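def test_load_rules_config_file_invalid_file(test_files_location):
    """An invalid rules config file must be rejected with ``ValidationError``.

    Args:
        test_files_location: Fixture giving the directory holding the test
            fixture files.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)
    # Open the file in a ``with`` so the handle is released after the expected
    # failure instead of leaking until garbage collection (ResourceWarning).
    with open(f"{test_files_location}/config/rules_config_invalid.py") as config_file:
        with pytest.raises(ValidationError):
            config.load_rules_config_file(config_file)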
def test_load_rules_config_file_no_file(test_files_location):
    """A missing rules config path raises ``FileNotFoundError``.

    The error is raised by ``open()`` itself, before
    ``load_rules_config_file`` is ever reached, so this test only exercises
    the path-resolution side of the call.

    Args:
        test_files_location: Fixture giving the directory holding the test
            fixture files.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)
    missing_path = f"{test_files_location}/config/non_existing_file.py"
    with pytest.raises(FileNotFoundError):
        with open(missing_path) as config_file:
            config.load_rules_config_file(config_file)
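def test_load_rules_config_file_success(test_files_location):
    """Loading a valid rules config plus the filters directory populates both.

    Checks that the ``CrossAccountTrustRule`` entry carries no risk/mode
    override and that exactly one filter is registered for it.

    Args:
        test_files_location: Fixture giving the directory holding the test
            fixture files.
    """
    mock_rules = ["RuleThatUsesResourceAllowlist", "SecurityGroupOpenToWorldRule"]
    config = Config(stack_name="test_stack", rules=mock_rules)
    # Close the config file once loaded rather than leaking the handle.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as config_file:
        config.load_rules_config_file(config_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")

    rule_config = config.get_rule_config("CrossAccountTrustRule")
    filters = config.get_rule_filters("CrossAccountTrustRule")
    assert not rule_config.risk_value
    assert not rule_config.rule_mode
    assert len(filters) == 1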
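def init_cfripper(
    rules_config_file: Optional[TextIOWrapper], rules_filters_folder: Optional[str]
) -> Tuple[Config, RuleProcessor]:
    """Build a ``Config`` and a ``RuleProcessor`` wired with every known rule.

    Args:
        rules_config_file: Open handle to a rules config file, or ``None`` to
            skip per-rule configuration. The caller owns the handle and is
            responsible for closing it.
        rules_filters_folder: Directory to load rule filters from, or ``None``
            to skip filter loading.

    Returns:
        The populated config and a processor holding one rule instance per
        entry in ``config.rules``.

    Raises:
        KeyError: if ``config.rules`` names a rule that ``get_all_rules()``
            does not provide.
    """
    rules = get_all_rules()
    config = Config(rules=rules.keys())
    if rules_config_file:
        # NOTE(review): the test fixtures load this from a ``.py`` file, so it
        # is presumably evaluated as Python — only pass files from trusted
        # locations; confirm against ``Config.load_rules_config_file``.
        config.load_rules_config_file(rules_config_file)
    if rules_filters_folder:
        config.add_filters_from_dir(rules_filters_folder)
    # Index instead of ``.get()``: an unknown rule name then raises a KeyError
    # naming the rule rather than an opaque "'NoneType' object is not callable".
    rule_processor = RuleProcessor(*[rules[rule](config) for rule in config.rules])
    return config, rule_processor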
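def init_cfripper(
    rules_config_file: Optional[TextIOWrapper],
    rules_filters_folder: Optional[str],
    aws_account_id: Optional[str],
    aws_principals: Optional[List[str]],
) -> Tuple[Config, RuleProcessor]:
    """Build a ``Config`` and a ``RuleProcessor`` wired with every known rule.

    Args:
        rules_config_file: Open handle to a rules config file, or ``None`` to
            skip per-rule configuration. The caller owns the handle and is
            responsible for closing it.
        rules_filters_folder: Directory to load rule filters from, or ``None``
            to skip filter loading.
        aws_account_id: Account id passed through to ``Config``.
        aws_principals: Principal list passed through to ``Config``.

    Returns:
        The populated config and a processor holding one rule instance per
        entry in ``config.rules``.

    Raises:
        KeyError: if ``config.rules`` names a rule that ``get_all_rules()``
            does not provide.
    """
    rules = get_all_rules()
    config = Config(
        rules=rules.keys(),
        aws_account_id=aws_account_id,
        aws_principals=aws_principals,
    )
    if rules_config_file:
        # NOTE(review): the test fixtures load this from a ``.py`` file, so it
        # is presumably evaluated as Python — only pass files from trusted
        # locations; confirm against ``Config.load_rules_config_file``.
        config.load_rules_config_file(rules_config_file)
    if rules_filters_folder:
        config.add_filters_from_dir(rules_filters_folder)
    # Index instead of ``.get()``: an unknown rule name then raises a KeyError
    # naming the rule rather than an opaque "'NoneType' object is not callable".
    rule_processor = RuleProcessor(*[rules[rule](config) for rule in config.rules])
    return config, rule_processor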
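def test_load_filters_work_with_several_rules(template_two_roles_dict, test_files_location):
    """Filters from the filters directory apply while several rules run.

    With the ``CrossAccountTrustRule`` config and the filters directory
    loaded, the two-roles template must produce exactly the two expected
    failures, one per rule, both at resource granularity and both blocking.

    Args:
        template_two_roles_dict: Fixture with the parsed two-roles template.
        test_files_location: Fixture giving the directory holding the test
            fixture files.
    """
    config = Config(
        rules=["CrossAccountTrustRule", "PartialWildcardPrincipalRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
    )
    # Close the config file once loaded rather than leaking the handle.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as config_file:
        config.load_rules_config_file(config_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")

    # Index instead of ``.get()`` so an unknown rule name fails with a KeyError
    # that names the rule.
    rules = [DEFAULT_RULES[rule](config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason="RootRoleTwo has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/[email protected]",
                risk_value=RuleRisk.MEDIUM,
                rule="CrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason="RootRoleTwo should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789:root'",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
        ],
    )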
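def test_filter_works_as_expected_with_rules_config_file(
    template_two_roles_dict, expected_result_two_roles, test_files_location
):
    """A filter from the filters directory suppresses all but the last failure.

    Runs only ``CrossAccountTrustRule`` with its config file and the filters
    directory loaded; the remaining failures must equal the last entry of the
    ``expected_result_two_roles`` fixture.

    Args:
        template_two_roles_dict: Fixture with the parsed two-roles template.
        expected_result_two_roles: Fixture listing the unfiltered failures.
        test_files_location: Fixture giving the directory holding the test
            fixture files.
    """
    config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
    )
    # Close the config file once loaded rather than leaking the handle.
    with open(f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py") as config_file:
        config.load_rules_config_file(config_file)
    config.add_filters_from_dir(f"{test_files_location}/filters")

    # Index instead of ``.get()`` so an unknown rule name fails with a KeyError
    # that names the rule.
    rules = [DEFAULT_RULES[rule](config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    assert compare_lists_of_failures(result.failures, expected_result_two_roles[-1:])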