def test_remove_failures_from_whitelisted_resources_failure_no_resources_is_removed(
        mock_logger, mock_rule_to_resource_whitelist):
    """A RESOURCE-granularity failure with no resource ids is dropped and logged.

    The failure is built without ``resource_ids``; after processing, the
    result must hold no failures and the logger must have been called exactly
    once with the message naming the dropped failure.
    """
    rule_name = "S3CrossAccountTrustRule"
    config = Config(
        stack_name="otherstack",
        rules=[rule_name],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    # Deliberately no resource_ids: this is the case under test.
    orphan_failure = Failure(
        rule=rule_name,
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=None,
        granularity=RuleGranularity.RESOURCE,
    )
    result = Result()
    result.failed_rules = [orphan_failure]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    assert result.failed_rules == []
    expected_message = (
        f"Failure with resource granularity doesn't have resources: {orphan_failure}"
    )
    mock_logger.assert_called_once_with(expected_message)
def test_only_whitelisted_resources_are_removed(mock_rule_to_resource_whitelist):
    """Whitelisting prunes only the listed resource ids from a failure.

    ``rolething`` is whitelisted for ``otherstack`` (via the fixture); the two
    other resource ids are not, so the failure must survive with exactly those
    two ids and every other field unchanged.
    """
    rule_name = "S3CrossAccountTrustRule"
    reason_text = "Forbidden cross-account policy allow with 123456789 for an S3 bucket."
    config = Config(
        stack_name="otherstack",
        rules=[rule_name],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    def make_failure(resource_ids):
        # Same failure shape before and after; only the resource set differs.
        return Failure(
            rule=rule_name,
            reason=reason_text,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids=resource_ids,
            actions=None,
            granularity=RuleGranularity.RESOURCE,
        )

    result = Result()
    result.failed_rules = [
        make_failure({"rolething", "thenotwhitelistedthing", "anotherone"})
    ]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # Only the whitelisted id is gone; the non-whitelisted ids still fail.
    assert result.failed_rules == [
        make_failure({"thenotwhitelistedthing", "anotherone"})
    ]
def test_can_whitelist_resource_from_any_stack_if_granularity_is_resource():
    """A ``.*`` stack entry whitelists a resource for a stack with no explicit entry.

    The config's stack (``abcd``) is not a key in the whitelist, only ``.*`` and
    ``otherstack`` are. The RESOURCE-granularity failure for
    ``ProductionAccessTest`` must be removed, while the ACTION-granularity
    failure for the same resource id must be left untouched: resource
    whitelisting only applies at RESOURCE granularity.
    """
    rule_name = "S3CrossAccountTrustRule"
    whitelisted_resource = "ProductionAccessTest"
    whitelist_for_all_stacks = {
        rule_name: {
            ".*": {whitelisted_resource},
            "otherstack": {"rolething"},
        }
    }
    config = Config(
        stack_name="abcd",
        rules=[rule_name],
        rule_to_resource_whitelist=whitelist_for_all_stacks,
    )

    def make_failure(reason, granularity):
        # Both failures name the same resource; only reason/granularity differ.
        return Failure(
            rule=rule_name,
            reason=reason,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={whitelisted_resource},
            actions=None,
            granularity=granularity,
        )

    action_reason = "This one isn't whitelisted because granularity is ACTION and not RESOURCE"
    resource_failure = make_failure(
        "ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        RuleGranularity.RESOURCE,
    )
    action_failure = make_failure(action_reason, RuleGranularity.ACTION)

    result = Result()
    result.failed_rules = [resource_failure, action_failure]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # Only the ACTION-granularity failure remains after processing.
    assert result.failed_rules == [
        make_failure(action_reason, RuleGranularity.ACTION)
    ]