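def it_condition_have_proto_protocol_and_port_port_for_cidr(_step_obj, condition, proto, port, cidr):
    """Step: check every stashed ``aws_security_group`` for a proto/port/cidr rule.

    Args:
        _step_obj: the step object; ``_step_obj.context.stash`` holds the
            resources selected by earlier steps, each a dict with at least
            ``type``, ``values`` and ``address`` keys.
        condition: one of ``'must'``, ``'must not'`` or ``'must only'``.
        proto: protocol name, e.g. ``'tcp'``.
        port: port (or port range) expression handled by ``SecurityGroup``.
        cidr: CIDR block(s) the rule is evaluated against.

    Returns:
        ``True`` once every stashed resource has been checked. A failed check
        is reported through ``Error(_step_obj, message)``, not the return value.

    Raises:
        TerraformComplianceInternalFailure: if a stashed resource is not an
            ``aws_security_group``, or ``condition`` is not one of the three
            supported values.
    """
    searching_for = dict(port=port, protocol=proto, cidr_blocks=cidr)
    # Maps the step wording to the SecurityGroup method that arms that check.
    condition_methods = {
        'must only': 'must_only_have',
        'must': 'must_have',
        'must not': 'must_not_have',
    }
    for sg in _step_obj.context.stash:
        if sg['type'] != 'aws_security_group':
            raise TerraformComplianceInternalFailure(
                'This method can only be used for aws_security_group resources '
                'for now. You tried to used it on {}'.format(sg['type']))
        method_name = condition_methods.get(condition)
        if method_name is None:
            # Fixed message: the original concatenated the literals without
            # separating spaces ('..."must only have"conditions ... now.You tried...').
            raise TerraformComplianceInternalFailure(
                'You can only use "must have", "must not have" and "must only have" '
                'conditions on this step for now. '
                'You tried to use "{}"'.format(condition))
        sg_obj = SecurityGroup(searching_for, sg['values'], address=sg['address'])
        getattr(sg_obj, method_name)()
        result, message = sg_obj.validate()
        # validate() is expected to return (bool, message); only an explicit
        # False is treated as a finding, matching the original check.
        if result is False:
            Error(_step_obj, message)
    return True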
def test_must_only_have_port_tcp_80_81_with_ALL_cidr_success(self):
    """Widening the expected port to '80-81' must fail: tcp/81 is not open to 0.0.0.0/0.

    Relies on ``self.sg_given`` / ``self.sg_in_conf`` prepared by the fixture;
    ``self.sg_given`` is modified in place, as in the original test.
    Despite the ``_success`` suffix, the expected outcome is a failed check.
    """
    self.sg_given['port'] = '80-81'
    checker = SecurityGroup(self.sg_given, self.sg_in_conf)
    checker.must_only_have()
    passed, message = checker.validate()
    self.assertFalse(passed)
    expected_message = 'tcp/81 port is not defined within 0.0.0.0/0 network in test_sg.'
    self.assertEqual(expected_message, message)
def test_must_only_have_port_some_ports_are_over_configured(self):
    """'must only have' fails when the group opens more ports (79, 81) than requested to 0.0.0.0/0.

    Mutates the first two rules of ``self.sg_in_conf`` in place, as the
    original test does.
    """
    wide_rule, exact_rule = self.sg_in_conf[0], self.sg_in_conf[1]
    wide_rule['from_port'] = 79
    wide_rule['to_port'] = 81
    wide_rule['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    exact_rule['from_port'] = 80
    exact_rule['to_port'] = 80
    exact_rule['cidr_blocks'] = ['0.0.0.0/0']

    checker = SecurityGroup(self.sg_given, self.sg_in_conf)
    checker.must_only_have()
    passed, message = checker.validate()

    self.assertFalse(passed)
    expected_message = 'tcp/(81,79) ports are defined within 0.0.0.0/0 network in test_sg.'
    self.assertEqual(expected_message, message)
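def test_must_only_have_port_not_match_multiple_errors_given(self):
    """'must only have' reports every mismatch when none of the configured ports match.

    Fix: the original called ``self.assertTrue(<message>, error)``, which passes
    unconditionally because a non-empty string is truthy and ``error`` is only
    used as the failure message. The messages are now checked with
    ``assertIn`` against the returned error.

    Mutates the first two rules of ``self.sg_in_conf`` in place.
    """
    self.sg_in_conf[0]['from_port'] = 22
    self.sg_in_conf[0]['to_port'] = 23
    self.sg_in_conf[0]['cidr_blocks'] = ['192.168.0.0/16', '0.0.0.0/0']
    self.sg_in_conf[1]['from_port'] = 443
    self.sg_in_conf[1]['to_port'] = 444
    self.sg_in_conf[1]['cidr_blocks'] = ['0.0.0.0/0']

    sg = SecurityGroup(self.sg_given, self.sg_in_conf)
    sg.must_only_have()
    result, error = sg.validate()
    self.assertFalse(result)

    # assertIn works whether validate() joins the findings into one string
    # (substring match) or returns them as a list (membership match).
    # NOTE(review): the exact wording/port ordering below is taken from the
    # original assertions; confirm against SecurityGroup.validate's output.
    expected_messages = [
        'tcp/80 port is not defined within 0.0.0.0/0 network in test_sg.',
        'tcp/(443,444,22,23) ports are defined within 0.0.0.0/0 network in test_sg.',
        'None of the ports given defined within 0.0.0.0/0 network in test_sg.',
    ]
    for expected in expected_messages:
        self.assertIn(expected, error)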
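def test_must_only_have_port_tcp_80_with_ALL_cidr_success(self):
    """'must only have' passes when the configured rules match tcp/80 to 0.0.0.0/0 exactly.

    Fix: ``validate()`` returns a ``(result, message)`` pair (see the sibling
    tests), so ``self.assertTrue(sg.validate())`` was always true because a
    non-empty tuple is truthy. The result flag is now unpacked and asserted
    on its own; the message is included in the failure output for diagnosis.
    """
    sg = SecurityGroup(self.sg_given, self.sg_in_conf)
    sg.must_only_have()
    result, error = sg.validate()
    self.assertTrue(result, error)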