Fix lib policies SecurityGroups and UnsafeTraffic

Correct wrong variable name in unprotected_ports rule. Reduce rule comment to 255 char limit in UnsafeTraffic policy. Change-Id: I1b0adff2740191ba0dd68d109ef9640041a40bd0
2017-07-31 14:49:51 -07:00 · 2017-07-31 14:49:51 -07:00 · 58d04ef53c
parent 211ca29f96
commit 58d04ef53c
2 changed files with 11 additions and 11 deletions
--- a/library/security_groups/security_groups.yaml
+++ b/library/security_groups/security_groups.yaml
@ -18,7 +18,7 @@ rules:
  -
    comment: "Ports not protected by a 'secure' security group."
    rule: >
-      unprotected_ports(sg_id) :-
+      unprotected_ports(port_id) :-
        neutronv2:ports(id=port_id), not protected_ports(port_id)
  -
    comment: "Servers with at least one unprotected port."
--- a/library/security_groups/unsafe_traffic.yaml
+++ b/library/security_groups/unsafe_traffic.yaml
@ -1,18 +1,11 @@
 ---
 name: UnsafeTraffic
-description: >
+description: |
  Specify blacklisted traffic types.
  Identify security groups that allow blacklisted traffic types.
  Warn on security groups labeled as secure but allow blacklisted traffic types.
-  
-rules:
-  -
-    comment: "User should customize this.  unsafe_traffic(direction, protocol, port)."
-    rule: unsafe_traffic('ingress', 'tcp', 22)
-  -
-    comment: |
-      Groups that allow unsafe traffic. Case: all specified. Written as 8 rules due to present
-      rule language restrictions. The desired meaning is summarized in this single pseudo-rule:
+  Written as 8 rules due to present rule language restrictions.
+  The desired meaning is summarized in this single pseudo-rule:
        groups_allow_unsafe_traffic(sg_id, rule_id) :-
          neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,
                                         protocol=rule_protocol, port_range_min=port_min, port_range_max=port_max),
@ -20,6 +13,13 @@ rules:
          (port_min <= unsafe_port OR port_min = 'None'),
          (unsafe_port <= port_max OR port_max = 'None'),
          (rule_protocol = unsafe_protocol OR rule_protocol = 'None')
+
+rules:
+  -
+    comment: "User should customize this.  unsafe_traffic(direction, protocol, port)."
+    rule: unsafe_traffic('ingress', 'tcp', 22)
+  -
+    comment: "Groups that allow unsafe traffic. Case: all specified"
    rule: >
      groups_allows_unsafe_traffic(sg_id, rule_id) :-
        neutronv2:security_group_rules(security_group_id=sg_id, id=rule_id, direction=direction,