How to use the cfripper.model.result.Failure function in cfripper

To help you get started, we’ve selected a few cfripper examples, based on popular ways it is used in public projects.


def test_can_whitelist_resource_from_any_stack_if_granularity_is_resource():

    whitelist_for_all_stacks = {
        "S3CrossAccountTrustRule": {".*": {"ProductionAccessTest"}, "otherstack": {"rolething"}}
    }
    config = Config(
        stack_name="abcd", rules=["S3CrossAccountTrustRule"], rule_to_resource_whitelist=whitelist_for_all_stacks
    )

    result = Result()
    failed_rules = [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"ProductionAccessTest"},
            actions=None,
            granularity=RuleGranularity.RESOURCE,
        ),
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="This one isn't whitelisted because granularity is ACTION and not RESOURCE",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"ProductionAccessTest"},
            actions=None,
            granularity=RuleGranularity.ACTION,
def test_result_addition():
    """Adding two ``Result`` objects concatenates both failure lists in order.

    The left operand's blocking and monitored failures come first, followed by
    the right operand's, and the sum compares equal to a ``Result`` built
    directly from the concatenated lists.
    """
    first_fields = dict(reason="reason1", risk_value="risk1", rule="rule1", rule_mode="mode1")
    second_fields = dict(reason="reason2", risk_value="risk2", rule="rule2", rule_mode="mode2")

    blocking_first = Failure(granularity=RuleGranularity.STACK, **first_fields)
    blocking_second = Failure(granularity=RuleGranularity.STACK, **second_fields)
    monitored_first = Failure(granularity=RuleGranularity.RESOURCE, **first_fields)
    monitored_second = Failure(granularity=RuleGranularity.RESOURCE, **second_fields)

    left = Result(failed_rules=[blocking_first], failed_monitored_rules=[monitored_first])
    right = Result(failed_rules=[blocking_second], failed_monitored_rules=[monitored_second])

    combined = left + right
    expected = Result(
        failed_rules=[blocking_first, blocking_second],
        failed_monitored_rules=[monitored_first, monitored_second],
    )
    assert combined == expected
def test_only_whitelisted_resources_are_removed(mock_rule_to_resource_whitelist):
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    result = Result()
    failed_rules = [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="Forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"rolething", "thenotwhitelistedthing", "anotherone"},
            actions=None,
            granularity=RuleGranularity.RESOURCE,
        )
    ]
    result.failed_rules = failed_rules

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)
    assert result.failed_rules == [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="Forbidden cross-account policy allow with 123456789 for an S3 bucket.",
granularity=RuleGranularity.ACTION,
        ),
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="This one isn't whitelisted because granularity is STACK and not ACTION",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions=set(),
            granularity=RuleGranularity.STACK,
        ),
    ]
    result.failed_rules = failed_rules

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)
    assert result.failed_rules == [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="This one isn't whitelisted because granularity is STACK and not ACTION",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions=set(),
            granularity=RuleGranularity.STACK,
        )
def test_remove_failures_from_whitelisted_resources_only_removes_resource_granularity(mock_rule_to_resource_whitelist):
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    result = Result()
    failed_rules = [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"rolething"},
            actions=None,
            granularity=RuleGranularity.ACTION,
        ),
        Failure(
            rule="S3CrossAccountTrustRule",
            reason="anotherthing has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"anotherthing"},
            actions=None,
            granularity=RuleGranularity.RESOURCE,
def test_remove_debug_rules():
    original_failed_monitored_rules = [
        Failure(
            rule="a",
            reason="something",
            rule_mode=RuleMode.MONITOR,
            granularity=RuleGranularity.STACK,
            risk_value=RuleRisk.HIGH,
        ),
        Failure(
            rule="b",
            reason="something",
            rule_mode=RuleMode.DEBUG,
            granularity=RuleGranularity.STACK,
            risk_value=RuleRisk.MEDIUM,
        ),
        Failure(
            rule="c",
            reason="something",
def test_action_whitelist_keeps_non_whitelisted_actions():
    whitelist_for_all_stacks = {"MockRule": {".*": {"s3:List"}}}
    config = Config(stack_name="abcd", rules=["MockRule"], rule_to_action_whitelist=whitelist_for_all_stacks)

    result = Result()
    failed_rules = [
        Failure(
            rule="MockRule",
            reason="MockRule is invalid for some actions",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions={"s3:ListBucket", "s3:GetBucket"},
            granularity=RuleGranularity.ACTION,
        )
    ]
    result.failed_rules = failed_rules

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)
    assert result.failed_rules == [
        Failure(
            rule="MockRule",
            reason="MockRule is invalid for some actions",
            rule_mode=RuleMode.BLOCKING,
def test_remove_failures_from_whitelisted_actions_failure_no_actions_is_removed(
    mock_logger, mock_rule_to_action_whitelist
):
    """An ACTION-granularity failure with an empty action set is dropped and logged.

    ``remove_failures_of_whitelisted_actions`` removes the failure from
    ``failed_rules`` entirely and emits exactly one log line naming it.
    NOTE(review): the finding is discarded rather than retained, so a rule that
    reports ACTION granularity without populating ``actions`` loses its finding
    apart from that log line -- confirm this is the intended behaviour.
    """
    whitelist_config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    actionless_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.ACTION,
    )
    scan_result = Result()
    scan_result.failed_rules = [actionless_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=whitelist_config, result=scan_result)

    assert scan_result.failed_rules == []
    expected_message = f"Failure with action granularity doesn't have actions: {actionless_failure}"
    mock_logger.assert_called_once_with(expected_message)
def test_remove_failures_from_whitelisted_resources_failure_no_resources_is_removed(
    mock_logger, mock_rule_to_resource_whitelist
):
    """A RESOURCE-granularity failure with no resource ids is dropped and logged.

    The failure is built without ``resource_ids`` (only ``actions=None``), so it
    relies on ``Failure``'s own default for that field.
    ``remove_failures_of_whitelisted_resources`` then removes it from
    ``failed_rules`` and emits exactly one log line naming it.
    NOTE(review): as with the action-granularity case, the finding is discarded
    rather than kept -- confirm that is the intended outcome for a rule that
    forgets to set ``resource_ids``.
    """
    whitelist_config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    resourceless_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=None,
        granularity=RuleGranularity.RESOURCE,
    )
    scan_result = Result()
    scan_result.failed_rules = [resourceless_failure]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=whitelist_config, result=scan_result)

    assert scan_result.failed_rules == []
    expected_message = f"Failure with resource granularity doesn't have resources: {resourceless_failure}"
    mock_logger.assert_called_once_with(expected_message)
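def add_failure(
        self, rule: str, reason: str, rule_mode: str, risk_value: str, granularity: str, resource_ids=None, actions=None
    ) -> None:
        """Record a rule failure on this result.

        Builds a ``Failure`` from the arguments and files it under the blocking
        list when ``rule_mode`` equals ``RuleMode.BLOCKING``, otherwise under
        the monitored list.

        Args:
            rule: Name of the rule that failed.
            reason: Human-readable explanation of the failure.
            rule_mode: Mode of the rule; only ``RuleMode.BLOCKING`` makes the
                failure blocking.
            risk_value: Risk rating attached to the failure.
            granularity: Granularity of the failure (stack, resource or action).
            resource_ids: Resources the failure applies to; ``None`` becomes an
                empty set.
            actions: Actions the failure applies to; ``None`` becomes an empty
                set.
        """
        # A fresh set per call, so no two failures share a mutable default.
        failure = Failure(
            rule=rule,
            reason=reason,
            rule_mode=rule_mode,
            risk_value=risk_value,
            resource_ids=set() if resource_ids is None else resource_ids,
            actions=set() if actions is None else actions,
            granularity=granularity,
        )

        # Compare by equality, not identity: ``rule_mode`` is annotated as
        # ``str``, and ``is`` only holds for the very same enum object.
        # NOTE(review): every mode other than BLOCKING -- including an
        # unrecognised value -- lands in the monitored (non-blocking) list, so
        # a mistyped mode silently downgrades a rule's findings; confirm that
        # fail-open default is intended.
        if rule_mode != RuleMode.BLOCKING:
            self.add_failure_monitored_rule(failure=failure)
            return

        self.add_failure_blocking_rule(failure=failure)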