Skip to content

Commit 3847b59

Browse files
kddejongkddejong
authored
Allow ICMP to have fromport other than -1 with to port -1 (#3482)
1 parent 39d6fee commit 3847b59

File tree

2 files changed

+124
-54
lines changed

2 files changed

+124
-54
lines changed

Diff for: src/cfnlint/data/schemas/extensions/aws_ec2_securitygroup/all_to_and_from_ports.json

+93-50
Original file line numberDiff line numberDiff line change
@@ -1,60 +1,103 @@
11
{
2-
"allOf": [
3-
{
4-
"if": {
5-
"properties": {
6-
"ToPort": {
7-
"enum": [
8-
-1,
9-
"-1"
10-
]
11-
}
2+
"else": {
3+
"allOf": [
4+
{
5+
"if": {
6+
"properties": {
7+
"ToPort": {
8+
"enum": [
9+
-1,
10+
"-1"
11+
]
12+
}
13+
},
14+
"required": [
15+
"ToPort"
16+
]
1217
},
13-
"required": [
14-
"ToPort"
15-
]
18+
"then": {
19+
"properties": {
20+
"FromPort": {
21+
"enum": [
22+
-1,
23+
"-1"
24+
]
25+
}
26+
},
27+
"required": [
28+
"FromPort"
29+
]
30+
}
1631
},
17-
"then": {
18-
"properties": {
19-
"FromPort": {
20-
"enum": [
21-
-1,
22-
"-1"
23-
]
24-
}
32+
{
33+
"if": {
34+
"properties": {
35+
"FromPort": {
36+
"enum": [
37+
-1,
38+
"-1"
39+
]
40+
}
41+
},
42+
"required": [
43+
"FromPort"
44+
]
2545
},
26-
"required": [
27-
"FromPort"
46+
"then": {
47+
"properties": {
48+
"ToPort": {
49+
"enum": [
50+
-1,
51+
"-1"
52+
]
53+
}
54+
},
55+
"required": [
56+
"ToPort"
57+
]
58+
}
59+
}
60+
]
61+
},
62+
"if": {
63+
"properties": {
64+
"IpProtocol": {
65+
"enum": [
66+
"1",
67+
"icmp"
2868
]
2969
}
3070
},
31-
{
32-
"if": {
33-
"properties": {
34-
"FromPort": {
35-
"enum": [
36-
-1,
37-
"-1"
38-
]
39-
}
40-
},
41-
"required": [
42-
"FromPort"
43-
]
71+
"required": [
72+
"IpProtocol"
73+
]
74+
},
75+
"then": {
76+
"if": {
77+
"properties": {
78+
"FromPort": {
79+
"enum": [
80+
-1,
81+
"-1"
82+
]
83+
}
4484
},
45-
"then": {
46-
"properties": {
47-
"ToPort": {
48-
"enum": [
49-
-1,
50-
"-1"
51-
]
52-
}
53-
},
54-
"required": [
55-
"ToPort"
56-
]
57-
}
85+
"required": [
86+
"FromPort"
87+
]
88+
},
89+
"then": {
90+
"properties": {
91+
"ToPort": {
92+
"enum": [
93+
-1,
94+
"-1"
95+
]
96+
}
97+
},
98+
"required": [
99+
"ToPort"
100+
]
58101
}
59-
]
102+
}
60103
}

Diff for: test/unit/rules/resources/ec2/test_sg_all_to_and_from_ports.py

+31-4
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ def rule():
4040
},
4141
[],
4242
),
43+
(
44+
{
45+
"IpProtocol": 1,
46+
"ToPort": -1,
47+
"FromPort": 8,
48+
},
49+
[],
50+
),
4351
(
4452
{
4553
"ToPort": -1,
@@ -56,7 +64,7 @@ def rule():
5664
"properties": {"FromPort": {"enum": [-1, "-1"]}},
5765
"required": ["FromPort"],
5866
},
59-
schema_path=deque(["allOf", 0, "then", "required"]),
67+
schema_path=deque(["else", "allOf", 0, "then", "required"]),
6068
)
6169
],
6270
),
@@ -76,7 +84,7 @@ def rule():
7684
"properties": {"ToPort": {"enum": [-1, "-1"]}},
7785
"required": ["ToPort"],
7886
},
79-
schema_path=deque(["allOf", 1, "then", "required"]),
87+
schema_path=deque(["else", "allOf", 1, "then", "required"]),
8088
)
8189
],
8290
),
@@ -95,7 +103,7 @@ def rule():
95103
instance=5,
96104
schema={"enum": [-1, "-1"]},
97105
schema_path=deque(
98-
["allOf", 0, "then", "properties", "FromPort", "enum"]
106+
["else", "allOf", 0, "then", "properties", "FromPort", "enum"]
99107
),
100108
)
101109
],
@@ -115,11 +123,30 @@ def rule():
115123
instance=5,
116124
schema={"enum": [-1, "-1"]},
117125
schema_path=deque(
118-
["allOf", 1, "then", "properties", "ToPort", "enum"]
126+
["else", "allOf", 1, "then", "properties", "ToPort", "enum"]
119127
),
120128
)
121129
],
122130
),
131+
(
132+
{
133+
"IpProtocol": "icmp",
134+
"ToPort": 8,
135+
"FromPort": -1,
136+
},
137+
[
138+
ValidationError(
139+
("Both ['FromPort', 'ToPort'] must " "be -1 when one is -1"),
140+
rule=SecurityGroupAllToAndFromPorts(),
141+
path=deque(["ToPort"]),
142+
validator="enum",
143+
validator_value=[-1, "-1"],
144+
instance=5,
145+
schema={"enum": [-1, "-1"]},
146+
schema_path=deque(["then", "then", "properties", "ToPort", "enum"]),
147+
)
148+
],
149+
),
123150
],
124151
)
125152
def test_backup_lifecycle(instance, expected, rule, validator):

0 commit comments

Comments
 (0)