How to use the cfripper.model.enums.RuleMode enum in cfripper



def test_filter_works_as_expected(template_two_roles_dict, expected_result_two_roles):
    """Whitelisting one role by stack name and logical id must not silence the whole rule.

    The filter is scoped to ``logical_id == "RootRoleOne"`` inside ``stack_name == "mockstack"``
    via a WHITELISTED ``Filter``; the template under test contains two roles (per the fixture
    name), so the rule is still expected to fail the result. ``expected_result_two_roles`` is
    accepted but not inspected in this snippet.
    """
    whitelist_filter = Filter(
        rule_mode=RuleMode.WHITELISTED,
        eval={
            "and": [
                {"eq": [{"ref": "config.stack_name"}, "mockstack"]},
                {"eq": [{"ref": "logical_id"}, "RootRoleOne"]},
            ]
        },
    )
    config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={"CrossAccountTrustRule": RuleConfig(filters=[whitelist_filter])},
    )
    # Instantiate every configured rule against this config and hand them to the processor.
    processor = RuleProcessor(*(DEFAULT_RULES.get(rule_name)(config) for rule_name in config.rules))
    result = processor.process_cf_template(template_two_roles_dict, config)

    # The whitelist only covers RootRoleOne; the remaining finding keeps the template invalid.
    assert not result.valid
def test_exist_function_and_property_does_not_exist(template_cross_account_role_no_name):
    """Build a WHITELISTED filter that requires ``resource.Properties.RoleName`` to exist.

    The filter only whitelists a finding when the role has a ``RoleName`` matching
    ``^prefix-.*$`` *and* the principal equals the fixed ARN below. The fixture name
    suggests the role under test has no ``RoleName``, so the ``exists`` check should
    fail and the finding should not be whitelisted — TODO confirm: the snippet shown
    ends after ``mock_config`` is built, and the assertions that use it are not visible.
    """
    mock_config = Config(
        rules=["CrossAccountTrustRule"],
        aws_account_id="123456789",
        stack_name="mockstack",
        rules_config={
            "CrossAccountTrustRule": RuleConfig(
                filters=[
                    Filter(
                        rule_mode=RuleMode.WHITELISTED,
                        eval={
                            "and": [
                                {
                                    # Both must hold: the property is present and matches the prefix.
                                    "and": [
                                        {"exists": {"ref": "resource.Properties.RoleName"}},
                                        {"regex": ["^prefix-.*$", {"ref": "resource.Properties.RoleName"}]},
                                    ]
                                },
                                # Whitelist is further narrowed to a single trusted principal.
                                {"eq": [{"ref": "principal"}, "arn:aws:iam::999999999:role/someuser@bla.com"]},
                            ]
                        },
                    ),
                ]
            )
        },
    )
if isinstance(resource, S3BucketPolicy):
                for statement in resource.Properties.PolicyDocument._statement_as_list():
                    if statement.Effect == "Allow":
                        for principal in statement.get_principal_list():
                            account_id = get_account_id_from_principal(principal)
                            if account_id not in self.valid_principals:
                                if statement.Condition and statement.Condition.dict():
                                    logger.warning(
                                        f"Not adding {type(self).__name__} failure in {logical_id} "
                                        f"because there are conditions: {statement.Condition}"
                                    )
                                elif "GETATT" in principal or "UNDEFINED_" in principal:
                                    self.add_failure(
                                        type(self).__name__,
                                        self.REASON.format(logical_id, principal),
                                        rule_mode=RuleMode.DEBUG,
                                    )
                                else:
                                    self.add_failure(type(self).__name__, self.REASON.format(logical_id, principal))
Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
from ..config.regex import REGEX_FULL_WILDCARD_PRINCIPAL
from ..model.enums import RuleMode, RuleRisk
from .GenericWildcardPrincipalRule import GenericWildcardPrincipalRule


class FullWildcardPrincipalRule(GenericWildcardPrincipalRule):
    """Rule that flags principals that are a full wildcard.

    Inherits its matching logic from ``GenericWildcardPrincipalRule``; this subclass
    only sets the message, the mode/risk and the regex used to match principals.
    Only the attributes shown here are visible in this snippet.
    """

    # Two positional placeholders: the first is filled with the logical id, the
    # second with the offending principal (by the parent's usage — TODO confirm).
    REASON_WILCARD_PRINCIPAL = "{} should not allow wildcards in principals (principal: '{}')"

    # A full-wildcard principal is a blocking finding with high risk, as opposed to
    # the DEBUG mode used elsewhere for unresolved (GETATT/UNDEFINED_) principals.
    RULE_MODE = RuleMode.BLOCKING
    RISK_VALUE = RuleRisk.HIGH

    # Regex that identifies a full wildcard principal; defined in config.regex.
    FULL_REGEX = REGEX_FULL_WILDCARD_PRINCIPAL