add more complicated nested boolean test

stelligent · Mar 12, 2018 · 3a40a18 · 3a40a18
1 parent 1fa6ef1
commit 3a40a18
Show file tree

Hide file tree

Showing 2 changed files with 80 additions and 0 deletions.
diff --git a/example-files/rules/aws-config.yml b/example-files/rules/aws-config.yml
@@ -18,3 +18,18 @@ Rules:
         key: provisionedThroughput.readCapacityUnits
         op: present
     severity: NON_COMPLIANT
+  - id: SG1
+    message: Security group should not allow ingress from 0.0.0.0/0
+    resource: AWS::EC2::SecurityGroup
+    filters:
+      - not:
+          - and:
+              - type: value
+                key: ipPermissions[].fromPort[]
+                op: contains
+                value: "22"
+              - type: value
+                key: ipPermissions[].ipRanges[]
+                op: contains
+                value: 0.0.0.0/0
+    severity: NON_COMPLIANT
diff --git a/filter_test.go b/filter_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/json"
 	"testing"
 )
 
@@ -296,3 +297,67 @@ func TestNestedNot(t *testing.T) {
 		t.Error("Expecting nested boolean to return FAILURE")
 	}
 }
+
+func TestNestedBooleans(t *testing.T) {
+	rule := Rule{
+		Id:       "TEST1",
+		Message:  "Do not allow access to port 22 from 0.0.0.0/0",
+		Severity: "NOT_COMPLIANT",
+		Resource: "aws_instance",
+		Filters: []Filter{
+			Filter{
+				Not: []Filter{
+					Filter{
+						And: []Filter{
+							Filter{
+								Type:  "value",
+								Key:   "ipPermissions[].fromPort[]",
+								Op:    "contains",
+								Value: "22",
+							},
+							Filter{
+								Type:  "value",
+								Key:   "ipPermissions[].ipRanges[]",
+								Op:    "contains",
+								Value: "0.0.0.0/0",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	resource := TerraformResource{
+		Id:         "a_test_resource",
+		Type:       "aws_instance",
+		Properties: map[string]interface{}{},
+		Filename:   "test.tf",
+	}
+	rulesJSON := `{
+            "description": "2017-12-03T03:14:29.856Z",
+            "groupName": "test-8246",
+            "ipPermissions": [
+                {
+                    "fromPort": 22,
+                    "ipProtocol": "tcp",
+                    "toPort": 22,
+                    "ipv4Ranges": [
+                        {
+                            "cidrIp": "0.0.0.0/0"
+                        }
+                    ],
+                    "ipRanges": [
+                        "0.0.0.0/0"
+                    ]
+                }
+            ]
+        }`
+	err := json.Unmarshal([]byte(rulesJSON), &resource.Properties)
+	if err != nil {
+		t.Error("Error parsing resource JSON")
+	}
+	status := applyFilter(rule, rule.Filters[0], resource, testLogging)
+	if status != "NOT_COMPLIANT" {
+		t.Error("Expecting nested boolean to return NOT_COMPLIANT")
+	}
+}