Add S3BucketPublicReadAclRule rule (#185)
* Add S3BucketPublicReadAclRule rule * PR suggestions Co-authored-by: Carles Lopez <carles.lopez@skyscanner.net>
1 parent
3a98d56
commit 46c8975
Showing
6 changed files
with
101 additions
and
3 deletions.
@@ -1,3 +1,3 @@ | ||
VERSION = (1, 0, 5) | ||
VERSION = (1, 0, 6) | ||
|
||
__version__ = ".".join(map(str, VERSION)) |
@@ -0,0 +1,41 @@ | ||
from pytest import fixture | ||
|
||
from cfripper.config.config import Config | ||
from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk | ||
from cfripper.model.result import Failure | ||
from cfripper.rules import S3BucketPublicReadAclRule | ||
from tests.utils import compare_lists_of_failures, get_cfmodel_from | ||
|
||
|
||
@fixture() | ||
def bad_template(): | ||
return get_cfmodel_from("rules/S3BucketPublicReadAclRule/bad_template.json").resolve() | ||
|
||
|
||
def test_failures_are_raised(bad_template): | ||
rule = S3BucketPublicReadAclRule(Config()) | ||
result = rule.invoke(bad_template) | ||
|
||
assert not result.valid | ||
assert compare_lists_of_failures( | ||
result.failures, | ||
[ | ||
Failure( | ||
granularity=RuleGranularity.RESOURCE, | ||
reason="S3 Bucket S3Bucket should not have a public-read acl", | ||
risk_value=RuleRisk.HIGH, | ||
rule="S3BucketPublicReadAclRule", | ||
rule_mode=RuleMode.BLOCKING, | ||
actions=None, | ||
resource_ids={"S3Bucket"}, | ||
) | ||
], | ||
) | ||
|
||
|
||
def test_rule_supports_filter_config(bad_template, default_allow_all_config): | ||
rule = S3BucketPublicReadAclRule(default_allow_all_config) | ||
result = rule.invoke(bad_template) | ||
|
||
assert result.valid | ||
assert compare_lists_of_failures(result.failures, []) |
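Review bot: The new test module only exercises the failing path — there is no fixture for a compliant bucket asserting `result.valid`, so a rule that flagged every `AWS::S3::Bucket` regardless of `AccessControl` would still pass both tests. A `good_template` fixture mirroring `bad_template` (with the template omitting `AccessControl` or setting it to a non-public value) plus a `test_no_failures_are_raised` that asserts `result.valid` and `compare_lists_of_failures(result.failures, [])` would pin the negative case. `default_allow_all_config` is not defined in this file and is presumably a shared conftest fixture; worth confirming it whitelists this rule by name. The rule implementation is in another file of this commit and is not visible here.
```python
# … unchanged: imports and bad_template fixture …


@fixture()
def good_template():
    # compliant template to add next to bad_template.json (file name is a placeholder)
    return get_cfmodel_from("rules/S3BucketPublicReadAclRule/good_template.json").resolve()


def test_no_failures_are_raised(good_template):
    rule = S3BucketPublicReadAclRule(Config())
    result = rule.invoke(good_template)

    assert result.valid
    assert compare_lists_of_failures(result.failures, [])


# … unchanged: test_failures_are_raised, test_rule_supports_filter_config …
```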
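--- a/tests/test_templates/rules/S3BucketPublicReadAclRule/bad_template.json
+++ b/tests/test_templates/rules/S3BucketPublicReadAclRule/bad_template.json
@@ -0,0 +1,11 @@
+{
+  "Resources": {
+    "S3Bucket": {
+      "Type": "AWS::S3::Bucket",
+      "Properties": {
+        "BucketName": "fakebucketfakebucket",
+        "AccessControl": "PublicRead"
+      }
+    }
+  }
+}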