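def test_s3_has_required_tags(self):
        """A bucket template carrying every required tag produces no findings.

        ``use_optional_rules`` is switched on because ``has_required_tags`` is
        an optional rule; a clean template must come back with an empty
        ``file_results`` and a ``failure_count`` of ``'0'``.
        """
        expected_result = [{
            'failure_count': '0',
            'filename': '/json/s3_bucket/has_required_tags.json',
            'file_results': []
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/s3_bucket/has_required_tags.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
            'use_optional_rules': True,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)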
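    def test_rds_instance_with_public_access(self):
        """A publicly accessible RDS instance is reported as a failing violation.

        Rule ``F22`` fires on ``PublicDB`` as ``VIOLATION::FAILING_VIOLATION``
        and ``failure_count`` is ``'1'``, so a database exposed to the internet
        cannot slip through as a mere warning.
        """
        expected_result = [{
            'failure_count':
            '1',
            'filename':
            '/json/rds_instance/rds_instance_publicly_accessible.json',
            'file_results': [{
                'id': 'F22',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message': 'RDS instance should not be publicly accessible',
                'logical_resource_ids': "['PublicDB']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/rds_instance/rds_instance_publicly_accessible.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)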
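    def test_multiple_security_groups(self):
        """An egress CIDR open to the world is reported as warning ``W5`` only.

        ``failure_count`` stays ``'0'`` because warnings do not raise it. This
        pins the validator's severity policy: a gate that checks only
        ``failure_count`` will accept a template whose ``emrSecurityGroup``
        egresses to the whole internet, so consumers wanting to block that must
        also inspect ``file_results`` for ``VIOLATION::WARNING`` entries.
        """
        expected_result = [{
            'failure_count':
            '0',
            'filename':
            '/json/security_group/multiple_ingress_security_groups.json',
            'file_results': [{
                'id': 'W5',
                'type': 'VIOLATION::WARNING',
                'message':
                'Security Groups found with cidr open to world on egress',
                'logical_resource_ids': "['emrSecurityGroup']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/security_group/multiple_ingress_security_groups.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)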
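    def test_dangling_egress_rule(self):
        """An egress rule that references an undefined resource is a hard failure.

        The template refers to logical id ``test`` which is never declared.
        The validator must surface that as a ``FATAL`` failing violation and
        count it in ``failure_count`` -- a dangling reference must not pass as
        "no findings". The message embeds a Python repr of the unresolved ids,
        which is why the Python 2 expectation differs only by the ``u`` prefix;
        that coupling to repr formatting is brittle, so any change to the
        validator's error formatting will need this expectation updated.
        """
        expected_result = [{
            'failure_count':
            '1',
            'filename':
            '/json/security_group/dangling_egress_rule.json',
            'file_results': [{
                'id': 'FATAL',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message':
                '{"Unresolved logical resource ids: [\'test\']": None}',
                'logical_resource_ids': 'None'
            }]
        }]

        if sys.version_info[0] < 3:
            # Only the repr of the unresolved id differs on Python 2.
            expected_result[0]['file_results'][0]['message'] = (
                '{"Unresolved logical resource ids: [u\'test\']": None}')

            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/security_group/dangling_egress_rule.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': True,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)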
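    def test_security_group_when_inline_sg_is_open_to_world(self):
        """Two security groups with world-open inline ingress produce one failure and three warnings.

        ``F1000`` (missing egress rule) is the only failing violation, yet
        ``failure_count`` is ``'2'``; it lists both ``sg`` and ``sg2``, so the
        count appears to be per offending resource rather than per rule --
        treat that as the observed contract, not a documented one. ``W2``
        (ingress open to the world), ``W27`` (port range) and ``W9`` (ingress
        CIDR wider than /32) are warnings only. ``sg2`` appears twice under
        ``W27``, presumably once per ingress rule; the test pins that output
        as the validator currently emits it.
        """
        expected_result = [{
            'failure_count':
            '2',
            'filename':
            '/json/security_group/two_security_group_two_cidr_ingress.json',
            'file_results': [{
                'id': 'F1000',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message':
                'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
                'logical_resource_ids': "['sg', 'sg2']"
            }, {
                'id': 'W2',
                'type': 'VIOLATION::WARNING',
                'message':
                'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB',
                'logical_resource_ids': "['sg2']"
            }, {
                'id': 'W27',
                'type': 'VIOLATION::WARNING',
                'message':
                'Security Groups found ingress with port range instead of just a single port',
                'logical_resource_ids': "['sg', 'sg2', 'sg2']"
            }, {
                'id': 'W9',
                'type': 'VIOLATION::WARNING',
                'message':
                'Security Groups found with ingress cidr that is not /32',
                'logical_resource_ids': "['sg2']"
            }]
        }]

        if sys.version_info[0] < 3:
            # The expectation is identical on Python 2; only the key order has
            # to be fixed because Python 2 dicts are unordered.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/security_group/two_security_group_two_cidr_ingress.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)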
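    def test_security_group_when_egress_is_empty(self):
        """A security group with no egress rule fails with ``F1000``.

        An absent egress block means all outbound traffic is allowed, and the
        validator treats that as a failing violation (``failure_count`` is
        ``'1'``) rather than a warning. Note the fixture is named
        ``single_security_group_empty_ingress.json`` although the finding is
        about egress; the expectation below is what the validator emits for it.
        """
        expected_result = [{
            'failure_count':
            '1',
            'filename':
            '/json/security_group/single_security_group_empty_ingress.json',
            'file_results': [{
                'id': 'F1000',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message':
                'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
                'logical_resource_ids': "['sg']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/security_group/single_security_group_empty_ingress.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)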
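    def test_cloudformation(self):
        """A CloudFront distribution without access logging yields warning ``W10``.

        Despite the generic name, this test covers CloudFront logging only.
        ``failure_count`` stays ``'0'``: a missing access log is a warning, so
        a gate keyed on ``failure_count`` alone will not reject it. Unlike most
        tests here ``logical_resource_ids`` is a real list, and the expected
        text has its single quotes swapped for double quotes before comparison,
        presumably to match how the validator renders list values.
        """
        expected_result = [{
            "failure_count":
            "0",
            "filename":
            "/json/cloudfront_distribution/cloudfront_distribution_without_logging.json",
            "file_results": [{
                "id": "W10",
                "type": "VIOLATION::WARNING",
                "message":
                "CloudFront Distribution should enable access logging",
                "logical_resource_ids": ["rDistribution2"]
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result).replace('\'', '"')

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/cloudfront_distribution/cloudfront_distribution_without_logging.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': True,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)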
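    def test_sqs_policy(self):
        """An SQS queue policy using ``Allow`` with ``NotAction`` yields warning ``W18``.

        ``Allow`` + ``NotAction`` grants every action except those listed,
        which is hard to reason about; the validator flags both offending
        policies but as a warning only, so ``failure_count`` stays ``'0'``.
        """
        expected_result = [{
            'failure_count':
            '0',
            'filename':
            '/json/sqs_queue_policy/sqs_policy_with_not_action.json',
            'file_results': [{
                'id':
                'W18',
                'type':
                'VIOLATION::WARNING',
                'message':
                'SQS Queue policy should not allow Allow+NotAction',
                'logical_resource_ids':
                "['QueuePolicyWithNotAction', 'QueuePolicyWithNotAction2']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/sqs_queue_policy/sqs_policy_with_not_action.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)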
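    def test_ec2_invalid_template(self):
        """Credentials embedded in an EC2 template are reported as warning ``W1``.

        ``failure_count`` stays ``'0'``: hard-coded credentials are a warning,
        not a failing violation, so a pipeline that only fails on
        ``failure_count`` would still ship this template. The test pins that
        policy; if ``W1`` is ever promoted to a failure, update both the type
        and the count here.
        """
        expected_result = [{
            'failure_count':
            '0',
            'filename':
            '/json/ec2_instance/invalid_template.json',
            'file_results': [{
                'id': 'W1',
                'type': 'VIOLATION::WARNING',
                'message':
                'Specifying credentials in the template itself is probably not the safest thing',
                'logical_resource_ids': "['EC2I4LBA1']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/ec2_instance/invalid_template.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)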
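    def test_ec2_instance_insensitive_authentication(self):
        """An instance role with wildcard IAM permissions fails on ``F3``.

        ``RootRole`` allows ``*`` as both action and resource. The ``*``
        action is a failing violation (``F3``, counted in ``failure_count``)
        while the ``*`` resource is only warning ``W11``, so the test pins that
        a wildcard action alone is enough to fail the template.
        """
        expected_result = [{
            'failure_count':
            '1',
            'filename':
            '/json/ec2_instance/cfn_insensitive_authentication.json',
            'file_results': [{
                'id': 'F3',
                'type': 'VIOLATION::FAILING_VIOLATION',
                'message':
                'IAM role should not allow * action on its permissions policy',
                'logical_resource_ids': "['RootRole']"
            }, {
                'id': 'W11',
                'type': 'VIOLATION::WARNING',
                'message':
                'IAM role should not allow * resource on its permissions policy',
                'logical_resource_ids': "['RootRole']"
            }]
        }]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result)

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/ec2_instance/cfn_insensitive_authentication.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': True,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)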
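    def test_ebs_volume_no_tags(self):
        """An EBS volume lacking the mandated tags fails on ``F89``.

        ``use_optional_rules`` is switched on because the required-tags rule is
        optional; with it enabled the untagged ``NewVolume`` is a failing
        violation and ``failure_count`` is ``'1'``. ``logical_resource_ids``
        is a real list here, so the expected text has its single quotes
        swapped for double quotes before comparison, presumably to match how
        the validator renders list values.
        """
        expected_result = [
            {
                "failure_count": "1",
                "filename": "/json/ec2_volume/no_tags.json",
                "file_results": [
                    {
                        "id": "F89",
                        "type": "VIOLATION::FAILING_VIOLATION",
                        "message": "Ebs volume does not have the required tags of Name, ResourceOwner, DeployedBy, Project",
                        "logical_resource_ids": ["NewVolume"]
                    }
                ]
            }
        ]

        if sys.version_info[0] < 3:
            # Python 2 dicts are unordered; rebuild the expectation with the
            # key order the validator emits so pretty() renders identical text.
            finding_keys = ["id", "type", "message", "logical_resource_ids"]
            expected_result[0]['file_results'] = [
                OrderedDict((key, finding[key]) for key in finding_keys)
                for finding in expected_result[0]['file_results']
            ]
            report_keys = ["failure_count", "filename", "file_results"]
            expected_result = [
                OrderedDict((key, expected_result[0][key]) for key in report_keys)
            ]

        expected_result = pretty(expected_result).replace('\'', '"')

        template_name = os.path.dirname(
            os.path.dirname(os.path.realpath(__file__))
        ) + '/cloudformation_validator/test_templates/json/ec2_volume/no_tags.json'

        # One literal so every validator option is set exactly once.
        config_dict = {
            'template_file': template_name,
            'debug': False,
            'profile': None,
            'rules_directory': None,
            'input_path': None,
            'allow_suppression': False,
            'print_suppression': False,
            'parameter_values_path': None,
            'isolate_custom_rule_exceptions': None,
            'use_optional_rules': True,
        }
        validator = class_to_test(config_dict)

        real_result = validator.validate()

        # Unbounded diff so a mismatch shows the whole report.
        self.maxDiff = None
        self.assertEqual(expected_result, real_result)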