How to use the cfripper.config.config.Config function in cfripper

To help you get started, we’ve selected a few cfripper examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github Skyscanner / cfripper / tests / config / test_config.py View on Github external
def test_with_non_existing_exemption():
    whitelist = {"test_project": {"test_service": {"test_stack": ["MISSING"]}}}

    default_rules = ["IAMRolesOverprivilegedRule", "SecurityGroupOpenToWorldRule"]
    cfg = Config(
        project_name="test_project",
        service_name="test_service",
        stack_name="test_stack",
        rules=default_rules,
        stack_whitelist=whitelist,
    )

    assert set(cfg.rules) == set(default_rules)
github Skyscanner / cfripper / tests / rules / test_EC2SecurityGroupMissingEgressRule.py View on Github external
def test_filter_do_not_report_anything(single_security_group_one_cidr_ingress):
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupMissingEgressRule": RuleConfig(
                filters=[
                    Filter(rule_mode=RuleMode.WHITELISTED, eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]},)
                ],
            )
        },
    )
    rules = [DEFAULT_RULES.get(rule)(mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(single_security_group_one_cidr_ingress, mock_config)

    assert result.valid
github Skyscanner / cfripper / tests / rules / test_CrossAccountTrustRule.py View on Github external
def test_kms_cross_account_failure(principal):
    rule = KMSKeyCrossAccountTrustRule(Config(aws_account_id="123456789", aws_principals=["999999999"]))
    model = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml").resolve(extra_params={"Principal": principal})
    result = rule.invoke(model)
    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    failed_rule = result.failed_rules[0]
    assert failed_rule.reason == (
        f"KMSKey has forbidden cross-account policy allow with {principal} for an KMS Key Policy"
    )
github Skyscanner / cfripper / tests / config / test_config.py View on Github external
def test_stack_to_action_whitelist_stack_without_resources(mock_rule_to_action_whitelist):
    mock_rules = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    config = Config(
        stack_name="stack_without_whitelisted_resources",
        rules=mock_rules,
        stack_whitelist={},
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )
    assert config.get_whitelisted_actions("SecurityGroupOpenToWorldRule") == []
github Skyscanner / cfripper / tests / rules / test_IAMRoleWildcardActionOnPolicyRule.py View on Github external
def test_invalid_managed_policy_template(iam_managed_policy_bad_template):
    rule = IAMRoleWildcardActionOnPolicyRule(Config(aws_account_id="123456789"))
    result = rule.invoke(iam_managed_policy_bad_template)

    assert not result.valid
    assert len(result.failed_monitored_rules) == 0
    assert len(result.failed_rules) == 1
    assert result.failed_rules[0].rule == "IAMRoleWildcardActionOnPolicyRule"
    assert (
        result.failed_rules[0].reason
        == "IAM role CreateTestDBPolicy3 should not allow a `*` action on its AWS::IAM::ManagedPolicy"
    )
github Skyscanner / cfripper / tests / rules / test_CrossAccountTrustRule.py View on Github external
def test_kms_cross_account_success(principal):
    rule = KMSKeyCrossAccountTrustRule(Config(aws_account_id="123456789", aws_principals=["999999999"]))
    model = get_cfmodel_from("rules/CrossAccountTrustRule/kms_basic.yml").resolve(extra_params={"Principal": principal})
    result = rule.invoke(model)
    assert result.valid
github Skyscanner / cfripper / tests / rules / test_S3CrossAccountTrustRule.py View on Github external
def test_s3_bucket_cross_account_from_aws_service(s3_bucket_cross_account_from_aws_service):
    rule = S3CrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(s3_bucket_cross_account_from_aws_service)

    assert result.valid
    assert len(result.failed_rules) == 0
    assert len(result.failed_monitored_rules) == 0
github Skyscanner / cfripper / tests / config / test_filter.py View on Github external
def test_exist_function_and_property_exists(template_cross_account_role_with_name):
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={
                            "and": [
                                {
                                    "and": [
                                        {"exists": {"ref": "resource.Properties.RoleName"}},
                                        {"regex": ["^prefix-.*$", {"ref": "resource.Properties.RoleName"}]},
                                    ]
                                },
github Skyscanner / cfripper / tests / rules / test_CrossAccountTrustRule.py View on Github external
def test_report_format_is_the_one_expected(template_one_role):
    rule = CrossAccountTrustRule(Config(aws_account_id="123456789"))
    result = rule.invoke(template_one_role)

    assert not result.valid
    assert result.failed_rules == [
        Failure(
            rule="CrossAccountTrustRule",
            reason=(
                "RootRole has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/"
                "someuser@bla.com"
            ),
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.MEDIUM,
            resource_ids={"RootRole"},
            actions=set(),
            granularity=RuleGranularity.RESOURCE,
        ),
github Skyscanner / cfripper / tests / config / test_config.py View on Github external
def test_stack_to_resource_whitelist_stack_not_in_whitelist(mock_rule_to_resource_whitelist):
    mock_rules = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    config = Config(
        stack_name="stack_without_whitelisted_resources",
        rules=mock_rules,
        stack_whitelist={},
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )
    assert config.get_whitelisted_resources("SecurityGroupOpenToWorldRule") == []