def test_with_non_existing_exemption():
    """A stack whitelist that names an unknown rule leaves the configured rules untouched.

    The whitelist entry for ``test_project/test_service/test_stack`` lists
    "MISSING", which is not one of the rules handed to ``Config``; the rule
    set exposed by ``cfg.rules`` must still be exactly the rules passed in.
    """
    configured_rules = ["IAMRolesOverprivilegedRule", "SecurityGroupOpenToWorldRule"]
    exemptions = {"test_project": {"test_service": {"test_stack": ["MISSING"]}}}

    cfg = Config(
        project_name="test_project",
        service_name="test_service",
        stack_name="test_stack",
        rules=configured_rules,
        stack_whitelist=exemptions,
    )

    # Compared as sets: only membership matters here, not ordering.
    assert set(cfg.rules) == set(configured_rules)
def test_filter_do_not_report_anything(single_security_group_one_cidr_ingress):
    """A WHITELISTED filter keyed on the stack name suppresses the rule's findings.

    The filter's ``eval`` expression compares ``config.stack_name`` with
    "mockstack", the very stack name given to ``Config``, so the security
    group template must be reported as valid even though
    ``EC2SecurityGroupMissingEgressRule`` is enabled.
    """
    suppressing_filter = Filter(
        rule_mode=RuleMode.WHITELISTED,
        eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]},
    )
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={"EC2SecurityGroupMissingEgressRule": RuleConfig(filters=[suppressing_filter])},
    )

    # Instantiate every configured rule against this config, then run them all.
    rule_instances = []
    for rule_name in mock_config.rules:
        rule_instances.append(DEFAULT_RULES.get(rule_name)(mock_config))
    processor = RuleProcessor(*rule_instances)

    outcome = processor.process_cf_template(single_security_group_one_cidr_ingress, mock_config)
    assert outcome.valid
def test_kms_cross_account_failure(principal):
    """A KMS key policy granting access to ``principal`` is reported as a blocking failure.

    The rule runs with account "123456789" and a single allowed principal
    "999999999"; ``principal`` is injected by the test harness and is
    expected to be one the rule does not accept. Exactly one failed rule,
    no monitored-only failures, and a reason naming the principal are
    required.
    """
    rule_config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(rule_config)

    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    model = template.resolve(extra_params={"Principal": principal})

    outcome = rule.invoke(model)

    assert not outcome.valid
    assert len(outcome.failed_monitored_rules) == 0
    assert len(outcome.failed_rules) == 1

    expected_reason = f"KMSKey has forbidden cross-account policy allow with {principal} for an KMS Key Policy"
    assert outcome.failed_rules[0].reason == expected_reason
def test_stack_to_action_whitelist_stack_without_resources(mock_rule_to_action_whitelist):
    """No actions are whitelisted for a stack that has no entry in the action whitelist.

    ``Config`` receives the fixture-provided ``rule_to_action_whitelist``
    and an empty ``stack_whitelist``; looking up the whitelisted actions for
    ``SecurityGroupOpenToWorldRule`` on stack
    "stack_without_whitelisted_resources" must yield an empty list.
    """
    enabled_rules = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    config = Config(
        stack_name="stack_without_whitelisted_resources",
        rules=enabled_rules,
        stack_whitelist={},
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    whitelisted_actions = config.get_whitelisted_actions("SecurityGroupOpenToWorldRule")
    assert whitelisted_actions == []
def test_invalid_managed_policy_template(iam_managed_policy_bad_template):
    """A managed policy allowing a ``*`` action fails IAMRoleWildcardActionOnPolicyRule.

    The fixture template is expected to contain an ``AWS::IAM::ManagedPolicy``
    named CreateTestDBPolicy3 with a wildcard action; the rule must produce
    exactly one blocking failure (and no monitored-only failures) whose
    reason names that policy.
    """
    rule = IAMRoleWildcardActionOnPolicyRule(Config(aws_account_id="123456789"))
    outcome = rule.invoke(iam_managed_policy_bad_template)

    assert not outcome.valid
    assert len(outcome.failed_monitored_rules) == 0
    assert len(outcome.failed_rules) == 1

    failure = outcome.failed_rules[0]
    assert failure.rule == "IAMRoleWildcardActionOnPolicyRule"
    expected_reason = (
        "IAM role CreateTestDBPolicy3 should not allow a `*` action on its AWS::IAM::ManagedPolicy"
    )
    assert failure.reason == expected_reason
def test_kms_cross_account_success(principal):
    """A KMS key policy granting access to an accepted ``principal`` passes the rule.

    Same account ("123456789") and allowed-principal list (["999999999"]) as
    the failure case; ``principal`` is injected by the test harness and is
    expected to be one the rule accepts, so the result must be valid.
    """
    rule_config = Config(aws_account_id="123456789", aws_principals=["999999999"])
    rule = KMSKeyCrossAccountTrustRule(rule_config)

    template = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml")
    model = template.resolve(extra_params={"Principal": principal})

    assert rule.invoke(model).valid
def test_s3_bucket_cross_account_from_aws_service(s3_bucket_cross_account_from_aws_service):
    """A bucket policy whose principal is an AWS service is not flagged as cross-account.

    ``S3CrossAccountTrustRule`` runs with account "123456789" against the
    fixture template; the result must be valid with neither blocking nor
    monitored-only failures.
    """
    rule = S3CrossAccountTrustRule(Config(aws_account_id="123456789"))
    outcome = rule.invoke(s3_bucket_cross_account_from_aws_service)

    assert outcome.valid
    assert not outcome.failed_rules
    assert not outcome.failed_monitored_rules
def test_exist_function_and_property_exists(template_cross_account_role_with_name):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{
"and": [
{"exists": {"ref": "resource.Properties.RoleName"}},
{"regex": ["^prefix-.*$", {"ref": "resource.Properties.RoleName"}]},
]
},
def test_report_format_is_the_one_expected(template_one_role):
rule = CrossAccountTrustRule(Config(aws_account_id="123456789"))
result = rule.invoke(template_one_role)
assert not result.valid
assert result.failed_rules == [
Failure(
rule="CrossAccountTrustRule",
reason=(
"RootRole has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/"
"someuser@bla.com"
),
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.MEDIUM,
resource_ids={"RootRole"},
actions=set(),
granularity=RuleGranularity.RESOURCE,
),
def test_stack_to_resource_whitelist_stack_not_in_whitelist(mock_rule_to_resource_whitelist):
    """No resources are whitelisted for a stack absent from the resource whitelist.

    Mirrors the action-whitelist case: ``Config`` receives the
    fixture-provided ``rule_to_resource_whitelist`` and an empty
    ``stack_whitelist``; looking up whitelisted resources for
    ``SecurityGroupOpenToWorldRule`` on stack
    "stack_without_whitelisted_resources" must yield an empty list.
    """
    enabled_rules = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    config = Config(
        stack_name="stack_without_whitelisted_resources",
        rules=enabled_rules,
        stack_whitelist={},
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    whitelisted_resources = config.get_whitelisted_resources("SecurityGroupOpenToWorldRule")
    assert whitelisted_resources == []