New wildcard principal rules to understand generic resources (#212)
* created new wildcard principal rules to understand generic resources * PR suggestions - update version Co-authored-by: Ramon <ramon.guimera@skyscanner.net>
Showing
7 changed files
with
369 additions
and
11 deletions.
@@ -1,3 +1,3 @@ | ||
VERSION = (1, 5, 3) | ||
VERSION = (1, 6, 0) | ||
|
||
__version__ = ".".join(map(str, VERSION)) |
@@ -0,0 +1,53 @@ | ||
import pytest | ||
|
||
from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk | ||
from cfripper.model.result import Failure | ||
from cfripper.rules import GenericResourceFullWildcardPrincipalRule | ||
from tests.utils import compare_lists_of_failures, get_cfmodel_from | ||
|
||
|
||
@pytest.fixture() | ||
def good_template(): | ||
return get_cfmodel_from("rules/FullWilcardPrincipalRule/good_template.json").resolve() | ||
|
||
|
||
@pytest.fixture() | ||
def bad_template(): | ||
return get_cfmodel_from("rules/FullWilcardPrincipalRule/bad_template.json").resolve() | ||
|
||
|
||
def test_no_failures_are_raised(good_template): | ||
rule = GenericResourceFullWildcardPrincipalRule(None) | ||
result = rule.invoke(good_template) | ||
|
||
assert result.valid | ||
assert compare_lists_of_failures(result.failures, []) | ||
|
||
|
||
def test_failures_are_raised(bad_template): | ||
rule = GenericResourceFullWildcardPrincipalRule(None) | ||
result = rule.invoke(bad_template) | ||
|
||
assert not result.valid | ||
assert compare_lists_of_failures( | ||
result.failures, | ||
[ | ||
Failure( | ||
rule_mode=RuleMode.BLOCKING, | ||
rule="GenericResourceFullWildcardPrincipalRule", | ||
reason="PolicyA should not allow wildcards in principals (principal: '*')", | ||
granularity=RuleGranularity.RESOURCE, | ||
risk_value=RuleRisk.HIGH, | ||
actions=None, | ||
resource_ids={"PolicyA"}, | ||
) | ||
], | ||
) | ||
|
||
|
||
def test_rule_supports_filter_config(bad_template, default_allow_all_config): | ||
rule = GenericResourceFullWildcardPrincipalRule(default_allow_all_config) | ||
result = rule.invoke(bad_template) | ||
|
||
assert result.valid | ||
assert compare_lists_of_failures(result.failures, []) |
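--- a/tests/rules/test_GenericResourcePartialWildcardPrincipal.py
+++ b/tests/rules/test_GenericResourcePartialWildcardPrincipal.py
@@ -0,0 +1,113 @@
+from pytest import fixture
+
+from cfripper.config.config import Config
+from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk
+from cfripper.model.result import Failure
+from cfripper.rules import GenericResourcePartialWildcardPrincipalRule
+from tests.utils import compare_lists_of_failures, get_cfmodel_from
+
+
+@fixture()
+def good_template():
+    return get_cfmodel_from("rules/PartialWildcardPrincipalRule/good_template.json").resolve()
+
+
+@fixture()
+def bad_template():
+    return get_cfmodel_from("rules/PartialWildcardPrincipalRule/bad_template.json").resolve()
+
+
+@fixture()
+def intra_account_root_access():
+    return get_cfmodel_from("rules/PartialWildcardPrincipalRule/intra_account_root_access.yml").resolve()
+
+
+@fixture()
+def aws_elb_allow_template():
+    return get_cfmodel_from("rules/PartialWildcardPrincipalRule/aws_elb_template.yml").resolve(
+        extra_params={"AWS::Region": "ap-southeast-1"}
+    )
+
+
+def test_no_failures_are_raised(good_template):
+    rule = GenericResourcePartialWildcardPrincipalRule(None)
+    result = rule.invoke(good_template)
+
+    assert result.valid
+    assert compare_lists_of_failures(result.failures, [])
+
+
+def test_failures_are_raised(bad_template):
+    rule = GenericResourcePartialWildcardPrincipalRule(None)
+    result = rule.invoke(bad_template)
+
+    assert not result.valid
+    assert compare_lists_of_failures(
+        result.failures,
+        [
+            Failure(
+                granularity=RuleGranularity.RESOURCE,
+                reason="PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:12345*')",
+                risk_value=RuleRisk.MEDIUM,
+                rule="GenericResourcePartialWildcardPrincipalRule",
+                rule_mode=RuleMode.BLOCKING,
+                actions=None,
+                resource_ids={"PolicyA"},
+            ),
+            Failure(
+                granularity=RuleGranularity.RESOURCE,
+                reason="PolicyA should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123445:root')",
+                risk_value=RuleRisk.MEDIUM,
+                rule="GenericResourcePartialWildcardPrincipalRule",
+                rule_mode=RuleMode.BLOCKING,
+                actions=None,
+                resource_ids={"PolicyA"},
+            ),
+        ],
+    )
+
+
+def test_failures_for_correct_account_ids(intra_account_root_access):
+    rule = GenericResourcePartialWildcardPrincipalRule(Config(aws_account_id="123456789012"))
+    result = rule.invoke(intra_account_root_access)
+
+    assert not result.valid
+    assert compare_lists_of_failures(
+        result.failures,
+        [
+            Failure(
+                granularity=RuleGranularity.RESOURCE,
+                reason="AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')",
+                risk_value=RuleRisk.MEDIUM,
+                rule="GenericResourcePartialWildcardPrincipalRule",
+                rule_mode=RuleMode.BLOCKING,
+                actions=None,
+                resource_ids={"AccLoadBalancerAccessLogBucketPolicy"},
+            ),
+            Failure(
+                granularity=RuleGranularity.RESOURCE,
+                reason="AccLoadBalancerAccessLogBucketPolicy should not allow wildcard in principals or account-wide principals (principal: '987654321012')",
+                risk_value=RuleRisk.MEDIUM,
+                rule="GenericResourcePartialWildcardPrincipalRule",
+                rule_mode=RuleMode.BLOCKING,
+                actions=None,
+                resource_ids={"AccLoadBalancerAccessLogBucketPolicy"},
+            ),
+        ],
+    )
+
+
+def test_aws_elb_allow_template(aws_elb_allow_template):
+    rule = GenericResourcePartialWildcardPrincipalRule(None)
+    result = rule.invoke(aws_elb_allow_template)
+
+    assert result.valid
+    assert compare_lists_of_failures(result.failures, [])
+
+
+def test_rule_supports_filter_config(bad_template, default_allow_all_config):
+    rule = GenericResourcePartialWildcardPrincipalRule(default_allow_all_config)
+    result = rule.invoke(bad_template)
+
+    assert result.valid
+    assert compare_lists_of_failures(result.failures, [])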
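Review bot: None of the new test functions in this file has a docstring, and `test_failures_for_correct_account_ids` is where one is needed most: it runs the rule with `Config(aws_account_id="123456789012")` against `intra_account_root_access.yml` and expects failures for both the deploying account's own `arn:aws:iam::123456789012:root` principal and the bare foreign account id `987654321012`, which the name "correct account ids" does not convey. I would add `"""Account-wide principals are reported both for the template's own account (:root) and for bare foreign account ids, even when aws_account_id is configured."""` and, on `test_aws_elb_allow_template`, a one-line docstring stating why `AWS::Region` is pinned to `ap-southeast-1` (presumably the permitted ELB log-delivery principal in `aws_elb_template.yml` is region-specific; confirm against the fixture). The same docstring gap applies to the `GenericResourceFullWildcardPrincipalRule` tests in the file above. Separately, this file imports `fixture` directly while the sibling file uses `@pytest.fixture()`; picking one form keeps the two new test modules consistent.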