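def test_filter_do_not_report_anything(single_security_group_one_cidr_ingress):
    """A WHITELISTED filter that matches the current stack suppresses the finding.

    The filter compares ``config.stack_name`` with ``"mockstack"``, which is the
    stack name in this config, so ``EC2SecurityGroupMissingEgressRule`` must not
    report the security group and the template is accepted as valid.
    """
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",  # placeholder account id for the test
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupMissingEgressRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]},
                    )
                ],
            )
        },
    )
    # Index rather than .get(): an unknown rule name then fails with a KeyError
    # that names the rule instead of "'NoneType' object is not callable".
    rules = [DEFAULT_RULES[rule](mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(single_security_group_one_cidr_ingress, mock_config)
    assert result.valid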
(Filter(eval={"and": [True, True]}), {}, True),
(Filter(eval={"and": [False, True]}), {}, False),
(Filter(eval={"and": [True, False]}), {}, False),
(Filter(eval={"and": [False, False]}), {}, False),
(Filter(eval={"in": ["a", ["a"]]}), {}, True),
(Filter(eval={"in": ["b", ["a", "b"]]}), {}, True),
(Filter(eval={"in": ["c", ["a", "b", "c"]]}), {}, True),
(Filter(eval={"in": ["d", ["a"]]}), {}, False),
(Filter(eval={"in": ["e", ["a", "b"]]}), {}, False),
(Filter(eval={"in": ["f", ["a", "b", "c"]]}), {}, False),
(Filter(eval={"in": ["a", "a"]}), {}, True),
(Filter(eval={"in": ["b", "ab"]}), {}, True),
(Filter(eval={"in": ["b", "aba"]}), {}, True),
(Filter(eval={"in": ["b", "a"]}), {}, False),
(Filter(eval={"in": ["c", "ab"]}), {}, False),
(Filter(eval={"in": ["c", "aba"]}), {}, False),
(Filter(eval={"regex": [r"^\d+$", "5"]}), {}, True),
def test_exist_function_and_property_exists(template_cross_account_role_with_name):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{
"and": [
{"exists": {"ref": "resource.Properties.RoleName"}},
{"regex": ["^prefix-.*$", {"ref": "resource.Properties.RoleName"}]},
]
},
{"eq": [{"ref": "principal"}, "arn:aws:iam::999999999:role/someuser@bla.com"]},
]
},
),
]
)
},
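def test_filter_works_as_expected(template_two_roles_dict, expected_result_two_roles):
    """Run CrossAccountTrustRule with a filter scoped to a single logical id.

    The WHITELISTED filter only applies when both conditions hold: the stack
    name is ``"mockstack"`` and the resource's ``logical_id`` is
    ``"RootRoleOne"``, so other roles in the template stay subject to the rule.

    NOTE(review): ``expected_result_two_roles`` is not asserted against in this
    excerpt; confirm the assertions against ``result`` were not cut off.
    """
    config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",  # placeholder account id for the test
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={
                            "and": [
                                {"eq": [{"ref": "config.stack_name"}, "mockstack"]},
                                {"eq": [{"ref": "logical_id"}, "RootRoleOne"]},
                            ]
                        },
                    )
                ],
            )
        },
    )
    # Index rather than .get(): an unknown rule name then fails with a KeyError
    # that names the rule instead of "'NoneType' object is not callable".
    rules = [DEFAULT_RULES[rule](config) for rule in config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, config)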
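def test_non_matching_filters_are_reported_normally(single_security_group_one_cidr_ingress):
    """A WHITELISTED filter that does not match must not silence the rule.

    The filter looks for ``config.stack_name == "anotherstack"`` while the
    config's stack is ``"mockstack"``, so the filter is inert and the missing
    egress rule is reported as a failed (not merely monitored) rule with its
    standard reason text.
    """
    mock_config = Config(
        rules=["EC2SecurityGroupMissingEgressRule"],
        aws_account_id="123456789",  # placeholder account id for the test
        stack_name="mockstack",
        rules_config={
            "EC2SecurityGroupMissingEgressRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={"eq": [{"ref": "config.stack_name"}, "anotherstack"]},
                    )
                ],
            )
        },
    )
    # Index rather than .get(): an unknown rule name then fails with a KeyError
    # that names the rule instead of "'NoneType' object is not callable".
    rules = [DEFAULT_RULES[rule](mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(single_security_group_one_cidr_ingress, mock_config)

    assert not result.valid
    assert len(result.failed_rules) == 1
    assert len(result.failed_monitored_rules) == 0
    failure = result.failed_rules[0]
    assert failure.rule == "EC2SecurityGroupMissingEgressRule"
    assert (
        failure.reason
        == "Missing egress rule in sg means all traffic is allowed outbound. Make this explicit if it is desired configuration"
    )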
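def test_filter_do_not_report_anything(template_two_roles_dict):
    """A WHITELISTED filter matching the current stack suppresses CrossAccountTrustRule.

    The filter compares ``config.stack_name`` with ``"mockstack"``, which is the
    configured stack name, so neither role in the template is reported and the
    template is accepted as valid.
    """
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",  # placeholder account id for the test
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={"eq": [{"ref": "config.stack_name"}, "mockstack"]},
                    )
                ],
            )
        },
    )
    # Index rather than .get(): an unknown rule name then fails with a KeyError
    # that names the rule instead of "'NoneType' object is not callable".
    rules = [DEFAULT_RULES[rule](mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, mock_config)
    assert result.valid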
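def test_non_matching_filters_are_reported_normally(template_two_roles_dict, expected_result_two_roles):
    """A non-matching WHITELISTED filter leaves CrossAccountTrustRule findings intact.

    The filter targets ``config.stack_name == "anotherstack"`` while the config
    uses ``"mockstack"``, so it never applies and the failed rules must equal the
    ``expected_result_two_roles`` fixture exactly.
    """
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",  # placeholder account id for the test
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={"eq": [{"ref": "config.stack_name"}, "anotherstack"]},
                    )
                ],
            )
        },
    )
    # Index rather than .get(): an unknown rule name then fails with a KeyError
    # that names the rule instead of "'NoneType' object is not callable".
    rules = [DEFAULT_RULES[rule](mock_config) for rule in mock_config.rules]
    processor = RuleProcessor(*rules)
    result = processor.process_cf_template(template_two_roles_dict, mock_config)

    assert not result.valid
    assert result.failed_rules == expected_result_two_roles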
def test_exist_function_and_property_does_not_exist(template_cross_account_role_no_name):
mock_config = Config(
rules=["CrossAccountTrustRule"],
aws_account_id="123456789",
stack_name="mockstack",
rules_config={
"CrossAccountTrustRule": RuleConfig(
filters=[
Filter(
rule_mode=RuleMode.WHITELISTED,
eval={
"and": [
{
"and": [
{"exists": {"ref": "resource.Properties.RoleName"}},
{"regex": ["^prefix-.*$", {"ref": "resource.Properties.RoleName"}]},
]
},
{"eq": [{"ref": "principal"}, "arn:aws:iam::999999999:role/someuser@bla.com"]},
]
},
),
]
)
},