def test_check_fail_pipeline_disabled(monkeypatch, template_dir):
"""
GIVEN a valid template is passed in
WHEN `FAIL_PIPELINE_CFN` env var is `enabled` and `FailConformityPipeline` CFN parameter is `disabled`
THEN return `False` (pipeline won't fail even if issues are found)
"""
monkeypatch.setenv("FAIL_PIPELINE_CFN", "enabled")
template_name = f"{template_dir}/insecure-s3-bucket-disable-failure.json"
with open(template_name, "r") as f:
cfn_contents = json.load(f)
c = CcValidator()
fail_pipeline = c._check_fail_pipeline(cfn_contents)
assert fail_pipeline is False
def test_check_fail_pipeline_unset(monkeypatch, template_dir):
"""
GIVEN a valid template is passed in
WHEN `FAIL_PIPELINE_CFN` env var is `enabled` but `FailConformityPipeline` CFN parameter is not set
THEN return `True` (pipeline will fail when issues are found)
"""
monkeypatch.setenv("FAIL_PIPELINE_CFN", "enabled")
template_name = f"{template_dir}/insecure-s3-bucket.json"
with open(template_name, "r") as f:
cfn_contents = json.load(f)
c = CcValidator()
fail_pipeline = c._check_fail_pipeline(cfn_contents)
assert fail_pipeline is True
def test_check_fail_pipeline_invalid(monkeypatch, template_dir):
"""
GIVEN a valid template is passed in
WHEN `FAIL_PIPELINE_CFN` env var is `enabled` and but `FailConformityPipeline` CFN parameter is set to something other than "disabled"
THEN return `True` (pipeline will fail when issues are found)
"""
monkeypatch.setenv("FAIL_PIPELINE_CFN", "enabled")
template_name = f"{template_dir}/insecure-s3-bucket-disable-failure.json"
with open(template_name, "r") as f:
cfn_contents = json.load(f)
cfn_contents["Parameters"]["FailConformityPipeline"] = "x"
c = CcValidator()
fail_pipeline = c._check_fail_pipeline(cfn_contents)
assert fail_pipeline is True
