def test_action_whitelist_keeps_non_whitelisted_actions():
    """Whitelisting one action must leave the rule's other flagged actions in place.

    ``s3:List`` is whitelisted for every stack (the ``.*`` stack key). The single
    failure names both ``s3:ListBucket`` and ``s3:GetBucket``; after processing
    only ``s3:GetBucket`` is expected to remain on the failure.
    """
    # NOTE(review): the whitelist entry is "s3:List", yet the expected result shows
    # "s3:ListBucket" stripped — the matcher appears to be a prefix/regex match
    # rather than an exact one. Confirm against RuleProcessor; a prefix match
    # makes a whitelist entry broader than its literal text suggests.
    config = Config(
        stack_name="abcd",
        rules=["MockRule"],
        rule_to_action_whitelist={"MockRule": {".*": {"s3:List"}}},
    )

    # Fields shared by the input failure and the expected survivor.
    shared_fields = {
        "rule": "MockRule",
        "reason": "MockRule is invalid for some actions",
        "rule_mode": RuleMode.BLOCKING,
        "risk_value": RuleRisk.HIGH,
        "granularity": RuleGranularity.ACTION,
    }

    result = Result()
    result.failed_rules = [Failure(actions={"s3:ListBucket", "s3:GetBucket"}, **shared_fields)]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    expected = [Failure(actions={"s3:GetBucket"}, **shared_fields)]
    assert result.failed_rules == expected
def test_can_whitelist_action_from_any_stack_if_granularity_is_action():
    """A ``.*`` stack key whitelists an action for every stack, but only for ACTION-granularity failures.

    Two failures for ``S3CrossAccountTrustRule`` are queued: an ACTION failure
    for ``s3:ListBucket`` (expected to be removed) and a STACK failure with no
    actions (expected to survive, since the whitelist is keyed on actions).
    """
    config = Config(
        stack_name="abcd",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist={"S3CrossAccountTrustRule": {".*": {"s3:ListBucket"}}},
    )

    # Failures are plain dicts here (not Failure objects); the final assertion
    # compares them field by field.
    action_failure = {
        "rule": "S3CrossAccountTrustRule",
        "reason": "ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        "rule_mode": RuleMode.BLOCKING,
        "risk_value": RuleRisk.HIGH,
        "actions": {"s3:ListBucket"},
        "granularity": RuleGranularity.ACTION,
    }
    stack_failure = {
        "rule": "S3CrossAccountTrustRule",
        "reason": "This one isn't whitelisted because granularity is STACK and not ACTION",
        "rule_mode": RuleMode.BLOCKING,
        "risk_value": RuleRisk.HIGH,
        "actions": None,
        "granularity": RuleGranularity.STACK,
    }
    # Snapshot the survivor before processing so the assertion is not fooled by
    # any in-place mutation of the dict.
    expected = [dict(stack_failure)]

    result = Result()
    result.failed_rules = [action_failure, stack_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    assert result.failed_rules == expected
def test_remove_failures_from_whitelisted_actions_only_removes_action_granularity(mock_rule_to_action_whitelist):
    """Only ACTION-granularity failures can be whitelisted away; STACK failures survive.

    Two ``WildcardResourceRule`` failures are queued: an ACTION failure carrying
    ``s3:Get*`` and a STACK failure with empty actions. After processing only
    the STACK failure is expected to remain (the fixture presumably whitelists
    ``s3:Get*`` for this rule and stack — see the fixture definition).
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    def wildcard_failure(**fields):
        # Every failure in this test shares rule, reason, mode and risk.
        return Failure(
            rule="WildcardResourceRule",
            reason="rolething is using a wildcard resource in BucketAccessPolicy",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            **fields,
        )

    action_failure = wildcard_failure(
        resource_ids={"BucketAccessPolicy"},
        actions={"s3:Get*"},
        granularity=RuleGranularity.ACTION,
    )
    stack_failure = wildcard_failure(
        resource_ids=set(),
        actions=set(),
        granularity=RuleGranularity.STACK,
    )

    result = Result()
    result.failed_rules = [action_failure, stack_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    expected = [
        wildcard_failure(resource_ids=set(), actions=set(), granularity=RuleGranularity.STACK),
    ]
    assert result.failed_rules == expected
def test_remove_failures_from_whitelisted_actions_failure_no_actions_is_removed(mock_logger, mock_rule_to_action_whitelist):
    """An ACTION-granularity failure with an empty action set is dropped and logged.

    The failure is a plain dict whose ``actions`` is ``set()``. After processing
    the failure list must be empty and the logger must have been called exactly
    once with the failure's repr.
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    # Key order matters: the dict's repr is part of the logged message checked below.
    empty_action_failure = {
        "rule": "S3CrossAccountTrustRule",
        "reason": "rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        "rule_mode": RuleMode.BLOCKING,
        "risk_value": RuleRisk.HIGH,
        "actions": set(),
        "granularity": RuleGranularity.ACTION,
    }
    result = Result()
    result.failed_rules = [empty_action_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    assert not result.failed_rules
    logged_message = f"Failure with action granularity doesn't have actions: {empty_action_failure}"
    mock_logger.assert_called_once_with(logged_message)
def test_remove_failures_from_whitelisted_actions_uses_whitelist(mock_rule_to_action_whitelist):
    """Only the action named in the whitelist is removed; an unlisted action for the same rule stays.

    Two ACTION-granularity ``WildcardResourceRule`` failures are queued, one for
    ``s3:Get*`` and one for ``dynamodb:Get``. Only the ``dynamodb:Get`` failure
    is expected to survive (the fixture presumably whitelists ``s3:Get*`` but
    not ``dynamodb:Get`` for this stack — see the fixture definition).
    """
    config = Config(
        stack_name="teststack", rules=["WildcardResourceRule"], rule_to_action_whitelist=mock_rule_to_action_whitelist
    )

    def wildcard_failure(reason, resource_id, action):
        # Both failures share rule, mode, risk and ACTION granularity.
        return Failure(
            rule="WildcardResourceRule",
            reason=reason,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={resource_id},
            actions={action},
            granularity=RuleGranularity.ACTION,
        )

    result = Result()
    result.failed_rules = [
        wildcard_failure(
            "rolething is using a wildcard resource in BucketAccessPolicy",
            "BucketAccessPolicy",
            "s3:Get*",
        ),
        wildcard_failure(
            "rolething is using a wildcard resource in DynamoAccessPolicy",
            "DynamoAccessPolicy",
            "dynamodb:Get",
        ),
    ]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    expected = [
        wildcard_failure(
            "rolething is using a wildcard resource in DynamoAccessPolicy",
            "DynamoAccessPolicy",
            "dynamodb:Get",
        ),
    ]
    assert result.failed_rules == expected