Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
def expected_result_two_roles():
return [
Failure(
rule="CrossAccountTrustRule",
reason=(
"RootRoleOne has forbidden cross-account trust relationship with "
"arn:aws:iam::999999999:role/someuser@bla.com"
),
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.MEDIUM,
resource_ids={"RootRoleOne"},
actions=set(),
granularity=RuleGranularity.RESOURCE,
),
Failure(
rule="CrossAccountTrustRule",
reason=(
"RootRoleTwo has forbidden cross-account trust relationship with "
"arn:aws:iam::999999999:role/someuser@bla.com"
),
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.MEDIUM,
resource_ids={"RootRoleTwo"},
actions=set(),
granularity=RuleGranularity.RESOURCE,
def test_s3_read_plus_list(s3_read_plus_list):
rule = S3BucketPublicReadAclAndListStatementRule(None)
result = rule.invoke(s3_read_plus_list)
assert not result.valid
assert len(result.failed_rules) == 2
assert len(result.failed_monitored_rules) == 0
assert result.failed_rules[0].rule == "S3BucketPublicReadAclAndListStatementRule"
assert (
result.failed_rules[0].reason
== "S3 Bucket S3BucketPolicy should not have a public read acl and list bucket statement"
)
assert result.failed_rules[0].rule_mode == RuleMode.BLOCKING
def test_only_whitelisted_resources_are_removed(mock_rule_to_resource_whitelist):
config = Config(
stack_name="otherstack",
rules=["S3CrossAccountTrustRule"],
rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
)
result = Result()
failed_rules = [
Failure(
rule="S3CrossAccountTrustRule",
reason="Forbidden cross-account policy allow with 123456789 for an S3 bucket.",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
resource_ids={"rolething", "thenotwhitelistedthing", "anotherone"},
actions=None,
granularity=RuleGranularity.RESOURCE,
)
]
result.failed_rules = failed_rules
RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)
assert result.failed_rules == [
Failure(
rule="S3CrossAccountTrustRule",
reason="Forbidden cross-account policy allow with 123456789 for an S3 bucket.",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
resource_ids={"thenotwhitelistedthing", "anotherone"},
def test_report_format_is_the_one_expected(template_one_role):
rule = CrossAccountTrustRule(Config(aws_account_id="123456789"))
result = rule.invoke(template_one_role)
assert not result.valid
assert result.failed_rules == [
Failure(
rule="CrossAccountTrustRule",
reason=(
"RootRole has forbidden cross-account trust relationship with arn:aws:iam::999999999:role/"
"someuser@bla.com"
),
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.MEDIUM,
resource_ids={"RootRole"},
actions=set(),
granularity=RuleGranularity.RESOURCE,
),
rule="MockRule",
reason="MockRule is invalid for some actions",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
actions={"s3:ListBucket", "s3:GetBucket"},
granularity=RuleGranularity.ACTION,
)
]
result.failed_rules = failed_rules
RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)
assert result.failed_rules == [
Failure(
rule="MockRule",
reason="MockRule is invalid for some actions",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
actions={"s3:GetBucket"},
granularity=RuleGranularity.ACTION,
)
def test_result_valid_after_removing_failures():
result = Result()
result.add_failure(
rule="mock_rule",
reason="mock_reason",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
granularity=RuleGranularity.STACK,
)
# Result has a blocking failure, so it should be invalid
assert result.valid is False
result.failed_rules = []
# Result has no failures, so it should be valid
assert result.valid is True
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
from abc import ABC, abstractmethod
from typing import Optional, Set
from pycfmodel.model.cf_model import CFModel
from ..config.config import Config
from .enums import RuleGranularity, RuleMode, RuleRisk
from .result import Result
class Rule(ABC):
RULE_MODE = RuleMode.BLOCKING
RISK_VALUE = RuleRisk.MEDIUM
GRANULARITY = RuleGranularity.STACK
def __init__(self, config: Optional[Config], result: Result):
self._config = config if config else Config()
self._result = result
@abstractmethod
def invoke(self, cfmodel: CFModel):
pass
def add_failure(
self,
rule: str,
reason: str,
granularity: Optional[RuleGranularity] = None,
import logging
from abc import ABC, abstractmethod
from typing import Dict, List, Optional, Set
from pycfmodel.model.cf_model import CFModel
from cfripper.config.config import Config
from cfripper.config.rule_config import RuleConfig
from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk
from cfripper.model.result import Failure, Result
logger = logging.getLogger(__file__)
class Rule(ABC):
RULE_MODE = RuleMode.BLOCKING
RISK_VALUE = RuleRisk.MEDIUM
GRANULARITY = RuleGranularity.STACK
def __init__(self, config: Optional[Config]):
self._config = config if config else Config()
@property
def rule_config(self) -> RuleConfig:
return self._config.get_rule_config(self.__class__.__name__)
@property
def rule_mode(self) -> RuleMode:
return self.rule_config.rule_mode or self.RULE_MODE
@property
def risk_value(self) -> RuleRisk:
class FullWildcardPrincipalRule(GenericWildcardPrincipalRule):
"""
Checks for any wildcard principals defined in any statements.
Risk:
It might allow other AWS identities to escalate privileges.
Fix:
Where possible, restrict the access to only the required resources.
For example, instead of `Principal: "*"`, include a list of the roles that need access.
"""
REASON_WILCARD_PRINCIPAL = "{} should not allow wildcards in principals (principal: '{}')"
RULE_MODE = RuleMode.BLOCKING
RISK_VALUE = RuleRisk.HIGH
FULL_REGEX = REGEX_FULL_WILDCARD_PRINCIPAL
def valid(self) -> bool:
return not bool([rule for rule in self.failed_rules if rule.rule_mode == RuleMode.BLOCKING])