From e087f2e1b684d7dd7473aca4583b6acd2153b61d Mon Sep 17 00:00:00 2001 From: StylusFrost <43682773+StylusFrost@users.noreply.github.com> Date: Tue, 30 Aug 2022 14:58:50 +0200 Subject: [PATCH] fix(check_network_acl): check with all rules together (#1350) --- ...c2_networkacl_allow_ingress_tcp_port_22.py | 14 +- ..._networkacl_allow_ingress_tcp_port_3389.py | 11 +- ...ess_from_internet_to_tcp_ftp_port_20_21.py | 4 +- .../aws/services/ec2/lib/network_acls.py | 100 +- .../aws/services/ec2/lib/network_acls_test.py | 1106 +++++++++++++++++ 5 files changed, 1192 insertions(+), 43 deletions(-) create mode 100644 providers/aws/services/ec2/lib/network_acls_test.py diff --git a/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py b/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py index 6101b60b..1a60d4cf 100644 --- a/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py +++ b/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py 
@@ -9,20 +9,10 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check): tcp_protocol = "6" check_port = 22 for network_acl in ec2_client.network_acls: - public = False report = Check_Report(self.metadata) report.region = network_acl.region - for entry in network_acl.entries: - # For IPv4 - if "CidrBlock" in entry: - public = check_network_acl(entry, tcp_protocol, check_port, "IPv4") - # For IPv6 - if "Ipv6CidrBlock" in entry: - public = check_network_acl(entry, tcp_protocol, check_port, "IPv6") - # If some entry allows it, that ACL is not securely configured - if public: - break - if not public: + # If some entry allows it, that ACL is not securely configured + if not check_network_acl(network_acl.entries, tcp_protocol, check_port): report.status = "PASS" report.status_extended = f"Network ACL {network_acl.id} has not SSH port 22 open to the Internet." report.resource_id = network_acl.id diff --git a/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py b/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py index 57bfbc38..2c17dbb2 100644 --- a/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py +++ b/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py 
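Review bot: The comment retained above the new call, `# If some entry allows it, that ACL is not securely configured`, no longer describes what check_network_acl decides — the library now walks ingress rules by ascending RuleNumber and reports the port open only when a public allow is reached before a public deny, so a later allow does not flag; I would reword it to `# Open only if, walking rules by RuleNumber, a public allow for the port precedes any public deny for it`. check_port is the int 22 here while the library signature still annotates `port: str`; the int is what the range comparison in check_network_acl needs, so the annotation is what should change, but this call site should not be read as passing a string. The same comment and call appear in the port 3389 hunk. The execute method's body continues outside this hunk.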
@@ -9,17 +9,10 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check): tcp_protocol = "6" check_port = 3389 for network_acl in ec2_client.network_acls: - public = False report = Check_Report(self.metadata) report.region = network_acl.region - for entry in network_acl.entries: - # For IPv4 - if "CidrBlock" in entry: - public = check_network_acl(entry, tcp_protocol, check_port, "IPv4") - # For IPv6 - if "Ipv6CidrBlock" in entry: - public = check_network_acl(entry, tcp_protocol, check_port, "IPv6") - if not public: + # If some entry allows it, that ACL is not securely configured + if not check_network_acl(network_acl.entries, tcp_protocol, check_port): report.status = "PASS" report.status_extended = f"Network ACL {network_acl.id} has not Microsoft RDP port 3389 open to the Internet." report.resource_id = network_acl.id diff --git a/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py b/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py index 45291e95..4ef52b2d 100644 --- a/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py +++ b/providers/aws/services/ec2/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21/ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21.py @@ -1,6 +1,6 @@ from lib.check.models import Check, Check_Report -from providers.aws.services.ec2.ec2_service import check_security_group, ec2_client - +from providers.aws.services.ec2.ec2_service import ec2_client +from providers.aws.services.ec2.lib.security_groups import check_security_group class ec2_securitygroup_allow_ingress_from_internet_to_tcp_ftp_port_20_21(Check): def execute(self): 
diff --git a/providers/aws/services/ec2/lib/network_acls.py b/providers/aws/services/ec2/lib/network_acls.py index a37a2c66..1e066c9f 100644 --- a/providers/aws/services/ec2/lib/network_acls.py +++ b/providers/aws/services/ec2/lib/network_acls.py 
@@ -1,27 +1,87 @@ +from re import T from typing import Any -################## Network ACLs -# Check if the network acls ingress rule has public access to the check_ports using the protocol -def check_network_acl(entry: Any, protocol: str, port: str, ip_version: str) -> bool: - # For IPv4 - if ip_version == "IPv4": - entry_value = "CidrBlock" - public_ip = "0.0.0.0/0" - # For IPv6 - elif ip_version == "IPv6": - entry_value = "Ipv6CidrBlock" - public_ip = "::/0" +# Network ACLs +# Check if the network acls rules has ingress public access to the check_ports using the protocol +def check_network_acl(rules: Any, protocol: str, port: str) -> bool: - if ( - entry[entry_value] == public_ip - and entry["RuleAction"] == "allow" - and not entry["Egress"] - ): - if entry["Protocol"] == "-1" or ( - entry["PortRange"]["From"] == port - and entry["PortRange"]["To"] == port - and entry["Protocol"] == protocol + # Spliting IPv6 from IPv4 rules + rules_IPv6 = list( + filter(lambda rule: rule.get("CidrBlock") is None and not rule["Egress"], rules)) + + # For IPv6 + # Rules must order by RuleNumber + for rule in sorted(rules_IPv6, key=lambda rule: rule["RuleNumber"]): + if ( + rule["Ipv6CidrBlock"] == "::/0" + and rule["RuleAction"] == "deny" + and ( + rule["Protocol"] == "-1" + or + ( + rule["Protocol"] == protocol + and + rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"] + ) + ) + ): + # Exist IPv6 deny for this port + break + + if ( + rule["Ipv6CidrBlock"] == "::/0" + and rule["RuleAction"] == "allow" + and ( + rule["Protocol"] == "-1" + or + ( + rule["Protocol"] == protocol + and + rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"] + ) + ) + ): + # Exist IPv6 allow for this port + return True + + # There are not IPv6 Public access here + + # Spliting IPv4 from IPv6 rules + rules_IPv4 = list(filter(lambda rule: rule.get("Ipv6CidrBlock") is None and not rule["Egress"], rules)) + + # For IPv4 + # Rules must order by RuleNumber + for rule in sorted(rules_IPv4, 
key=lambda rule: rule["RuleNumber"]): + if ( + rule["CidrBlock"] == "0.0.0.0/0" + and rule["RuleAction"] == "deny" + and ( + rule["Protocol"] == "-1" + or + ( + rule["Protocol"] == protocol + and + rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"] + ) + ) + ): + + # Exist IPv4 deny for this port and if exist IPv6 there are not IPv6 Public access here + return False + + if ( + rule["CidrBlock"] == "0.0.0.0/0" + and rule["RuleAction"] == "allow" + and ( + rule["Protocol"] == "-1" + or + ( + rule["Protocol"] == protocol + and + rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"] + ) + ) ): return True diff --git a/providers/aws/services/ec2/lib/network_acls_test.py b/providers/aws/services/ec2/lib/network_acls_test.py new file mode 100644 index 00000000..b987828b --- /dev/null +++ b/providers/aws/services/ec2/lib/network_acls_test.py 
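Review bot: check_network_acl falls off the end after the IPv4 loop, so an ACL whose ingress rules contain no `0.0.0.0/0` rule covering the port yields None rather than the annotated bool; the `if not` callers tolerate that, but `== False` comparisons do not, so add `return False` as the last line of the function. The signature's `port: str` contradicts the new `rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"]` comparison, which needs the int the checks pass (`check_port = 22`) and would raise TypeError on a str; change it to `port: int`. `from re import T` on the first line is unused and looks like an editor auto-import; drop it. The four copies of the protocol/port predicate could be a small helper so the evaluation order (a public deny stops the search, a public allow returns) is visible in a few lines, as sketched below.
```python
def _rule_covers_port(rule: dict, protocol: str, port: int) -> bool:
    """True when `rule` applies to `port` on `protocol`: an all-protocol rule
    ("-1") matches any port, otherwise the protocol must match and the port
    must lie inside the rule's PortRange."""
    if rule["Protocol"] == "-1":
        return True
    return (
        rule["Protocol"] == protocol
        and rule["PortRange"]["From"] <= port <= rule["PortRange"]["To"]
    )


def check_network_acl(rules: Any, protocol: str, port: int) -> bool:
    # … unchanged: rules_IPv6 / rules_IPv4 ingress split …
    # Walk by ascending RuleNumber: the first public deny ends the IPv6 search,
    # the first public allow means the port is open.
    for rule in sorted(rules_IPv6, key=lambda rule: rule["RuleNumber"]):
        if rule["Ipv6CidrBlock"] != "::/0" or not _rule_covers_port(rule, protocol, port):
            continue
        if rule["RuleAction"] == "deny":
            break
        if rule["RuleAction"] == "allow":
            return True
    # … unchanged: same walk over rules_IPv4, returning False on a public deny …
    return False
```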
@@ -0,0 +1,1106 @@ +from providers.aws.services.ec2.lib.network_acls import check_network_acl + +default_deny_entry_ingress_IPv4 = { + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'deny', + "RuleNumber": 32767} + +default_deny_entry_ingress_IPv6 = { + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'deny', + "RuleNumber": 32768} + +default_deny_entry_egress_IPv4 = { + "CidrBlock": '0.0.0.0/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'deny', + "RuleNumber": 32767} + +default_deny_entry_egress_IPv6 = { + "Ipv6CidrBlock": '::/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'deny', + "RuleNumber": 32768} + +allow_all_entry_ingress_IPv4 = { + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'allow', + "RuleNumber": 32766} + +allow_all_entry_ingress_IPv6 = { + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": "-1", + "RuleAction": 'allow', + "RuleNumber": 32766} + + +class Test_Network_Acls_IPv4_Only: + def test_check_IPv4_only_ingress_port_default_entries_deny(self): + check_port = 22 + tcp_protocol = "-1" + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_only_ingress_port_with_allow_port(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + 
"Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_only_ingress_port_with_deny_port(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_only_ingress_port_with_deny_port_in_range(self): + check_port = 22 + port_from = 21 + port_to = 24 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_only_ingress_port_with_deny_port_out_range(self): + check_port = 22 + port_from = 31 + port_to = 34 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + 
"RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_only_ingress_port_with_deny_port_order_incorrect(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 102}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_only_ingress_port_with_deny_port_order_correct(self): + + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 101}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 102}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_only_ingress_port_with_allow_port_but_egress(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + 
entries.append(default_deny_entry_egress_IPv4) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + +class Test_Network_Acls_IPv4_IPv6: + def test_check_IPv4_IPv6_ingress_port_default_entries_deny_both(self): + check_port = 22 + tcp_protocol = "-1" + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_IPv4(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_IPV6(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + 
entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_both(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_IPv4(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert 
check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_IPv6(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_both(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 100}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 101}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def 
test_check_IPv4_IPv6_ingress_port_with_deny_port_in_range_IPv4(self): + check_port = 22 + port_from = 21 + port_to = 24 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_in_range_IPv6(self): + check_port = 22 + port_from = 21 + port_to = 24 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_in_range_both(self): + check_port = 22 + port_from = 21 + 
port_to = 24 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 101}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_out_range_IPv4(self): + check_port = 22 + port_from = 31 + port_to = 34 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, 
check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_out_range_IPv6(self): + check_port = 22 + port_from = 31 + port_to = 34 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + # Allow All IPv4 + entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_out_range_both(self): + check_port = 22 + port_from = 31 + port_to = 34 + tcp_protocol = "6" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 100}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "PortRange": { + "From": port_from, + "To": port_to + }, + "RuleNumber": 101}) + + # Allow All IPv4 + 
entries.append(allow_all_entry_ingress_IPv4) + + # Allow All IPv6 + entries.append(allow_all_entry_ingress_IPv6) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_incorrect_IPv4(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 102}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_incorrect_IPv6(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 102}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == 
True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_incorrect_both(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 102}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 202}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 201}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == True + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_correct_IPv4(self): + + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 101}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, 
+ "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 102}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_correct_IPv6(self): + + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 101}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 102}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_deny_port_order_correct_both(self): + + check_port = 22 + tcp_protocol = "-1" + + entries = [] + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 101}) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 102}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": 
False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'deny', + "RuleNumber": 201}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": False, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 202}) + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_but_egress_IPv4(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_but_egress_IPv6(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False + + def test_check_IPv4_IPv6_ingress_port_with_allow_port_but_egress_both(self): + check_port = 22 + tcp_protocol = "-1" + + entries = [] + + # Default IPv4 Ingress Deny + 
entries.append(default_deny_entry_ingress_IPv4) + + # Default IPv4 Egress Deny + entries.append(default_deny_entry_egress_IPv4) + + # Default IPv6 Ingress Deny + entries.append(default_deny_entry_ingress_IPv6) + + # Default IPv6 Egress Deny + entries.append(default_deny_entry_egress_IPv6) + + entries.append({ + "Ipv6CidrBlock": '::/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 100}) + + entries.append({ + "CidrBlock": '0.0.0.0/0', + "Egress": True, + "NetworkAclId": "acl-072d520d07e1c1471", + "Protocol": tcp_protocol, + "RuleAction": 'allow', + "RuleNumber": 101}) + + assert check_network_acl(entries, + tcp_protocol, check_port) == False
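Review bot: Every assertion compares with `== False` or `== True`, which cannot tell a real False from the None that check_network_acl returns when it falls off the end of its IPv4 loop; `assert check_network_acl(entries, tcp_protocol, check_port) is False` is the form that actually pins the bool contract. Every case includes default_deny_entry_ingress_IPv4, so no test reaches that fall-through — add an ACL whose ingress rules carry no `0.0.0.0/0` entry at all, and one where the only allow is for a non-public CIDR (a constructed `10.0.0.0/8` allow ahead of the default deny), which should not count as open. The module-level fixture dicts are appended to every `entries` list by reference; nothing mutates them here, but a small factory function returning a fresh dict would keep a future test from editing a shared fixture.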