diff --git a/assertion/contains.go b/assertion/contains.go
index 72ac455..3cc35c6 100644
--- a/assertion/contains.go
+++ b/assertion/contains.go
@@ -10,6 +10,9 @@ func interfaceListContains(v []interface{}, key, value string) (MatchResult, err
 			if stringElement == value {
 				return matches()
 			}
+			if strings.Contains(stringElement, value) {
+				return matches()
+			}
 		}
 	}
 	return doesNotMatch("%v does not contain %v", key, value)
@@ -20,6 +23,9 @@ func stringListContains(v []string, key, value string) (MatchResult, error) {
 		if stringElement == value {
 			return matches()
 		}
+		if strings.Contains(stringElement, value) {
+			return matches()
+		}
 	}
 	return doesNotMatch("%v does not contain %v", key, value)
 }
diff --git a/assertion/contains_test.go b/assertion/contains_test.go
index 66eee47..4afd7e5 100644
--- a/assertion/contains_test.go
+++ b/assertion/contains_test.go
@@ -1,6 +1,7 @@
 package assertion
 
 import (
+	"github.com/stretchr/testify/assert"
 	"testing"
 )
 
@@ -21,3 +22,17 @@ func TestDoesNotContainWithNonJSONType(t *testing.T) {
 		t.Errorf("Expecting doesNotContain to return an error for non JSON encodable data")
 	}
 }
+
+func TestContainsWithString(t *testing.T) {
+	s := "s3:Get*"
+	match, err := contains(s, "Action", "*")
+	assert.Nil(t, err, "Expecting no error from contains")
+	assert.True(t, match.Match, "Expecting match for string")
+}
+
+func TestContainsWithSliceOfStrings(t *testing.T) {
+	s := []string{"s3:Get*"}
+	match, err := contains(s, "Action", "*")
+	assert.Nil(t, err, "Expecting no error from contains")
+	assert.True(t, match.Match, "Expecting match for string")
+}
diff --git a/assertion/match_test.go b/assertion/match_test.go
index e865808..7d1a86b 100644
--- a/assertion/match_test.go
+++ b/assertion/match_test.go
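Review bot: The added `if strings.Contains(stringElement, value)` in interfaceListContains makes the `if stringElement == value` branch just above it redundant, because `strings.Contains(a, b)` is already true whenever `a == b`; the same applies to the stringListContains hunk below, so either drop the equality check in both or keep it with a comment saying why. The larger point is that this silently changes list `contains` from element equality to substring matching for every rule that uses the operator, so a value of `"*"` now matches an element such as `arn:aws:s3:::bucket/*` as well as a bare `*`; that contract deserves a comment on both functions, e.g. `// An element matches when it equals value or contains value as a substring.` The hunk does not show contains.go's import block, so I cannot confirm from here that `strings` is already imported in that file. Both functions begin outside their hunks.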
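Review bot: TestContainsWithString and TestContainsWithSliceOfStrings in the contains_test.go hunk only assert the positive case, so the new substring behaviour has no negative coverage at the unit level; a case like `match, err := contains([]string{"s3:Get"}, "Action", "*")` asserting `match.Match` is false would pin that an element without the substring is still rejected. The two new tests also pull in testify while the existing test in the same file (TestDoesNotContainWithNonJSONType) reports via `t.Errorf`, so the file now mixes two assertion styles; either is fine, but one per file reads better.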
@@ -67,7 +67,7 @@ func TestIsMatch(t *testing.T) { "containsTrueForString": {"Foo", "contains", "oo", "", true}, "containsFalseForString": {"Foo", "contains", "aa", "", false}, "containsTrueForSlice": {sliceOfTags, "contains", "Bar", "", true}, - "containsFalseForSubstring": {sliceOfTags, "contains", "oo", "", false}, + "containsFalseForSubstring": {sliceOfTags, "contains", "abc", "", false}, "containsTrueForSliceOfStrings": {stringSlice, "contains", "One", "", true}, "containsFalseForSliceOfStrings": {stringSlice, "contains", "Three", "", false}, "containsTrueForInt": {1, "contains", "1", "", true}, @@ -75,7 +75,7 @@ func TestIsMatch(t *testing.T) { "notContainsFalseForString": {"Foo", "does-not-contain", "oo", "", false}, "notContainsTrueForString": {"Foo", "does-not-contain", "aa", "", true}, "notContainsFalseForSlice": {sliceOfTags, "does-not-contain", "Bar", "", false}, - "notContainsTrueForSubstring": {sliceOfTags, "does-not-contain", "oo", "", true}, + "notContainsTrueForSubstring": {sliceOfTags, "does-not-contain", "abc", "", true}, "regexTrueForEndOfString": {"Foo", "regex", "o$", "", true}, "regexFalseForEndOfString": {"Bar", "regex", "o$", "", false}, "regExTrueForBeginningOfString": {"Foo", "regex", "^F", "", true}, diff --git a/cli/assets/terraform.yml b/cli/assets/terraform.yml index 6f0d0ac..a41d1a1 100644 --- a/cli/assets/terraform.yml +++ b/cli/assets/terraform.yml @@ -275,6 +275,24 @@ rules: - iam - policy + - id: IAM_POLICY_WILDCARD_RESOURCE + message: Should not use wildcard resource in IAM policy + resource: aws_iam_policy + severity: WARNING + assertions: + - none: + key: policy.Statement[] + expressions: + - key: Effect + op: eq + value: Allow + - key: Resource + op: contains + value: "*" + tags: + - iam + - policy + - id: ELB_ACCESS_LOGGING message: ELB should enable access logging resource: aws_elb 
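Review bot: The cases keyed `"containsFalseForSubstring"` and `"notContainsTrueForSubstring"` now use `"abc"`, which is not a substring of anything in sliceOfTags, so the case names no longer describe what they assert and the substring-on-slice behaviour introduced in contains.go is left untested in this table. Consider renaming them to something like `"containsFalseForUnrelatedString"` and adding an explicit `"containsTrueForSubstringInSlice": {sliceOfTags, "contains", "oo", "", true}` so the new contract is documented by a test rather than by the absence of one. The TestIsMatch table starts and ends outside these hunks.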
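Review bot: The new IAM_POLICY_WILDCARD_RESOURCE rule in the terraform.yml hunk uses `op: contains` with `value: "*"` on `Resource`, and with the substring matching added to contains.go in this same commit that fires on any resource ARN that merely includes an asterisk (for example a bucket-prefix ARN ending in `/*`), not only on a bare `*`. If the intent is to flag only the fully open resource, the rule needs a narrower operator or the message should say so; if the broader match is intended, `message: Should not use wildcard in IAM policy resource` states the actual behaviour more accurately than "wildcard resource". The rule is also scoped to `aws_iam_policy` only, so equivalent statements in other policy-bearing resources are not covered by it; I cannot tell from this hunk whether sibling rules handle those. The rules list continues on both sides of the hunk.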
@@ -478,7 +496,7 @@ rules: - iam - id: IAM_USER_POLICY_ATTACHMENT - message: IAM should not have policies attached (make user a member of a group instead) + message: IAM user should not have policies attached (make user a member of a group instead) resource: aws_iam_user_policy_attachment severity: FAILURE assertions: