示例#1
0
def test_all_rules_valid():
    for r in DEFAULT_RULES.values():
        if r.RULE_MODE not in ["BLOCKING", "MONITOR", "DEBUG"]:
            assert False
    assert True
示例#2
0
def test_debug_filter(template_cross_account_role_with_name, caplog):
    logging.disable(logging.NOTSET)
    caplog.set_level(logging.DEBUG)
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_filters=[
            Filter(
                reason="Test reason",
                rule_mode=RuleMode.ALLOWED,
                eval={
                    "and": [
                        {
                            "and": [
                                {
                                    "exists": {
                                        "ref": "resource.Properties.RoleName"
                                    }
                                },
                                {
                                    "regex": [
                                        "^prefix-.*$", {
                                            "ref":
                                            "resource.Properties.RoleName"
                                        }
                                    ]
                                },
                            ]
                        },
                        {
                            "eq": [{
                                "ref": "principal"
                            }, "arn:aws:iam::999999999:role/[email protected]"]
                        },
                    ]
                },
                rules={"CrossAccountTrustRule"},
                debug=True,
            ),
        ],
    )

    rules = [
        DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules
    ]
    processor = RuleProcessor(*rules)
    processor.process_cf_template(template_cross_account_role_with_name,
                                  mock_config)

    for line in [
            "Filter: Test reason",
            "ref(resource.Properties.RoleName) -> prefix-test-root-role",
            "exists(prefix-test-root-role) -> True",
            "ref(resource.Properties.RoleName) -> prefix-test-root-role",
            "regex(^prefix-.*$, prefix-test-root-role) -> True",
            "ref(principal) -> arn:aws:iam::999999999:role/[email protected]",
            "eq(arn:aws:iam::999999999:role/[email protected], arn:aws:iam::999999999:role/[email protected]) -> True",
            "Filter result: True",
    ]:
        assert line in caplog.text
示例#3
0
def test_load_filters_work_with_several_rules(template_two_roles_dict,
                                              test_files_location):
    config = Config(
        rules=["CrossAccountTrustRule", "PartialWildcardPrincipalRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
    )
    config.load_rules_config_file(
        open(
            f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py"
        ))
    config.add_filters_from_dir(f"{test_files_location}/filters")
    rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)

    assert not result.valid
    assert compare_lists_of_failures(
        result.failures,
        [
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/[email protected]",
                risk_value=RuleRisk.MEDIUM,
                rule="CrossAccountTrustRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:root')",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::999999999:role/[email protected]')",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
            Failure(
                granularity=RuleGranularity.RESOURCE,
                reason=
                "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')",
                risk_value=RuleRisk.MEDIUM,
                rule="PartialWildcardPrincipalRule",
                rule_mode=RuleMode.BLOCKING,
                actions=None,
                resource_ids={"RootRoleTwo"},
                resource_types={"AWS::IAM::Role"},
            ),
        ],
    )
示例#4
0
def init_cfripper() -> Tuple[Config, RuleProcessor]:
    config = Config(rules=DEFAULT_RULES.keys())
    rule_processor = RuleProcessor(
        *[DEFAULT_RULES.get(rule)(config) for rule in config.rules])
    return config, rule_processor