def test_remediate_false_requirement(self):
    """Every action is disallowed for REGULAR_USER when requirement and exclusion are empty dicts."""
    expected = {
        'remediate': False,
        'requestExclusion': False,
        'requestExclusionChange': False,
    }
    actions = ncr_util.get_allowed_actions(
        sample_records.REGULAR_USER, '123123123123', {}, {})
    assert actions == expected
def prepare_allowed_actions_output(output, resource, user, account, requirement):
    """
    Attach the allowedActions section to an output dict.

    The exclusion used for the permission lookup is taken from the resource's
    'exclusion' key (an empty dict when absent). The output dict is modified
    in place and also returned for convenience.

    :param output: The output dict to add the 'allowedActions' key to.
    :param resource: a dict for the resource; its 'exclusion' entry is used.
    :param user: a dict representing the user the actions are computed for.
    :param account: a string representing the account.
    :param requirement: a dict representing the requirement.
    :returns dict: The same output dict, now carrying 'allowedActions'.
    """
    exclusion = resource.get('exclusion', {})
    allowed = ncr_util.get_allowed_actions(user, account, requirement, exclusion)
    output['allowedActions'] = allowed
    return output
def test_request_exclusion_change_false_permissions(self):
    """requestExclusionChange is falsy for REGULAR_USER with no existing exclusion."""
    actions = ncr_util.get_allowed_actions(
        sample_records.REGULAR_USER, '123123123123', {}, {})
    change_allowed = actions['requestExclusionChange']
    assert not change_allowed
def test_request_exclusion_change_true(self):
    """requestExclusionChange is truthy for REGULAR_USER once an exclusion is 'approved'."""
    approved_exclusion = {'status': 'approved'}
    actions = ncr_util.get_allowed_actions(
        sample_records.REGULAR_USER, '123123123123', {}, approved_exclusion)
    change_allowed = actions['requestExclusionChange']
    assert change_allowed
def test_request_exclusion_true(self):
    """requestExclusion is truthy for REGULAR_USER with an empty requirement and no exclusion."""
    actions = ncr_util.get_allowed_actions(
        sample_records.REGULAR_USER, '123123123123', {}, {})
    request_allowed = actions['requestExclusion']
    assert request_allowed
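def put_exclusions_for_user_handler(event, context):
    """
    Apply a user's exclusion update to an NCR and return the new state.

    Reads from *event*: 'scanId' (the latest scan id), 'userRecord' (the
    calling user), and 'body' with 'ncrId' and the 'exclusion' update. The
    request is validated, the user's permissions are checked against the
    exclusion as it currently stands, and only then is the merged exclusion
    persisted and the NCR rewritten with it.

    :param event: dict carrying 'scanId', 'userRecord' and 'body'.
    :param context: Lambda context; unused here.
    :returns dict: {'newExclusion': ..., 'newNcr': {'ncrId', 'resource',
        'allowedActions'}}.
    :raises exceptions.HttpInvalidException: scan is not the latest, no
        exclusion supplied, or the requirement's exclusion type is unknown.
    :raises exceptions.HttpNotFoundException: requirement or NCR not found.
    :raises exceptions.HttpForbiddenException: a wildcard exclusion covers
        the NCR, or the user lacks the action the prospective state needs.
    """
    latest_scan_id = event.get('scanId', '')
    user_record = event.get('userRecord', {})
    body = event.get('body', {})
    ncr_id = body.get('ncrId', '')
    update_request = body.get('exclusion', {})
    scan_id, account_id, resource_id, requirement_id = split_ncr_id(ncr_id)

    # input validation
    if scan_id != latest_scan_id:
        raise exceptions.HttpInvalidException(
            'Can only exclude ncrs from latest scans')
    if not update_request:
        raise exceptions.HttpInvalidException('Must supply exclusion to put')

    # data validation -- check each record right after it is fetched so a
    # missing requirement surfaces as HttpNotFound instead of an
    # AttributeError on requirement.get() below.
    requirement = requirements_table.get(requirement_id)
    if not requirement:
        raise exceptions.HttpNotFoundException(
            f'Requirement not found: {requirement_id}')
    ncr = ncr_table.get_ncr(scan_id, account_id, resource_id, requirement_id)
    if not ncr:
        raise exceptions.HttpNotFoundException(f'NCR does not exist: {ncr_id}')
    current_exclusion = exclusions_table.get_exclusion(
        account_id=account_id,
        requirement_id=requirement_id,
        resource_id=resource_id)
    exclusion_type = requirement.get('exclusionType')
    exclusion_types = config_table.get_config(config_table.EXCLUSIONS)
    exclusion_config = exclusion_types.get(exclusion_type, {})
    if not exclusion_config:
        raise exceptions.HttpInvalidException(
            f'Cannot find exclusion type: {exclusion_type}')

    # authorization -- permissions are evaluated against the exclusion as
    # stored now, not against the caller-supplied update.
    if exclusions.is_wildcard_exclusion(current_exclusion):
        raise exceptions.HttpForbiddenException(
            'Wildcard exclusion applied to ncr')
    allowed_actions = ncr_util.get_allowed_actions(
        user_record, account_id, requirement, current_exclusion)
    # The state the exclusion would end up in decides which action is needed.
    prospective_exclusion = dict_merge(current_exclusion, update_request)
    prospective_state = exclusions.get_state(prospective_exclusion)
    if prospective_state in exclusions.REQUEST_EXCLUSION_STATES:
        if not allowed_actions['requestExclusion']:
            raise exceptions.HttpForbiddenException('Cannot requestExclusion')
    if prospective_state in exclusions.REQUEST_EXCLUSION_CHANGE_STATES:
        if not allowed_actions['requestExclusionChange']:
            raise exceptions.HttpForbiddenException(
                'Cannot requestExclusionChange')

    # update
    new_exclusion = exclusions.update_exclusion(
        current_exclusion, update_request, exclusion_config, False)
    # Identity fields come from the validated ncrId, never from the request body.
    new_exclusion['accountId'] = account_id
    new_exclusion['resourceId'] = resource_id
    new_exclusion['requirementId'] = requirement_id
    new_exclusion['type'] = exclusion_type
    new_exclusion['exclusionId'] = exclusions_table.get_exclusion_id(
        new_exclusion)
    # NOTE(review): user_record is taken from the event as-is; presumably an
    # upstream authorizer populates it -- confirm it cannot be caller-supplied.
    new_exclusion['lastModifiedByUser'] = user_record.get('email')
    new_exclusion['rqrmntId_rsrceRegex'] = (
        f'{new_exclusion["requirementId"]}#{new_exclusion["resourceId"]}')
    exclusions_table.update_exclusion(new_exclusion, {})
    # NOTE(review): when the user record carries no email the write above
    # still happens but no audit record is written -- confirm that is intended.
    if user_record.get('email'):
        audit_table.put_audit_trail(
            user_record['email'], audit_table.PUT_EXCLUSION_USER, {
                'updateRequest': update_request,
                'newExclusion': new_exclusion,
                'deleteExclusion': {},
            })
    new_allowed_actions = ncr_util.get_allowed_actions(
        user_record, account_id, requirement, new_exclusion)
    updated_ncr = update_ncr_exclusion(ncr, new_exclusion, exclusion_types)
    logger.debug('Updated ncr: %s', json.dumps(updated_ncr, default=str))
    ncr_table.put_item(Item=updated_ncr)
    return {
        'newExclusion': new_exclusion,
        'newNcr': {
            'ncrId': ncr_id,
            'resource': updated_ncr,
            'allowedActions': new_allowed_actions,
        }
    }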