
Fix opa fmt
romulets committed Dec 23, 2024
1 parent b94ab14 commit dbe743a
Showing 610 changed files with 1,225 additions and 1,226 deletions.
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_enabled_mfa as audit
import future.keywords.if

# Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_access_keys_use as audit
import future.keywords.if

# Do not setup access keys during initial user setup for all IAM users that have a console password.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -22,7 +22,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.validate_credentials as audit
import future.keywords.if

# Ensure credentials unused for 45 days or greater are disabled
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -29,7 +29,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure that there is only a single active access key per user.
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -20,7 +20,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.verify_keys_rotation as audit
import future.keywords.if

# Ensure access keys are rotated every 90 days or less
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -21,7 +21,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure IAM Users Receive Permissions Only Through Groups
finding = result if {
finding := result if {
# filter
data_adapter.is_iam_user

Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(inline_policies, attached_policies) = test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
rule_input(inline_policies, attached_policies) := test_data.generate_iam_user_with_policies(inline_policies, attached_policies)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -22,4 +22,4 @@ policy_is_permissive if {
statement.Effect == "Allow"
"*" in common.ensure_array(statement.Action)
"*" in common.ensure_array(statement.Resource)
} else = false
} else := false
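Review bot: The `else := false` fallback in `policy_is_permissive` only fires when the three conditions above it all fail, and those conditions match just the literal CIS 1.16 shape: `Effect == "Allow"`, `"*"` in `Action`, `"*"` in `Resource`. A statement that grants equivalent access through `NotAction`/`NotResource` (for example a `NotAction` with a narrow exclusion plus `Resource: "*"`) does not satisfy this check and is therefore treated as non-permissive. The rule head and the binding of `statement` sit above the hunk, so I can't see whether a sibling rule covers those forms; if following the benchmark text literally is intentional, a comment on the head would make that explicit, e.g. `# Literal CIS 1.16 shape only: Allow + Action "*" + Resource "*"; NotAction/NotResource statements are not examined here.` Otherwise the two membership checks could be extended to flag the `NotAction`/`NotResource` variants as well.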
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(statements) = {
generate_input(statements) := {
"subType": "aws-policy",
"resource": {"document": {"Statement": statements}},
}
Expand Up @@ -6,7 +6,7 @@ import future.keywords.if
import future.keywords.in

# Ensure a support role has been created to manage incidents with AWS Support
finding = result if {
finding := result if {
# filter
data_adapter.is_aws_support_access

Expand All @@ -22,4 +22,4 @@ aws_support_has_attached_roles if {
# a sanity test.
some role in data_adapter.roles
role.RoleId != ""
} else = false
} else := false
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(roles) = {
generate_input(roles) := {
"subType": "aws-policy",
"resource": {
"Arn": "arn:aws:iam::aws:policy/AWSSupportAccess",
Expand Up @@ -5,9 +5,9 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.every
import future.keywords.if

default rule_evaluation = false
default rule_evaluation := false

finding = result if {
finding := result if {
data_adapter.is_server_certificate

result := common.generate_result_without_expected(
Expand Up @@ -5,16 +5,16 @@ import data.compliance.lib.common
import data.lib.test
import future.keywords.if

generate_certificate_resource(certificates) = {
generate_certificate_resource(certificates) := {
"subType": "aws-iam-server-certificate",
"resource": {"certificates": certificates},
}

generate_expiration(expiration) = {"Expiration": expiration}
generate_expiration(expiration) := {"Expiration": expiration}

last_year = common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
last_year := common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))

next_year = common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
next_year := common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))

test_violation if {
# fails when an expired certificate exists
Expand Up @@ -7,7 +7,7 @@ import future.keywords.if
import future.keywords.in

# Ensure that IAM Access analyzer is enabled for all regions
finding = result if {
finding := result if {
# filter
data_adapter.is_access_analyzers

Expand All @@ -24,4 +24,4 @@ analyzer_exists if {
analyzer.Region == region
analyzer.Status == "ACTIVE"
}
} else = false
} else := false
Expand Up @@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
import data.lib.test
import future.keywords.if

generate_input(analyzers, regions) = {
generate_input(analyzers, regions) := {
"type": "identity-management",
"subType": "aws-access-analyzers",
"resource": {
Expand All @@ -13,7 +13,7 @@ generate_input(analyzers, regions) = {
},
}

analyzer(arn, status, region) = {
analyzer(arn, status, region) := {
"Arn": arn,
"CreatedAt": "2023-01-09T15:06:39Z",
"Name": "Analyzer",
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure no 'root' user account access key exists.
finding = result if {
finding := result if {
# filter
data_adapter.is_root_user

Expand Up @@ -20,7 +20,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

# Ensure MFA is enabled for the 'root' user account.
finding = result if {
finding := result if {
# filter
data_adapter.is_root_user

Expand Up @@ -17,7 +17,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_hardware_mfa as audit
import future.keywords.if

# Ensure hardware MFA is enabled for the 'root' user account.
finding = result if {
finding := result if {
# filter
data_adapter.is_root_user

Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -7,7 +7,7 @@ import future.keywords.if

# Eliminate use of the 'root' user for administrative and daily tasks
# daily interpret as a day (24h)
finding = result if {
finding := result if {
# filter
data_adapter.is_root_user

Expand Up @@ -23,7 +23,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_iam_user
}

rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -4,9 +4,9 @@ import data.compliance.lib.common
import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

default rule_evaluation = false
default rule_evaluation := false

finding = result if {
finding := result if {
# filter
data_adapter.is_pwd_policy

Expand Up @@ -19,7 +19,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_pwd_policy
}

rule_input(pwd_len, reuse_count) = test_data.generate_password_policy(pwd_len, reuse_count)
rule_input(pwd_len, reuse_count) := test_data.generate_password_policy(pwd_len, reuse_count)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -4,10 +4,10 @@ import data.compliance.lib.common
import data.compliance.policy.aws_iam.data_adapter
import future.keywords.if

default rule_evaluation = false
default rule_evaluation := false

# Ensure that the number of previous passwords that IAM users are prevented from reusing is 24.
finding = result if {
finding := result if {
# filter
data_adapter.is_pwd_policy

Expand Up @@ -18,7 +18,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_pwd_policy
}

rule_input(pwd_len, reuse_count) = test_data.generate_password_policy(pwd_len, reuse_count)
rule_input(pwd_len, reuse_count) := test_data.generate_password_policy(pwd_len, reuse_count)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_1

import data.compliance.policy.aws_s3.ensure_encryption_at_rest as audit

finding = audit.finding
finding := audit.finding
Expand Up @@ -21,7 +21,7 @@ test_not_evaluated if {
not_eval with input as rule_input("my bucket", null)
}

rule_input(name, sse_algorithm) = test_data.generate_s3_bucket(name, sse_algorithm, null, null, null, null)
rule_input(name, sse_algorithm) := test_data.generate_s3_bucket(name, sse_algorithm, null, null, null, null)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_2

import data.compliance.policy.aws_s3.ensure_bucket_policy_deny_http as audit

finding = audit.finding
finding := audit.finding
Expand Up @@ -36,7 +36,7 @@ test_not_evaluated if {
not_eval with input as test_data.s3_bucket_without_policy
}

rule_input(effect, principal, action, is_secure_transport) = test_data.generate_s3_bucket("Bucket", "", [test_data.generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport)], null, null, null)
rule_input(effect, principal, action, is_secure_transport) := test_data.generate_s3_bucket("Bucket", "", [test_data.generate_s3_bucket_policy_statement(effect, principal, action, is_secure_transport)], null, null, null)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_3

import data.compliance.policy.aws_s3.ensure_mfa_delete_enabled as audit

finding = audit.finding
finding := audit.finding
Expand Up @@ -20,7 +20,7 @@ test_not_evaluated if {
not_eval with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, null)
}

rule_input(enabled, mfa_delete) = test_data.generate_s3_bucket("Bucket", "", null, test_data.generate_s3_bucket_versioning(enabled, mfa_delete), null, null)
rule_input(enabled, mfa_delete) := test_data.generate_s3_bucket("Bucket", "", null, test_data.generate_s3_bucket_versioning(enabled, mfa_delete), null, null)

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter
Expand Up @@ -2,4 +2,4 @@ package compliance.cis_aws.rules.cis_2_1_5

import data.compliance.policy.aws_s3.ensure_block_public_access as audit

finding = audit.finding
finding := audit.finding
Expand Up @@ -41,7 +41,7 @@ test_not_evaluated if {
not_eval with input as test_data.not_evaluated_s3_bucket
}

rule_input(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets, account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets) = test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), test_data.generate_s3_public_access_block_configuration(account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets))
rule_input(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets, account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets) := test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), test_data.generate_s3_public_access_block_configuration(account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets))

eval_fail if {
test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter