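def test_must_have_port_tcp_80_with_multi_cidr_32_success(self):
    """A /32 host inside two overlapping rule networks satisfies must_have.

    Rule 0 is narrowed to 192.168.0.0/24 and rule 1 widened to
    192.168.0.0/16 on ports 79-81; the requested 192.168.0.1/32 lies
    inside both, so validate() is expected to succeed.
    """
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/24']
    self.sg_in_conf[1]['cidr_blocks'] = ['192.168.0.0/16']
    self.sg_in_conf[1]['from_port'] = 79
    self.sg_in_conf[1]['to_port'] = 81
    self.sg_given['cidr_blocks'] = '192.168.0.1/32'
    sg = SecurityGroup(self.sg_given, self.sg_in_conf)
    sg.must_have()
    # validate() returns a (result, message) pair; asserting on the tuple
    # itself is always true, so unpack and check the boolean explicitly.
    result, message = sg.validate()
    self.assertTrue(result, message)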
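def it_condition_have_proto_protocol_and_port_port_for_cidr(
        _step_obj, condition, proto, port, cidr):
    """Apply a port/protocol/CIDR condition to every stashed aws_security_group.

    Args:
        _step_obj: step object whose ``context.stash`` lists the resources
            to check; it is also handed to ``Error`` when a check fails.
        condition: ``'must only'``, ``'must'`` or ``'must not'``; selects
            the SecurityGroup mode applied before validating.
        proto: protocol, forwarded to SecurityGroup as ``protocol``.
        port: port or port range, forwarded as ``port``.
        cidr: network, forwarded as ``cidr_blocks``.

    Returns:
        True after every stashed resource has been processed.

    Raises:
        TerraformComplianceInternalFailure: if a stashed resource is not of
            type ``aws_security_group`` or ``condition`` is not recognised.
    """
    searching_for = dict(port=port, protocol=proto, cidr_blocks=cidr)

    for sg in _step_obj.context.stash:
        if sg['type'] != 'aws_security_group':
            raise TerraformComplianceInternalFailure(
                'This method can only be used for aws_security_group resources '
                'for now. You tried to used it on {}'.format(sg['type']))

        sg_obj = SecurityGroup(searching_for, sg['values'], address=sg['address'])

        if condition == 'must only':
            sg_obj.must_only_have()
        elif condition == 'must':
            sg_obj.must_have()
        elif condition == 'must not':
            sg_obj.must_not_have()
        else:
            # The literals are concatenated at compile time, so each one
            # needs its own trailing space or the sentences run together.
            raise TerraformComplianceInternalFailure(
                'You can only use "must have", "must not have" and "must only have" '
                'conditions on this step for now. '
                'You tried to use "{}"'.format(condition))

        # validate() yields a (result, message) pair; only an explicit
        # False is reported as a step error.
        result, message = sg_obj.validate()
        if result is False:
            Error(_step_obj, message)

    return True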
def test_must_only_have_port_tcp_80_81_with_ALL_cidr_success(self):
    """Requesting ports 80-81 under must_only_have reports tcp/81 as undefined.

    Despite the ``_success`` suffix, the assertions expect validate() to
    fail and to name tcp/81 on 0.0.0.0/0 in test_sg.
    """
    self.sg_given['port'] = '80-81'
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_only_have()
    outcome, message = group.validate()
    expected = 'tcp/81 port is not defined within 0.0.0.0/0 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_have_port_tcp_443_444_with_ALL_cidr(self, *args):
    """must_have on a 443-444 range that no fixture rule covers fails.

    The message is expected to list both ports in the plural form.
    """
    self.sg_given['port'] = '443-444'
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_have()
    outcome, message = group.validate()
    expected = 'tcp/(443,444) ports are not defined within 0.0.0.0/0 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_have_port_tcp_443_with_ALL_cidr(self):
    """must_have on a single uncovered port (443, given as an int) fails."""
    self.sg_given['port'] = 443
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_have()
    outcome, message = group.validate()
    expected = 'tcp/443 port is not defined within 0.0.0.0/0 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_have_port_tcp_80_81_with_ALL_cidr(self):
    """A requested range that extends one port past the rules fails on that port.

    Rule 1 is opened to 0.0.0.0/0 and the request is 80-82; only tcp/82 is
    expected to be reported as undefined.
    """
    self.sg_given['port'] = '80-82'
    self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_have()
    outcome, message = group.validate()
    expected = 'tcp/82 port is not defined within 0.0.0.0/0 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_have_port_tcp_443_with_multi_cidr(self):
    """must_have for tcp/443 on 192.168.1.0/24 fails when no rule opens 443.

    Rule 0 is widened to 192.168.0.0/16 and 0.0.0.0/0, but the port itself
    is not offered, so the message names the requested network.
    """
    self.sg_given['port'] = 443
    self.sg_given['cidr_blocks'] = '192.168.1.0/24'
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_have()
    outcome, message = group.validate()
    expected = 'tcp/443 port is not defined within 192.168.1.0/24 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_only_have_port_some_ports_are_over_configured(self):
    """must_only_have reports ports the rules open beyond the requested one.

    Rule 0 covers 79-81 on 192.168.0.0/16 and 0.0.0.0/0; rule 1 covers
    exactly 80 on 0.0.0.0/0. The extra ports 81 and 79 are expected to be
    flagged, in that order.
    """
    rule_zero = self.sg_in_conf[0]
    rule_one = self.sg_in_conf[1]
    rule_zero['from_port'] = 79
    rule_zero['to_port'] = 81
    rule_zero['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    rule_one['from_port'] = 80
    rule_one['to_port'] = 80
    rule_one['cidr_blocks'] = ['0.0.0.0/0']
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    group.must_only_have()
    outcome, message = group.validate()
    expected = 'tcp/(81,79) ports are defined within 0.0.0.0/0 network in test_sg.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
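def test_must_not_have_port_tcp_22_with_range_with_ALL_cidr_success(self):
    """A 21-22 request does not collide with a 22-23 rule on a private network.

    Rule 0 is moved to ports 22-23 on 192.168.0.0/16. No mode setter is
    called before validate() here (the sibling must-not tests do the same),
    so the default mode is presumably must_not_have — confirm against
    SecurityGroup.
    """
    self.sg_given['port'] = '21-22'
    self.sg_in_conf[0]['from_port'] = 22
    self.sg_in_conf[0]['to_port'] = 23
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16']
    # validate() returns a (result, message) pair; a tuple is always truthy,
    # so the boolean has to be unpacked for the assertion to mean anything.
    result, message = SecurityGroup(self.sg_given, self.sg_in_conf).validate()
    self.assertTrue(result, message)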
def test_must_not_have_port_tcp_80_with_ALL_cidr(self):
    """With the unmodified fixture, validate() reports tcp/80 open to 0.0.0.0/0.

    No mode setter is called before validate(); presumably must_not_have is
    the default — confirm against SecurityGroup.
    """
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    outcome, message = group.validate()
    expected = 'tcp/80 port is defined within 0.0.0.0/0 network in test.security_group_rule1.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
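def test_must_not_have_port_tcp_22_23_with_ALL_multi_success(self):
    """Ports 22-23 on 192.168.1.0/16 are not flagged against disjoint rule networks.

    Rule 0 opens 22-23 only on 192.168.0.0/24 and 10.0.0.0/8. The request
    uses a host address with a /16 mask ('192.168.1.0/16') as given in the
    original test; whether SecurityGroup normalises that is not visible
    here. No mode setter is called, so the default mode is presumably
    must_not_have — confirm.
    """
    self.sg_given['port'] = '22-23'
    self.sg_in_conf[0]['from_port'] = 22
    self.sg_in_conf[0]['to_port'] = 23
    self.sg_given['cidr_blocks'] = '192.168.1.0/16'
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/24', '10.0.0.0/8']
    # validate() returns a (result, message) pair; assert on the boolean,
    # not on the always-truthy tuple.
    result, message = SecurityGroup(self.sg_given, self.sg_in_conf).validate()
    self.assertTrue(result, message)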
def test_must_not_have_port_tcp_80_with_multi_cidr(self):
    """tcp/80 requested on 192.168.1.0/24 is flagged by two wider rule networks.

    Rule 0 is widened to 192.168.0.0/16 and 0.0.0.0/0; both are expected in
    the message, in rule order. No mode setter is called before validate().
    """
    self.sg_given['cidr_blocks'] = '192.168.1.0/24'
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    outcome, message = group.validate()
    expected = (
        'tcp/80 port is defined within 192.168.0.0/16, 0.0.0.0/0 networks in '
        'test.security_group_rule1.'
    )
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
def test_must_not_have_port_tcp_22_23_with_ALL_cidr(self):
    """A 22-23 request matching a 22-23 rule on 0.0.0.0/0 is flagged for both ports.

    No mode setter is called before validate().
    """
    self.sg_given['port'] = '22-23'
    self.sg_in_conf[0]['from_port'] = 22
    self.sg_in_conf[0]['to_port'] = 23
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    outcome, message = group.validate()
    expected = 'tcp/(22,23) ports are defined within 0.0.0.0/0 network in test.security_group_rule1.'
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
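def test_must_only_have_port_not_match_multiple_errors_given(self):
    """must_only_have with no matching rule yields several messages at once.

    Rule 0 is moved to 22-23 on 192.168.0.0/16 and 0.0.0.0/0, rule 1 to
    443-444 on 0.0.0.0/0, so the requested port is absent while extra
    ports are present. Each expected message is looked up in ``error``
    with assertIn, which works whether ``error`` is a joined string or a
    list of messages.
    """
    self.sg_in_conf[0]['from_port'] = 22
    self.sg_in_conf[0]['to_port'] = 23
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    self.sg_in_conf[1]['from_port'] = 443
    self.sg_in_conf[1]['to_port'] = 444
    self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']
    sg = SecurityGroup(self.sg_given, self.sg_in_conf)
    sg.must_only_have()
    result, error = sg.validate()
    self.assertFalse(result)
    # assertIn, not assertTrue(msg, error): a non-empty literal passed as the
    # first argument of assertTrue is always truthy and never checks error.
    self.assertIn(
        'tcp/80 port is not defined within 0.0.0.0/0 network in test_sg.', error)
    self.assertIn(
        'tcp/(443,444,22,23) ports are defined within 0.0.0.0/0 network in test_sg.', error)
    self.assertIn(
        'None of the ports given defined within 0.0.0.0/0 network in test_sg.', error)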
def test_must_not_have_port_tcp_22_23_with_multi_cidr(self):
    """Ports 22-23 on 192.168.1.0/24 are flagged by two wider rule networks.

    Rule 0 is set to 22-23 on 192.168.0.0/16 and 0.0.0.0/0; both networks
    and both ports are expected in the message. No mode setter is called
    before validate().
    """
    self.sg_given['port'] = '22-23'
    self.sg_given['cidr_blocks'] = '192.168.1.0/24'
    rule_zero = self.sg_in_conf[0]
    rule_zero['from_port'] = 22
    rule_zero['to_port'] = 23
    rule_zero['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    group = SecurityGroup(self.sg_given, self.sg_in_conf)
    outcome, message = group.validate()
    expected = (
        'tcp/(22,23) ports are defined within 192.168.0.0/16, 0.0.0.0/0 networks in '
        'test.security_group_rule1.'
    )
    self.assertFalse(outcome)
    self.assertEqual(expected, message)
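def test_must_only_have_port_tcp_80_with_ALL_cidr_success(self):
    """The unmodified fixture satisfies must_only_have."""
    sg = SecurityGroup(self.sg_given, self.sg_in_conf)
    sg.must_only_have()
    # validate() returns a (result, message) pair; the tuple is always
    # truthy, so assert on the unpacked boolean.
    result, message = sg.validate()
    self.assertTrue(result, message)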
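def test_must_not_have_port_tcp_80_with_ALL_cidr_success(self):
    """Restricting rule 0 to 192.168.0.0/16 makes the fixture pass validation.

    No mode setter is called before validate(); the default mode is
    presumably must_not_have — confirm against SecurityGroup.
    """
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16']
    # validate() returns a (result, message) pair; assert on the boolean,
    # not on the always-truthy tuple.
    result, message = SecurityGroup(self.sg_given, self.sg_in_conf).validate()
    self.assertTrue(result, message)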