
        'failure_count': '0',
        'filename': '/json/s3_bucket/has_required_tags.json',
        'file_results': [],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/s3_bucket/has_required_tags.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
        'use_optional_rules': True,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_rds_instance_with_public_access(self):
    """Validate the publicly accessible RDS template and expect rule F22 to fail it.

    The expected report carries ``failure_count`` '1' with a single
    VIOLATION::FAILING_VIOLATION naming ``PublicDB``; the report returned by
    ``class_to_test(...).validate()`` must match it exactly once ``pretty`` has
    normalised the expected structure.
    """
    expected_result = [{
        'failure_count': '1',
        'filename': '/json/rds_instance/rds_instance_publicly_accessible.json',
        'file_results': [{
            'id': 'F22',
            'type': 'VIOLATION::FAILING_VIOLATION',
            'message': 'RDS instance should not be publicly accessible',
            'logical_resource_ids': "['PublicDB']",
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/rds_instance/rds_instance_publicly_accessible.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_multiple_security_groups(self):
    """Validate a template with several ingress security groups.

    Only the warning W5 (egress CIDR open to the world on ``emrSecurityGroup``)
    is expected, with ``failure_count`` '0': an open egress is reported but does
    not fail the template under this rule set.
    """
    expected_result = [{
        'failure_count': '0',
        'filename': '/json/security_group/multiple_ingress_security_groups.json',
        'file_results': [{
            'id': 'W5',
            'type': 'VIOLATION::WARNING',
            'message': 'Security Groups found with cidr open to world on egress',
            'logical_resource_ids': "['emrSecurityGroup']",
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/security_group/multiple_ingress_security_groups.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_dangling_egress_rule(self):
    """Validate a template whose egress rule references a missing resource.

    The validator is expected to report a FATAL failing violation whose message
    embeds the unresolved logical id ``test`` and whose resource list is the
    string 'None'. Python 2 renders the embedded id with a ``u`` prefix, so the
    expected message is rewritten for that interpreter before comparison.
    """
    expected_result = [{
        'failure_count': '1',
        'filename': '/json/security_group/dangling_egress_rule.json',
        'file_results': [{
            'id': 'FATAL',
            'type': 'VIOLATION::FAILING_VIOLATION',
            'message': '{"Unresolved logical resource ids: [\'test\']": None}',
            'logical_resource_ids': 'None',
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # py2 repr() of a unicode id carries a u prefix inside the message.
        expected_result = [{
            'failure_count': '1',
            'filename': '/json/security_group/dangling_egress_rule.json',
            'file_results': [{
                'id': 'FATAL',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message': '{"Unresolved logical resource ids: [u\'test\']": None}',
                'logical_resource_ids': 'None',
            }],
        }]
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/security_group/dangling_egress_rule.json',
        'debug': True,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_security_group_when_inline_sg_is_open_to_world(self):
    """Validate two security groups with world-open inline ingress rules.

    Four findings are expected for a ``failure_count`` of '2': F1000 (no egress
    rule on ``sg`` and ``sg2``), W2 (ingress CIDR open to the world on ``sg2``),
    W27 (port ranges rather than single ports) and W9 (ingress CIDR wider than
    /32). The expected structure is identical on Python 2 and 3 and only needs
    the OrderedDict rebuild on Python 2.
    """
    expected_result = [{
        'failure_count': '2',
        'filename': '/json/security_group/two_security_group_two_cidr_ingress.json',
        'file_results': [
            {
                'id': 'F1000',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message': 'Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration',
                'logical_resource_ids': "['sg', 'sg2']",
            },
            {
                'id': 'W2',
                'type': 'VIOLATION::WARNING',
                'message': 'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB',
                'logical_resource_ids': "['sg2']",
            },
            {
                'id': 'W27',
                'type': 'VIOLATION::WARNING',
                'message': 'Security Groups found ingress with port range instead of just a single port',
                'logical_resource_ids': "['sg', 'sg2', 'sg2']",
            },
            {
                'id': 'W9',
                'type': 'VIOLATION::WARNING',
                'message': 'Security Groups found with ingress cidr that is not /32',
                'logical_resource_ids': "['sg2']",
            },
        ],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/security_group/two_security_group_two_cidr_ingress.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_security_group_when_egress_is_empty(self):
    """Validate a single security group that declares no egress rule.

    Rule F1000 must fail the template (``failure_count`` '1') because a missing
    egress block means all outbound traffic is implicitly allowed.
    """
    expected_result = [{
        'failure_count': '1',
        'filename': '/json/security_group/single_security_group_empty_ingress.json',
        'file_results': [{
            'id': 'F1000',
            'type': 'VIOLATION::FAILING_VIOLATION',
            'message': 'Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration',
            'logical_resource_ids': "['sg']",
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/security_group/single_security_group_empty_ingress.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_cloudformation(self):
    """Validate a CloudFront distribution template that has no access logging.

