How to use the parliament.finding.severity.INVALID function in parliament

To help you get started, we’ve selected a few parliament examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github duo-labs / cloudmapper / parliament / statement.py View on Github external
if operator_type_requirement is None:
            self.add_finding(
                "Unknown operator in condition: {}".format(operator),
                severity.INVALID,
                location={"location": condition_block},
            )

        if operator_type_requirement == "Bool":
            value = list(condition_block.values())[0]
            if value != "true" and value != "false":
                self.add_finding(
                    "Null operation requires being matched against true or false but given {}".format(
                        condition_block
                    ),
                    severity.INVALID,
                    location={"location": condition_block},
                )
                return False

        for key in condition_block:
            # The key here from the example is "s3:prefix"
            condition_type = get_global_key_type(key)
            if condition_type:
                # This is a global key, like aws:CurrentTime
                # Check if the values match the type (ex. must all be Date values)
                if not is_value_in_correct_format_for_type(
                    condition_type, make_list(condition_block[key])
                ):
                    self.add_finding(
                        "Type mismatch: {} requires a value of type {} but given {}".format(
                            key, condition_type, condition_block[key]
github duo-labs / cloudmapper / parliament / statement.py View on Github external
op = documented_operator.lower()
            if operator.lower() in [
                op,
                op + "ifexists",
                "forallvalues:" + op,
                "foranyvalue:" + op,
                "forallvalues:" + op + "ifexists",
                "foranyvalue:" + op + "ifexists",
            ]:
                operator_type_requirement = OPERATORS[documented_operator]
                break

        if operator_type_requirement is None:
            self.add_finding(
                "Unknown operator in condition: {}".format(operator),
                severity.INVALID,
                location={"location": condition_block},
            )

        if operator_type_requirement == "Bool":
            value = list(condition_block.values())[0]
            if value != "true" and value != "false":
                self.add_finding(
                    "Null operation requires being matched against true or false but given {}".format(
                        condition_block
                    ),
                    severity.INVALID,
                    location={"location": condition_block},
                )
                return False

        for key in condition_block:
github duo-labs / cloudmapper / parliament / policy.py View on Github external
location={"string": element},
                )
                return False

        # Check Version
        if "Version" not in self.policy_json:
            self.add_finding(
                "Policy does not contain a Version element", severity.MALFORMED
            )
            return False
        self.version = self.policy_json["Version"]

        if self.version not in ["2012-10-17", "2008-10-17"]:
            self.add_finding(
                "Unknown Version used. Version must be either 2012-10-17 or 2008-10-17",
                severity.INVALID,
                location={"string": self.version},
            )
        elif self.version != "2012-10-17":
            # TODO I should have a check so that if an older version is being used,
            # and a variable is detected, it should be marked as higher severity.
            self.add_finding(
                "Older version used. Variables will not be allowed.",
                severity.LOW,
                location={"string": self.version},
            )

        # Check Statements
        if "Statement" not in self.policy_json:
            self.add_finding(
                "Policy does not contain a Statement element", severity.MALFORMED
            )
github duo-labs / cloudmapper / parliament / statement.py View on Github external
)

                if condition_type is not None:
                    # if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
                    #     # Ignore these.
                    #     pass
                    if operator_type_requirement != translate_documentation_types(
                        condition_type
                    ):
                        self.add_finding(
                            "Type mismatch: {} requires a value of type {} but given {}".format(
                                operator,
                                operator_type_requirement,
                                translate_documentation_types(condition_type),
                            ),
                            severity.INVALID,
                            location={"location": condition_block},
                        )

            # Check for known bad pattern
            if operator.lower() == "bool":
                if key.lower() == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
                    condition_block[key]
                ):
                    self.add_finding(
                        'Bad patttern: The condition {"Bool": {"aws:MultiFactorAuthPresent":"false"}} is bad because aws:MultiFactorAuthPresent may not exist so it does not enforce MFA. You likely want to use a Deny with BoolIfExists.',
                        severity.MEDIUM,
                        location={"location": condition_block},
                    )
            elif operator.lower() == "null":
                if key.lower == "aws:MultiFactorAuthPresent".lower() and "false" in make_list(
                    condition_block[key]
github duo-labs / cloudmapper / parliament / statement.py View on Github external
if condition_type is None:
                        raise Exception(
                            "Action condition not found in service definition for {}".format(
                                condition
                            )
                        )

                    if not is_value_in_correct_format_for_type(
                        condition_type, make_list(condition_block[key])
                    ):
                        self.add_finding(
                            "Type mismatch: {} requires a value of type {} but given {}".format(
                                key, condition_type, condition_block[key]
                            ),
                            severity.INVALID,
                            location={"location": condition_block},
                        )

                if condition_type is not None:
                    # if operator_type_requirement.lower() == 'string' and condition_type.lower() = 'arn':
                    #     # Ignore these.
                    #     pass
                    if operator_type_requirement != translate_documentation_types(
                        condition_type
                    ):
                        self.add_finding(
                            "Type mismatch: {} requires a value of type {} but given {}".format(
                                operator,
                                operator_type_requirement,
                                translate_documentation_types(condition_type),
                            ),