Fixing Guard Rules (#63)

ammokhov · web-flow · commit 58bb37c241e7 · 2024-05-22T11:45:09.000-07:00
diff --git a/src/rpdk/guard_rail/rule_library/permissions/schema-linter-core-permission-rules.guard b/src/rpdk/guard_rail/rule_library/permissions/schema-linter-core-permission-rules.guard
@@ -12,16 +12,38 @@ rule ensure_resource_create_handler_exists_and_have_permissions {
     }
     >>
 
-    handlers.create.permissions.* {
-        this != %wildcard_notation
+    handlers.create.permissions exists
+    <<
+    {
+        "result": "NON_COMPLIANT",
+        "check_id": "PER002",
+        "message": "Resource create handler MUST have permissions list specified"
+    }
+    >>
+
+    when handlers.create.permissions exists {
+        handlers.create.permissions !empty
         <<
         {
             "result": "NON_COMPLIANT",
             "check_id": "PER002",
-            "message": "Resource MUST NOT specify wildcard permissions for create handler"
+            "message": "Resource create handler MUST have non-empty permissions"
         }
         >>
     }
+
+    when handlers.create.permissions !empty {
+        handlers.create.permissions.* {
+            this != %wildcard_notation
+            <<
+            {
+                "result": "NON_COMPLIANT",
+                "check_id": "PER002",
+                "message": "Resource MUST NOT specify wildcard permissions for create handler"
+            }
+            >>
+        }
+    }
 }
 
 rule ensure_resource_read_handler_exists_and_have_permissions {
@@ -34,16 +56,38 @@ rule ensure_resource_read_handler_exists_and_have_permissions {
     }
     >>
 
-    handlers.read.permissions.* {
-        this != %wildcard_notation
+    handlers.read.permissions exists
+    <<
+    {
+        "result": "NON_COMPLIANT",
+        "check_id": "PER004",
+        "message": "Resource read handler MUST have permissions list specified"
+    }
+    >>
+
+    when handlers.read.permissions exists {
+        handlers.read.permissions !empty
         <<
         {
             "result": "NON_COMPLIANT",
             "check_id": "PER004",
-            "message": "Resource MUST NOT specify wildcard permissions for read handler"
+            "message": "Resource read handler MUST have non-empty permissions"
         }
         >>
     }
+
+    when handlers.read.permissions !empty {
+        handlers.read.permissions.* {
+            this != %wildcard_notation
+            <<
+            {
+                "result": "NON_COMPLIANT",
+                "check_id": "PER004",
+                "message": "Resource MUST NOT specify wildcard permissions for read handler"
+            }
+            >>
+        }
+    }
 }
 
 rule ensure_resource_update_handler_exists_and_have_permissions {
@@ -102,16 +146,38 @@ rule ensure_resource_delete_handler_exists_and_have_permissions {
     }
     >>
 
-    handlers.delete.permissions.* {
-        this != %wildcard_notation
+    handlers.delete.permissions exists
+    <<
+    {
+        "result": "NON_COMPLIANT",
+        "check_id": "PER009",
+        "message": "Resource delete handler MUST have permissions list specified"
+    }
+    >>
+
+    when handlers.delete.permissions exists {
+        handlers.delete.permissions !empty
         <<
         {
             "result": "NON_COMPLIANT",
             "check_id": "PER009",
-            "message": "Resource MUST NOT specify wildcard permissions for delete handler"
+            "message": "Resource delete handler MUST have non-empty permissions"
         }
         >>
     }
+
+    when handlers.delete.permissions !empty {
+        handlers.delete.permissions.* {
+            this != %wildcard_notation
+            <<
+            {
+                "result": "NON_COMPLIANT",
+                "check_id": "PER009",
+                "message": "Resource MUST NOT specify wildcard permissions for delete handler"
+            }
+            >>
+        }
+    }
 }
 
 rule ensure_resource_list_handler_exists_and_have_permissions {
@@ -124,14 +190,36 @@ rule ensure_resource_list_handler_exists_and_have_permissions {
     }
     >>
 
