Refactor rules name and fix whitelist (#108)

* fix_rules_name: refactor name rules

* fix_rules_name: generate DEFAULT_RULES using code

* fix_rules_name: update version

* fix_rules_name: fix tests and format

* fix_rules_name: use tupple

* fix_rules_name: use tupple

* fix_rules_name: update changelog

* fix_rules_name: fix typo

* fix_rules_name: update_changelog:

CHANGELOG.md

@@ -1,6 +1,15 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [0.15.0] - 2020-03-24
+### Improvements
+- Generate DEFAULT_RULES and BASE_CLASSES using code instead of hardcoding
+### Fixed
+- Whitelist did not work if it didn't have the `Rule` prefix
+### Breaking changes
+- Sufix `KMSKeyWildcardPrincipal` and `SecurityGroupIngressOpenToWorld` with `Rule`
+- Sufix whitelist constant `FullWildcardPrincipal` and `PartialWildcardPrincipal` with `Rule`
+
 ## [0.14.2] - 2020-03-04
 ### Improvements
 - Update dependencies

cfripper/__version__.py

@@ -1,3 +1,3 @@
-VERSION = (0, 14, 2)
+VERSION = (0, 15, 0)
 
 __version__ = ".".join(map(str, VERSION))

cfripper/rules/__init__.py

@@ -23,14 +23,14 @@
 from cfripper.rules.ebs_volume_has_sse import EBSVolumeHasSSERule
 from cfripper.rules.hardcoded_RDS_password import HardcodedRDSPasswordRule
 from cfripper.rules.iam_roles import IAMRolesOverprivilegedRule, IAMRoleWildcardActionOnPolicyRule
-from cfripper.rules.kms_key_wildcard_principal import KMSKeyWildcardPrincipal
+from cfripper.rules.kms_key_wildcard_principal import KMSKeyWildcardPrincipalRule
 from cfripper.rules.managed_policy_on_user import ManagedPolicyOnUserRule
 from cfripper.rules.policy_on_user import PolicyOnUserRule
 from cfripper.rules.privilege_escalation import PrivilegeEscalationRule
 from cfripper.rules.s3_bucket_policy import S3BucketPolicyPrincipalRule
 from cfripper.rules.s3_public_access import S3BucketPublicReadAclAndListStatementRule, S3BucketPublicReadWriteAclRule
 from cfripper.rules.security_group import (
-    SecurityGroupIngressOpenToWorld,
+    SecurityGroupIngressOpenToWorldRule,
     SecurityGroupMissingEgressRule,
     SecurityGroupOpenToWorldRule,
 )
@@ -44,32 +44,35 @@
 from cfripper.rules.wildcard_principals import FullWildcardPrincipalRule, PartialWildcardPrincipalRule
 
 DEFAULT_RULES = {
-    "CloudFormationAuthenticationRule": CloudFormationAuthenticationRule,
-    "CrossAccountTrustRule": CrossAccountTrustRule,
-    "EBSVolumeHasSSERule": EBSVolumeHasSSERule,
-    "FullWildcardPrincipal": FullWildcardPrincipalRule,
-    "HardcodedRDSPasswordRule": HardcodedRDSPasswordRule,
-    "IAMRolesOverprivilegedRule": IAMRolesOverprivilegedRule,
-    "IAMRoleWildcardActionOnPolicyRule": IAMRoleWildcardActionOnPolicyRule,
-    "KMSKeyCrossAccountTrustRule": KMSKeyCrossAccountTrustRule,
-    "KMSKeyWildcardPrincipal": KMSKeyWildcardPrincipal,
-    "ManagedPolicyOnUserRule": ManagedPolicyOnUserRule,
-    "PartialWildcardPrincipal": PartialWildcardPrincipalRule,
-    "PolicyOnUserRule": PolicyOnUserRule,
-    "PrivilegeEscalationRule": PrivilegeEscalationRule,
-    "S3BucketPolicyPrincipalRule": S3BucketPolicyPrincipalRule,
-    "S3BucketPolicyWildcardActionRule": S3BucketPolicyWildcardActionRule,
-    "S3BucketPublicReadAclAndListStatementRule": S3BucketPublicReadAclAndListStatementRule,
-    "S3BucketPublicReadWriteAclRule": S3BucketPublicReadWriteAclRule,
-    "S3CrossAccountTrustRule": S3CrossAccountTrustRule,
-    "SecurityGroupIngressOpenToWorld": SecurityGroupIngressOpenToWorld,
-    "SecurityGroupMissingEgressRule": SecurityGroupMissingEgressRule,
-    "SecurityGroupOpenToWorldRule": SecurityGroupOpenToWorldRule,
-    "SNSTopicPolicyNotPrincipalRule": SNSTopicPolicyNotPrincipalRule,
-    "SNSTopicPolicyWildcardActionRule": SNSTopicPolicyWildcardActionRule,
-    "SQSQueuePolicyNotPrincipalRule": SQSQueuePolicyNotPrincipalRule,
-    "SQSQueuePolicyPublicRule": SQSQueuePolicyPublicRule,
-    "SQSQueuePolicyWildcardActionRule": SQSQueuePolicyWildcardActionRule,
+    rule.__name__: rule
+    for rule in (
+        CloudFormationAuthenticationRule,
+        CrossAccountTrustRule,
+        EBSVolumeHasSSERule,
+        FullWildcardPrincipalRule,
+        HardcodedRDSPasswordRule,
+        IAMRolesOverprivilegedRule,
+        IAMRoleWildcardActionOnPolicyRule,
+        KMSKeyCrossAccountTrustRule,
+        KMSKeyWildcardPrincipalRule,
+        ManagedPolicyOnUserRule,
+        PartialWildcardPrincipalRule,
+        PolicyOnUserRule,
+        PrivilegeEscalationRule,
+        S3BucketPolicyPrincipalRule,
+        S3BucketPolicyWildcardActionRule,
+        S3BucketPublicReadAclAndListStatementRule,
+        S3BucketPublicReadWriteAclRule,
+        S3CrossAccountTrustRule,
+        SecurityGroupIngressOpenToWorldRule,
+        SecurityGroupMissingEgressRule,
+        SecurityGroupOpenToWorldRule,
+        SNSTopicPolicyNotPrincipalRule,
+        SNSTopicPolicyWildcardActionRule,
+        SQSQueuePolicyNotPrincipalRule,
+        SQSQueuePolicyPublicRule,
+        SQSQueuePolicyWildcardActionRule,
+    )
 }
 
-BASE_CLASSES = {"CrossAccountCheckingRule": CrossAccountCheckingRule, "PrincipalCheckingRule": PrincipalCheckingRule}
+BASE_CLASSES = {rule.__name__: rule for rule in (CrossAccountCheckingRule, PrincipalCheckingRule)}

cfripper/rules/kms_key_wildcard_principal.py

@@ -12,7 +12,7 @@
 CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
-__all__ = ["KMSKeyWildcardPrincipal"]
+__all__ = ["KMSKeyWildcardPrincipalRule"]
 import logging
 import re
 from typing import Dict, Optional
@@ -27,7 +27,7 @@
 logger = logging.getLogger(__file__)
 
 
-class KMSKeyWildcardPrincipal(Rule):
+class KMSKeyWildcardPrincipalRule(Rule):
     """
     Check for wildcards in principals in KMS Policies.
     """

cfripper/rules/security_group.py

@@ -12,7 +12,7 @@
 CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
-__all__ = ["SecurityGroupOpenToWorldRule", "SecurityGroupIngressOpenToWorld", "SecurityGroupMissingEgressRule"]
+__all__ = ["SecurityGroupOpenToWorldRule", "SecurityGroupIngressOpenToWorldRule", "SecurityGroupMissingEgressRule"]
 
 from typing import Dict, Optional
 
@@ -86,7 +86,7 @@ def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result:
         return result
 
 
-class SecurityGroupIngressOpenToWorld(SecurityGroupOpenToWorldRule):
+class SecurityGroupIngressOpenToWorldRule(SecurityGroupOpenToWorldRule):
     """
     Checks if a security group has a CIDR open to world on ingress.
 

tests/rules/test_SecurityGroupIngressOpenToWorld.py

@@ -15,7 +15,7 @@
 from pytest import fixture
 
 from cfripper.config.config import Config
-from cfripper.rules import SecurityGroupIngressOpenToWorld
+from cfripper.rules import SecurityGroupIngressOpenToWorldRule
 from tests.utils import get_cfmodel_from
 
 
@@ -25,13 +25,13 @@ def bad_template():
 
 
 def test_failures_are_raised(bad_template):
-    rule = SecurityGroupIngressOpenToWorld(Config())
+    rule = SecurityGroupIngressOpenToWorldRule(Config())
     result = rule.invoke(bad_template)
 
     assert not result.valid
     assert len(result.failed_rules) == 2
     assert len(result.failed_monitored_rules) == 0
-    assert result.failed_rules[0].rule == "SecurityGroupIngressOpenToWorld"
+    assert result.failed_rules[0].rule == "SecurityGroupIngressOpenToWorldRule"
     assert result.failed_rules[0].reason == "Port 46 open to the world in security group 'securityGroupIngress1'"
-    assert result.failed_rules[1].rule == "SecurityGroupIngressOpenToWorld"
+    assert result.failed_rules[1].rule == "SecurityGroupIngressOpenToWorldRule"
     assert result.failed_rules[1].reason == "Port 46 open to the world in security group 'securityGroupIngress2'"