    Warning W10 is expected for ``rDistribution2`` with ``failure_count`` '0'.
    ``logical_resource_ids`` is written as a real list here, so after ``pretty``
    the single quotes in the expected text are swapped for double quotes before
    it is compared with the validator's output.
    """
    expected_result = [{
        "failure_count": "0",
        "filename": "/json/cloudfront_distribution/cloudfront_distribution_without_logging.json",
        "file_results": [{
            "id": "W10",
            "type": "VIOLATION::WARNING",
            "message": "CloudFront Distribution should enable access logging",
            "logical_resource_ids": ["rDistribution2"],
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/cloudfront_distribution/cloudfront_distribution_without_logging.json',
        'debug': True,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_results = class_to_test(config_dict).validate()

    # The validator emits JSON-style double quotes; normalise the expectation.
    expected_text = expected_result.replace('\'', '"')
    print('expected results: ' + str(expected_text))
    print('real result: ' + str(real_results))
    self.maxDiff = None
    self.assertEqual(expected_text, real_results)
def test_sqs_policy(self):
    """Validate an SQS queue policy that combines Allow with NotAction.

    Warning W18 is expected for both ``QueuePolicyWithNotAction`` resources and
    ``failure_count`` stays '0': the pattern is flagged but does not fail the
    template. Unlike its siblings this case does not echo the results to stdout.
    """
    expected_result = [{
        'failure_count': '0',
        'filename': '/json/sqs_queue_policy/sqs_policy_with_not_action.json',
        'file_results': [{
            'id': 'W18',
            'type': 'VIOLATION::WARNING',
            'message': 'SQS Queue policy should not allow Allow+NotAction',
            'logical_resource_ids': "['QueuePolicyWithNotAction', 'QueuePolicyWithNotAction2']",
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/sqs_queue_policy/sqs_policy_with_not_action.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    self.assertEqual(expected_result, real_result)
def test_ec2_invalid_template(self):
    """Validate an EC2 template that embeds credentials in the template body.

    Only warning W1 on ``EC2I4LBA1`` is expected and ``failure_count`` is '0':
    in this rule set hard-coded credentials are reported as a warning, not as a
    failing violation.
    """
    expected_result = [{
        'failure_count': '0',
        'filename': '/json/ec2_instance/invalid_template.json',
        'file_results': [{
            'id': 'W1',
            'type': 'VIOLATION::WARNING',
            'message': 'Specifying credentials in the template itself is probably not the safest thing',
            'logical_resource_ids': "['EC2I4LBA1']",
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/ec2_instance/invalid_template.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_ec2_instance_insensitive_authentication(self):
    """Validate an EC2 template whose IAM role uses wildcard action and resource.

    ``RootRole`` is expected to trigger F3 (``*`` action, failing) and W11
    (``*`` resource, warning), giving a ``failure_count`` of '1'.
    """
    expected_result = [{
        'failure_count': '1',
        'filename': '/json/ec2_instance/cfn_insensitive_authentication.json',
        'file_results': [
            {
                'id': 'F3',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message': 'IAM role should not allow * action on its permissions policy',
                'logical_resource_ids': "['RootRole']",
            },
            {
                'id': 'W11',
                'type': 'VIOLATION::WARNING',
                'message': 'IAM role should not allow * resource on its permissions policy',
                'logical_resource_ids': "['RootRole']",
            },
        ],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/ec2_instance/cfn_insensitive_authentication.json',
        'debug': True,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    self.assertEqual(expected_result, real_result)
def test_ebs_volume_no_tags(self):
    """Validate an EBS volume template that is missing the required tags.

    With the optional rules enabled, F89 must fail ``NewVolume`` for lacking the
    Name/ResourceOwner/DeployedBy/Project tags (``failure_count`` '1'). As the
    resource id list is a real list, single quotes in the prettified expectation
    are swapped for double quotes before the comparison.
    """
    expected_result = [{
        "failure_count": "1",
        "filename": "/json/ec2_volume/no_tags.json",
        "file_results": [{
            "id": "F89",
            "type": "VIOLATION::FAILING_VIOLATION",
            "message": "Ebs volume does not have the required tags of Name, ResourceOwner, DeployedBy, Project",
            "logical_resource_ids": ["NewVolume"],
        }],
    }]

    # NOTE(review): indentation reconstructed from a single-line paste; the
    # extent of the py2 branch is inferred - confirm against the checked-in file.
    if sys.version_info.major < 3:
        # Python 2 dicts are unordered; rebuild the expectation as OrderedDicts
        # (presumably in the key order the validator's report uses).
        reordered = []
        for info in expected_result[0]['file_results']:
            print('info: ' + str(info))
            print('type: ' + str(type(info)))
            reordered.append(OrderedDict(
                (key, info[key])
                for key in ("id", "type", "message", "logical_resource_ids")
            ))
        print('new file results: ' + str(reordered))
        expected_result[0]['file_results'] = reordered
        expected_result = [OrderedDict(
            (key, expected_result[0][key])
            for key in ("failure_count", "filename", "file_results")
        )]
    expected_result = pretty(expected_result)

    # Two levels above this test file is the project root holding the fixtures.
    repo_root = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
    config_dict = {
        'template_file': repo_root + '/cloudformation_validator/test_templates/json/ec2_volume/no_tags.json',
        'debug': False,
        'profile': None,
        'rules_directory': None,
        'input_path': None,
        'allow_suppression': False,
        'print_suppression': False,
        'parameter_values_path': None,
        'isolate_custom_rule_exceptions': None,
        'use_optional_rules': True,
    }
    real_result = class_to_test(config_dict).validate()

    self.maxDiff = None
    print('expected results: ' + str(expected_result))
    print('real results: ' + str(real_result))
    # The validator emits JSON-style double quotes; normalise the expectation.
    self.assertEqual(expected_result.replace('\'', '"'), real_result)