コード例 #1
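def it_condition_have_proto_protocol_and_port_port_for_cidr(
        _step_obj, condition, proto, port, cidr):
    """Check every stashed ``aws_security_group`` for a ``proto``/``port``/``cidr`` rule.

    Step implementation behind the "it <condition> have <proto> protocol and
    port <port> for <cidr>" clause. ``condition`` selects which
    ``SecurityGroup`` check is armed before ``validate()`` runs.

    Args:
        _step_obj: The running step. ``_step_obj.context.stash`` is iterated
            for the resources under test, and the same object is handed to
            ``Error`` when a group fails.
        condition: One of ``'must'``, ``'must not'`` or ``'must only'``.
        proto: Protocol as written in the feature file (e.g. ``tcp``).
        port: Port or port range as written in the feature file.
        cidr: CIDR block the rule is checked against.

    Returns:
        ``True`` once every stashed resource has been evaluated. A failing
        group is reported through ``Error``, not through the return value, so
        callers must not read ``True`` as "all groups are compliant".

    Raises:
        TerraformComplianceInternalFailure: if ``condition`` is not one of the
            three supported keywords (checked before any resource is touched),
            or if the stash contains a resource that is not an
            ``aws_security_group``.
    """
    # Map the condition keyword to the SecurityGroup method that arms the
    # corresponding check. Validating the keyword up front means a typo in the
    # feature file is reported even when the stash is empty; previously the
    # check lived inside the loop, so an empty stash silently returned True.
    checks = {
        'must only': 'must_only_have',
        'must': 'must_have',
        'must not': 'must_not_have',
    }
    if condition not in checks:
        # Separate literals were previously concatenated without spaces,
        # producing '...have"conditions on this step for now.You tried...'.
        raise TerraformComplianceInternalFailure(
            'You can only use "must have", "must not have" and "must only have" '
            'conditions on this step for now. '
            'You tried to use "{}"'.format(condition))

    searching_for = dict(port=port, protocol=proto, cidr_blocks=cidr)

    for sg in _step_obj.context.stash:
        if sg['type'] != 'aws_security_group':
            raise TerraformComplianceInternalFailure(
                'This method can only be used for aws_security_group resources '
                'for now. You tried to use it on {}'.format(sg['type']))

        sg_obj = SecurityGroup(searching_for,
                               sg['values'],
                               address=sg['address'])
        getattr(sg_obj, checks[condition])()
        result, message = sg_obj.validate()

        # validate() reports failure as (False, message). Error records the
        # failure on the step; the loop still continues so every group in the
        # stash is reported, not just the first one.
        if result is False:
            Error(_step_obj, message)

    return True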
コード例 #2
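 def test_must_have_port_tcp_80_with_multi_cidr_32_success(self):
     """A /32 that falls inside a configured CIDR satisfies a 'must have' check.

     Rule 0 is narrowed to 192.168.0.0/24 and rule 1 to 192.168.0.0/16 on
     ports 79-81; the requested 192.168.0.1/32 lies inside both, so the
     check is expected to pass. The requested port comes from the fixture
     (tcp/80 per the method name -- the fixture itself is not shown here).
     """
     self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/24']
     self.sg_in_conf[1]['cidr_blocks'] = ['192.168.0.0/16']
     self.sg_in_conf[1]['from_port'] = 79
     self.sg_in_conf[1]['to_port'] = 81
     self.sg_given['cidr_blocks'] = '192.168.0.1/32'
     sg = SecurityGroup(self.sg_given, self.sg_in_conf)
     sg.must_have()
     # validate() returns a (result, message) tuple. A non-empty tuple is
     # always truthy, so assertTrue(sg.validate()) could never fail; unpack
     # it and assert on the flag, surfacing the message on failure.
     result, error = sg.validate()
     self.assertTrue(result, error)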
コード例 #3
    def test_must_only_have_port_tcp_80_81_with_ALL_cidr_success(self):
        """A 'must only have' check for range 80-81 fails when 81 is not open.

        Despite the ``_success`` suffix, this asserts a failure: the expected
        message reports tcp/81 as not defined on 0.0.0.0/0, i.e. the fixture
        does not open that port.
        """
        self.sg_given['port'] = '80-81'

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_only_have()
        passed, message = group.validate()

        expected = 'tcp/81 port is not defined within 0.0.0.0/0 network in test_sg.'
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #4
    def test_must_have_port_tcp_443_444_with_ALL_cidr(self, *args):
        """A 'must have' check for range 443-444 fails when neither port is open.

        Both ports are reported together in a single parenthesised message.
        ``*args`` is unused in the body; presumably it absorbs arguments
        injected by a decorator above this method that is not shown here --
        confirm before removing.
        """
        self.sg_given['port'] = '443-444'

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_have()
        passed, message = group.validate()

        expected = ('tcp/(443,444) ports are not defined within 0.0.0.0/0 '
                    'network in test_sg.')
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #5
    def test_must_have_port_tcp_443_with_ALL_cidr(self):
        """A 'must have' check for a single port the fixture does not open fails.

        The port is given as an int here (other tests use a string range);
        the expected message names the single missing port.
        """
        self.sg_given['port'] = 443

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_have()
        passed, message = group.validate()

        expected = 'tcp/443 port is not defined within 0.0.0.0/0 network in test_sg.'
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #6
    def test_must_have_port_tcp_80_81_with_ALL_cidr(self):
        """A 'must have' check for range 80-82 reports only the missing port.

        Note the requested range is 80-82, not 80-81 as the method name
        suggests. Rule 1 is widened to 0.0.0.0/0, and only tcp/82 is expected
        to be reported as undefined.
        """
        self.sg_given['port'] = '80-82'
        self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_have()
        passed, message = group.validate()

        expected = 'tcp/82 port is not defined within 0.0.0.0/0 network in test_sg.'
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #7
    def test_must_have_port_tcp_443_with_multi_cidr(self):
        """A 'must have' check names the requested CIDR in its failure message.

        Rule 0 is given two CIDRs (192.168.0.0/16 and 0.0.0.0/0), both of
        which contain the requested 192.168.1.0/24; the failure is for the
        port, and the message reports it against the requested network.
        """
        self.sg_given['port'] = 443
        self.sg_given['cidr_blocks'] = '192.168.1.0/24'
        self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_have()
        passed, message = group.validate()

        expected = ('tcp/443 port is not defined within 192.168.1.0/24 '
                    'network in test_sg.')
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #8
    def test_must_only_have_port_some_ports_are_over_configured(self):
        """A 'must only have' check reports ports open beyond the requested one.

        Rule 0 opens 79-81 on 192.168.0.0/16 and 0.0.0.0/0, rule 1 opens 80
        on 0.0.0.0/0. The surplus ports 79 and 81 are expected in the message
        in the order the implementation emits them, ``(81,79)``.
        """
        self.sg_in_conf[0]['from_port'] = 79
        self.sg_in_conf[0]['to_port'] = 81
        self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
        self.sg_in_conf[1]['from_port'] = 80
        self.sg_in_conf[1]['to_port'] = 80
        self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']

        group = SecurityGroup(self.sg_given, self.sg_in_conf)
        group.must_only_have()
        passed, message = group.validate()

        expected = ('tcp/(81,79) ports are defined within 0.0.0.0/0 '
                    'network in test_sg.')
        self.assertFalse(passed)
        self.assertEqual(expected, message)
コード例 #9
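    def test_must_only_have_port_not_match_multiple_errors_given(self):
        """A 'must only have' check with no matching rule reports every mismatch.

        Rule 0 opens 22-23 and rule 1 opens 443-444, both on 0.0.0.0/0, so
        the requested port is absent and every configured port is surplus.
        Each expected message is checked with ``assertIn`` so it works whether
        ``error`` is one joined string or a list of messages.

        The original assertions were ``assertTrue('<message>', error)``: the
        non-empty literal was the value under test and ``error`` only the
        failure message, so they passed unconditionally.
        """
        self.sg_in_conf[0]['from_port'] = 22
        self.sg_in_conf[0]['to_port'] = 23
        self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
        self.sg_in_conf[1]['from_port'] = 443
        self.sg_in_conf[1]['to_port'] = 444
        self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']

        sg = SecurityGroup(self.sg_given, self.sg_in_conf)
        sg.must_only_have()
        result, error = sg.validate()

        self.assertFalse(result)
        self.assertIn(
            'tcp/80 port is not defined within 0.0.0.0/0 network in test_sg.',
            error)
        self.assertIn(
            'tcp/(443,444,22,23) ports are defined within 0.0.0.0/0 network in test_sg.',
            error)
        self.assertIn(
            'None of the ports given defined within 0.0.0.0/0 network in test_sg.',
            error)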
コード例 #10
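 def test_must_only_have_port_tcp_80_with_ALL_cidr_success(self):
     """The unmodified fixture satisfies a 'must only have' check.

     Uses ``sg_given`` and ``sg_in_conf`` exactly as the fixture builds them
     (tcp/80 on 0.0.0.0/0 per the method name; the fixture is not shown here).
     """
     sg = SecurityGroup(self.sg_given, self.sg_in_conf)
     sg.must_only_have()
     # validate() returns a (result, message) tuple. A non-empty tuple is
     # always truthy, so assertTrue(sg.validate()) could never fail; unpack
     # it and assert on the flag, surfacing the message on failure.
     result, error = sg.validate()
     self.assertTrue(result, error)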