Implemented custom reader, increasing test coverage for validate command. #334

Merged
merged 14 commits into from
Feb 23, 2023
26 changes: 25 additions & 1 deletion ATTRIBUTION
Expand Up @@ -1660,4 +1660,28 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
THE SOFTWARE.

Permission is hereby granted, free of charge, to any
person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the
Software without restriction, including without
limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software
is furnished to do so, subject to the following
conditions:

The above copyright notice and this permission notice
shall be included in all copies or substantial portions
of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
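Review bot: The license text added below the blank line that follows the second "THE SOFTWARE." names neither the component it covers nor its copyright holder, so the notice cannot be attributed to anything; the MIT text itself requires that the copyright notice travel with it ("The above copyright notice and this permission notice shall be included"), and the context lines show the file is a sequence of such notices, which makes an unlabeled one easy to mistake for a stray duplicate of the entry above it. Add the dependency name and its "Copyright (c) ..." line directly above "Permission is hereby granted, free of charge, to any". The "THE SOFTWARE." pair at the top of the hunk is just the old last line being re-emitted with a trailing newline and is fine as-is.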
@@ -0,0 +1,132 @@
[
{
"eval_type": "Rule",
"context": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
"msg": "DEFAULT MESSAGE(FAIL)",
"from": null,
"to": null,
"status": "FAIL",
"comparator": null,
"children": [
{
"eval_type": "Condition",
"context": "S3_BUCKET_PUBLIC_READ_PROHIBITED",
"msg": "DEFAULT MESSAGE(PASS)",
"from": null,
"to": null,
"status": "PASS",
"comparator": null,
"children": [
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited not EMPTY ",
"msg": "DEFAULT MESSAGE(PASS)",
"from": {
"path": "/Resources/MyBucket",
"value": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}
}
},
"to": null,
"status": "PASS",
"comparator": [
"Empty",
true
],
"children": []
}
]
},
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration EXISTS ",
"msg": "(DEFAULT: NO_MESSAGE)",
"from": {
"path": "",
"value": {
"Resources": {
"MyBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}
}
}
}
},
"to": null,
"status": "FAIL",
"comparator": [
"Exists",
false
],
"children": []
},
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicAcls EQUALS true",
"msg": "Attempting to retrieve array index or key from map at path = /Resources/MyBucket/Properties[L:13,C:6] , Type was not an array/object map, Remaining Query = PublicAccessBlockConfiguration.BlockPublicAcls",
"from": null,
"to": null,
"status": "FAIL",
"comparator": null,
"children": []
},
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicPolicy EQUALS true",
"msg": "Attempting to retrieve array index or key from map at path = /Resources/MyBucket/Properties[L:13,C:6] , Type was not an array/object map, Remaining Query = PublicAccessBlockConfiguration.BlockPublicPolicy",
"from": null,
"to": null,
"status": "FAIL",
"comparator": null,
"children": []
},
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.IgnorePublicAcls EQUALS true",
"msg": "Attempting to retrieve array index or key from map at path = /Resources/MyBucket/Properties[L:13,C:6] , Type was not an array/object map, Remaining Query = PublicAccessBlockConfiguration.IgnorePublicAcls",
"from": null,
"to": null,
"status": "FAIL",
"comparator": null,
"children": []
},
{
"eval_type": "Clause",
"context": " %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets EQUALS true",
"msg": "Attempting to retrieve array index or key from map at path = /Resources/MyBucket/Properties[L:13,C:6] , Type was not an array/object map, Remaining Query = PublicAccessBlockConfiguration.RestrictPublicBuckets",
"from": null,
"to": null,
"status": "FAIL",
"comparator": null,
"children": []
}
]
}
]
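Review bot: The message this fixture freezes for the four EQUALS clauses, "Attempting to retrieve array index or key from map at path = /Resources/MyBucket/Properties[L:13,C:6] , Type was not an array/object map, Remaining Query = PublicAccessBlockConfiguration.BlockPublicAcls", misdescribes the failure: the value at /Resources/MyBucket/Properties is an object map (the "from" value of the EXISTS clause above it shows BucketEncryption and VersioningConfiguration under that key), and the actual cause is that the key PublicAccessBlockConfiguration is absent, which is exactly what the EXISTS clause's "Exists", false comparator already records. Committing this wording as expected output makes the misleading text harder to fix later; either correct the message before locking it in or leave a note in the test that it is known to be inaccurate. Separately, the fixture embeds source coordinates ([L:13,C:6]) from the paired YAML template, so any whitespace or comment change in that template invalidates this file; name the template the fixture was generated from next to the test that loads it.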
105 changes: 105 additions & 0 deletions guard/resources/validate/output-dir/payload_verbose_non_compliant.out
@@ -0,0 +1,105 @@
STDIN Status = FAIL
FAILED rules
s3_bucket_public_read_prohibited.guard/S3_BUCKET_PUBLIC_READ_PROHIBITED FAIL
---
Evaluating data STDIN against rules s3_bucket_public_read_prohibited.guard
Number of non-compliant resources 1
Resource = MyBucket {
Type = AWS::S3::Bucket
Rule = S3_BUCKET_PUBLIC_READ_PROHIBITED {
ALL {
Check = %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration EXISTS {
RequiredPropertyError {
PropertyPath = /Resources/MyBucket/Properties[L:13,C:6]
MissingProperty = PublicAccessBlockConfiguration
Reason = Could not find key PublicAccessBlockConfiguration inside struct at path /Resources/MyBucket/Properties[L:13,C:6]
Code:
11. # BlockPublicPolicy: true
12. # IgnorePublicAcls: true
13. # RestrictPublicBuckets: true
14. BucketEncryption:
15. ServerSideEncryptionConfiguration:
16. - ServerSideEncryptionByDefault:
}
}
Check = %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicAcls EQUALS true {
RequiredPropertyError {
PropertyPath = /Resources/MyBucket/Properties[L:13,C:6]
MissingProperty = PublicAccessBlockConfiguration.BlockPublicAcls
Reason = Could not find key PublicAccessBlockConfiguration inside struct at path /Resources/MyBucket/Properties[L:13,C:6]
Code:
11. # BlockPublicPolicy: true
12. # IgnorePublicAcls: true
13. # RestrictPublicBuckets: true
14. BucketEncryption:
15. ServerSideEncryptionConfiguration:
16. - ServerSideEncryptionByDefault:
}
}
Check = %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicPolicy EQUALS true {
RequiredPropertyError {
PropertyPath = /Resources/MyBucket/Properties[L:13,C:6]
MissingProperty = PublicAccessBlockConfiguration.BlockPublicPolicy
Reason = Could not find key PublicAccessBlockConfiguration inside struct at path /Resources/MyBucket/Properties[L:13,C:6]
Code:
11. # BlockPublicPolicy: true
12. # IgnorePublicAcls: true
13. # RestrictPublicBuckets: true
14. BucketEncryption:
15. ServerSideEncryptionConfiguration:
16. - ServerSideEncryptionByDefault:
}
}
Check = %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.IgnorePublicAcls EQUALS true {
RequiredPropertyError {
PropertyPath = /Resources/MyBucket/Properties[L:13,C:6]
MissingProperty = PublicAccessBlockConfiguration.IgnorePublicAcls
Reason = Could not find key PublicAccessBlockConfiguration inside struct at path /Resources/MyBucket/Properties[L:13,C:6]
Code:
11. # BlockPublicPolicy: true
12. # IgnorePublicAcls: true
13. # RestrictPublicBuckets: true
14. BucketEncryption:
15. ServerSideEncryptionConfiguration:
16. - ServerSideEncryptionByDefault:
}
}
Check = %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets EQUALS true {
Message {
Violation: S3 Bucket Public Write Access controls need to be restricted.
Fix: Set S3 Bucket PublicAccessBlockConfiguration properties for BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, RestrictPublicBuckets parameters to true.
}
RequiredPropertyError {
PropertyPath = /Resources/MyBucket/Properties[L:13,C:6]
MissingProperty = PublicAccessBlockConfiguration.RestrictPublicBuckets
Reason = Could not find key PublicAccessBlockConfiguration inside struct at path /Resources/MyBucket/Properties[L:13,C:6]
Code:
11. # BlockPublicPolicy: true
12. # IgnorePublicAcls: true
13. # RestrictPublicBuckets: true
14. BucketEncryption:
15. ServerSideEncryptionConfiguration:
16. - ServerSideEncryptionByDefault:
}
}
}
}
}
`- File(, Status=FAIL)[Context=File(rules=1)]
`- Rule(S3_BUCKET_PUBLIC_READ_PROHIBITED, Status=FAIL)[Context=S3_BUCKET_PUBLIC_READ_PROHIBITED]
|- Rule/When(Status=PASS)[Context=Rule#S3_BUCKET_PUBLIC_READ_PROHIBITED/When]
| `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited not EMPTY ]
| |- Filter/ConjunctionsBlock(Status=PASS)[Context=Filter/Map#1]
| | `- GuardClauseBlock(Status = PASS)[Context=GuardAccessClause#block Type EQUALS "AWS::S3::Bucket"]
| | `- GuardClauseValueCheck(Status=PASS)[Context= Type EQUALS "AWS::S3::Bucket"]
| `- GuardClauseValueCheck(Status=PASS)[Context= %s3_bucket_public_read_prohibited not EMPTY ]
|- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration EXISTS ]
| `- GuardClauseUnaryCheck(Status=FAIL, Comparison= EXISTS, Value-At=(unresolved, Path=/Resources/MyBucket/Properties[L:13,C:6] Value={"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]},"VersioningConfiguration":{"Status":"Enabled"}}))[Context= %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration EXISTS ]
|- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicAcls EQUALS true]
| `- GuardClauseBinaryCheck(Status=FAIL, Comparison= EQUALS, from=(unresolved, Path=/Resources/MyBucket/Properties[L:13,C:6] Value={"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]},"VersioningConfiguration":{"Status":"Enabled"}}), to=)[Context= %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicAcls EQUALS true]
|- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicPolicy EQUALS true]
| `- GuardClauseBinaryCheck(Status=FAIL, Comparison= EQUALS, from=(unresolved, Path=/Resources/MyBucket/Properties[L:13,C:6] Value={"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]},"VersioningConfiguration":{"Status":"Enabled"}}), to=)[Context= %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.BlockPublicPolicy EQUALS true]
|- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.IgnorePublicAcls EQUALS true]
| `- GuardClauseBinaryCheck(Status=FAIL, Comparison= EQUALS, from=(unresolved, Path=/Resources/MyBucket/Properties[L:13,C:6] Value={"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]},"VersioningConfiguration":{"Status":"Enabled"}}), to=)[Context= %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.IgnorePublicAcls EQUALS true]
`- GuardClauseBlock(Status = FAIL)[Context=GuardAccessClause#block %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets EQUALS true]
`- GuardClauseBinaryCheck(Status=FAIL, Comparison= EQUALS, from=(unresolved, Path=/Resources/MyBucket/Properties[L:13,C:6] Value={"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]},"VersioningConfiguration":{"Status":"Enabled"}}), to=)[Context= %s3_bucket_public_read_prohibited[*].Properties.PublicAccessBlockConfiguration.RestrictPublicBuckets EQUALS true]
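Review bot: The custom message captured under the RestrictPublicBuckets check, "Violation: S3 Bucket Public Write Access controls need to be restricted.", contradicts the rule it belongs to, S3_BUCKET_PUBLIC_READ_PROHIBITED, and the four PublicAccessBlockConfiguration properties it lists govern public read access as much as write. The wording comes from s3_bucket_public_read_prohibited.guard rather than from this file, but because this fixture records it as the expected output, fix the rule's message (to "Read" or simply "Public Access") before merging so the fixture does not have to be regenerated afterwards. Note also that the Message block appears only on the last Check and not on the BlockPublicAcls, BlockPublicPolicy and IgnorePublicAcls checks above it, so a template that fails only one of those gets the RequiredPropertyError with no remediation text; if that is not intended, the rule author should attach the message to each check.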