def test_no_failures_are_raised(good_template): rule = GenericWildcardPrincipalRule(None) result = rule.invoke(good_template) assert result.valid assert len(result.failed_rules) == 0 assert len(result.failed_monitored_rules) == 0
def test_failures_are_raised(bad_template): rule = GenericWildcardPrincipalRule(None) result = rule.invoke(bad_template) assert not result.valid assert compare_lists_of_failures( result.failures, [ Failure( granularity=RuleGranularity.RESOURCE, reason= "PolicyA should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at 'somewhatrestricted:*'", risk_value=RuleRisk.MEDIUM, rule="GenericWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"PolicyA"}, resource_types={"AWS::IAM::Policy"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "PolicyA should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at 'arn:aws:iam::*:12345'", risk_value=RuleRisk.MEDIUM, rule="GenericWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"PolicyA"}, resource_types={"AWS::IAM::Policy"}, ), ], )
def test_failures_are_raised(bad_template): rule = GenericWildcardPrincipalRule(None) result = rule.invoke(bad_template) assert not result.valid assert compare_lists_of_failures( result.failures, [ Failure( granularity=RuleGranularity.RESOURCE, reason= "PolicyA should not allow wildcard in principals or account-wide principals (principal: 'somewhatrestricted:*')", risk_value=RuleRisk.MEDIUM, rule="GenericWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"PolicyA"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:*')", risk_value=RuleRisk.MEDIUM, rule="GenericWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"PolicyA"}, ), ], )
def test_generic_wildcard_ignores_kms(): rule = GenericWildcardPrincipalRule( Config(aws_account_id="123456789", aws_principals=["999999999"])) model = get_cfmodel_from( "rules/CrossAccountTrustRule/kms_basic.yml").resolve( extra_params={"Principal": "arn:aws:iam::*:*"}) result = rule.invoke(model) assert result.valid
def test_generic_wildcard_ignores_kms_keys_since_they_have_another_rule_for_them( ): rule = GenericWildcardPrincipalRule( Config(aws_account_id="123456789", aws_principals=["999999999"])) model = get_cfmodel_from( "rules/CrossAccountTrustRule/kms_basic.yml").resolve( extra_params={"Principal": "arn:aws:iam::*:*"}) result = rule.invoke(model) assert result.valid assert compare_lists_of_failures(result.failures, [])
def test_wildcard_principal_rule_is_whitelisted_retrieved_correctly( mock_rule_to_resource_whitelist): mock_rules = [ "RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule" ] config = Config( stack_name="test_stack", rules=mock_rules, stack_whitelist={}, rule_to_resource_whitelist=mock_rule_to_resource_whitelist, ) wildcard_principal_rule = GenericWildcardPrincipalRule(config=config) assert wildcard_principal_rule.resource_is_whitelisted( logical_id="resource_1") is True
def test_failures_are_raised(bad_template): rule = GenericWildcardPrincipalRule(None) result = rule.invoke(bad_template) assert not result.valid assert len(result.failed_rules) == 3 assert len(result.failed_monitored_rules) == 0 assert result.failed_rules[0].rule == "GenericWildcardPrincipalRule" assert ( result.failed_rules[0].reason == "PolicyA should not allow wildcard in principals or account-wide principals " "(principal: 'somewhatrestricted:*')") assert result.failed_rules[1].rule == "GenericWildcardPrincipalRule" assert result.failed_rules[ 1].reason == "PolicyA contains an unknown principal: 123445" assert result.failed_rules[2].rule == "GenericWildcardPrincipalRule" assert ( result.failed_rules[2].reason == "PolicyA should not allow wildcard in principals or account-wide principals " "(principal: 'arn:aws:iam::123445:*')")
def test_no_failures_are_raised(good_template): rule = GenericWildcardPrincipalRule(None) result = rule.invoke(good_template) assert result.valid assert compare_lists_of_failures(result.failures, [])