def test_all_rules_valid(): for r in DEFAULT_RULES.values(): if r.RULE_MODE not in ["BLOCKING", "MONITOR", "DEBUG"]: assert False assert True
def test_debug_filter(template_cross_account_role_with_name, caplog): logging.disable(logging.NOTSET) caplog.set_level(logging.DEBUG) mock_config = Config( rules=["CrossAccountTrustRule"], aws_account_id="123456789", stack_name="mockstack", rules_filters=[ Filter( reason="Test reason", rule_mode=RuleMode.ALLOWED, eval={ "and": [ { "and": [ { "exists": { "ref": "resource.Properties.RoleName" } }, { "regex": [ "^prefix-.*$", { "ref": "resource.Properties.RoleName" } ] }, ] }, { "eq": [{ "ref": "principal" }, "arn:aws:iam::999999999:role/[email protected]"] }, ] }, rules={"CrossAccountTrustRule"}, debug=True, ), ], ) rules = [ DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules ] processor = RuleProcessor(*rules) processor.process_cf_template(template_cross_account_role_with_name, mock_config) for line in [ "Filter: Test reason", "ref(resource.Properties.RoleName) -> prefix-test-root-role", "exists(prefix-test-root-role) -> True", "ref(resource.Properties.RoleName) -> prefix-test-root-role", "regex(^prefix-.*$, prefix-test-root-role) -> True", "ref(principal) -> arn:aws:iam::999999999:role/[email protected]", "eq(arn:aws:iam::999999999:role/[email protected], arn:aws:iam::999999999:role/[email protected]) -> True", "Filter result: True", ]: assert line in caplog.text
def test_load_filters_work_with_several_rules(template_two_roles_dict, test_files_location): config = Config( rules=["CrossAccountTrustRule", "PartialWildcardPrincipalRule"], aws_account_id="123456789", stack_name="mockstack", ) config.load_rules_config_file( open( f"{test_files_location}/config/rules_config_CrossAccountTrustRule.py" )) config.add_filters_from_dir(f"{test_files_location}/filters") rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules] processor = RuleProcessor(*rules) result = processor.process_cf_template(template_two_roles_dict, config) assert not result.valid assert compare_lists_of_failures( result.failures, [ Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/[email protected]", risk_value=RuleRisk.MEDIUM, rule="CrossAccountTrustRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')", risk_value=RuleRisk.MEDIUM, rule="PartialWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')", risk_value=RuleRisk.MEDIUM, rule="PartialWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:root')", risk_value=RuleRisk.MEDIUM, rule="PartialWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::999999999:role/[email protected]')", risk_value=RuleRisk.MEDIUM, rule="PartialWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), Failure( granularity=RuleGranularity.RESOURCE, reason= "RootRoleTwo should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789:user/[email protected]')", risk_value=RuleRisk.MEDIUM, rule="PartialWildcardPrincipalRule", rule_mode=RuleMode.BLOCKING, actions=None, resource_ids={"RootRoleTwo"}, resource_types={"AWS::IAM::Role"}, ), ], )
def init_cfripper() -> Tuple[Config, RuleProcessor]: config = Config(rules=DEFAULT_RULES.keys()) rule_processor = RuleProcessor( *[DEFAULT_RULES.get(rule)(config) for rule in config.rules]) return config, rule_processor