-    handlers.list.permissions.* {
-        this != %wildcard_notation
+    handlers.list.permissions exists
+    <<
+    {
+        "result": "NON_COMPLIANT",
+        "check_id": "PER011",
+        "message": "Resource list handler MUST have permissions list specified"
+    }
+    >>
+
+    when handlers.list.permissions exists {
+        handlers.list.permissions !empty
         <<
         {
             "result": "NON_COMPLIANT",
             "check_id": "PER011",
-            "message": "Resource MUST NOT specify wildcard permissions for list handler"
+            "message": "Resource list handler MUST have non-empty permissions"
         }
         >>
     }
+
+    when handlers.list.permissions !empty {
+        handlers.list.permissions.* {
+            this != %wildcard_notation
+            <<
+            {
+                "result": "NON_COMPLIANT",
+                "check_id": "PER011",
+                "message": "Resource MUST NOT specify wildcard permissions for list handler"
+            }
+            >>
+        }
+    }
 }
diff --git a/tests/integ/data/sample-schema.json b/tests/integ/data/sample-schema.json
@@ -135,16 +135,16 @@
             "permissions": [
                 "kms:CreateKey",
                 "kms:EnableKeyRotation",
-                "kms:DisableKey",
-                "kms:TagResource"
+                "kms:DisableKey*",
+                "kms:TagResource*"
             ]
         },
         "read": {
             "permissions": [
                 "kms:DescribeKey",
                 "kms:GetKeyPolicy",
-                "kms:GetKeyRotationStatus",
-                "kms:ListResourceTags"
+                "kms:GetKeyRotationStatus*",
+                "kms:ListResourceTags*"
             ]
         },
         "update": {
@@ -156,20 +156,20 @@
                 "kms:EnableKeyRotation",
                 "kms:PutKeyPolicy",
                 "kms:TagResource",
-                "kms:UntagResource",
-                "kms:UpdateKeyDescription"
+                "kms:UntagResource*",
+                "kms:UpdateKeyDescription*"
             ]
         },
         "delete": {
             "permissions": [
-                "kms:DescribeKey",
-                "kms:ScheduleKeyDeletion"
+                "kms:DescribeKey*",
+                "kms:ScheduleKeyDeletion*"
             ]
         },
         "list": {
             "permissions": [
-                "kms:ListKeys",
-                "kms:DescribeKey"
+                "kms:ListKeys*",
+                "kms:DescribeKey*"
             ]
         }
     }
diff --git a/tests/integ/runner/test_integ_runner.py b/tests/integ/runner/test_integ_runner.py
@@ -64,6 +64,66 @@
                         path="",
                     )
                 },
+                "ensure_resource_create_handler_exists_and_have_permissions": {
+                    GuardRuleResult(
+                        check_id="PER002",
+                        message="Resource MUST NOT specify wildcard permissions for create handler",
+                        path="/handlers/create/permissions/3",
+                    ),
+                    GuardRuleResult(
+                        check_id="PER002",
+                        message="Resource MUST NOT specify wildcard permissions for create handler",
+                        path="/handlers/create/permissions/2",
+                    ),
+                },
+                "ensure_resource_update_handler_exists_and_have_permissions": {
+                    GuardRuleResult(
+                        check_id="PER007",
+                        message="Resource MUST NOT specify wildcard permissions for update handler",
+                        path="/handlers/update/permissions/7",
+                    ),
+                    GuardRuleResult(
+                        check_id="PER007",
+                        message="Resource MUST NOT specify wildcard permissions for update handler",
+                        path="/handlers/update/permissions/8",
+                    ),
+                },
+                "ensure_resource_read_handler_exists_and_have_permissions": {
+                    GuardRuleResult(
+                        check_id="PER004",
+                        message="Resource MUST NOT specify wildcard permissions for read handler",
+                        path="/handlers/read/permissions/2",
+                    ),
+                    GuardRuleResult(
+                        check_id="PER004",
+                        message="Resource MUST NOT specify wildcard permissions for read handler",
+                        path="/handlers/read/permissions/3",
+                    ),
+                },
+                "ensure_resource_delete_handler_exists_and_have_permissions": {
+                    GuardRuleResult(
+                        check_id="PER009",
+                        message="Resource MUST NOT specify wildcard permissions for delete handler",
+                        path="/handlers/delete/permissions/1",
+                    ),
+                    GuardRuleResult(
+                        check_id="PER009",
+                        message="Resource MUST NOT specify wildcard permissions for delete handler",
+                        path="/handlers/delete/permissions/0",
+                    ),
+                },
+                "ensure_resource_list_handler_exists_and_have_permissions": {
+                    GuardRuleResult(
+                        check_id="PER011",
+                        message="Resource MUST NOT specify wildcard permissions for list handler",
+                        path="/handlers/list/permissions/1",
+                    ),
+                    GuardRuleResult(
+                        check_id="PER011",
+                        message="Resource MUST NOT specify wildcard permissions for list handler",
+                        path="/handlers/list/permissions/0",
+                    ),
+                },
             },
             {
                 "ensure_properties_do_not_support_multitype": {
