def test_key_to_cel():
    """key_to_cel turns a c7n filter key into a CEL expression over `resource`.

    Covered forms: a `length(...)` wrapper, a dotted path, a `tag:` key
    (rewritten as a lookup in the Tags list) and a bare key.
    """
    cases = [
        ("length(key)", 'size(resource["key"])'),
        ("Key.Subkey", 'resource["Key"]["Subkey"]'),
        # tag:<Name> keys become a filter over the Tags list by Key
        ("tag:TagName",
         'resource["Tags"].filter(x, x["Key"] == "TagName")[0]["Value"]'),
        ("key", 'resource["key"]'),
    ]
    for key, expected_cel in cases:
        assert C7N_Rewriter.key_to_cel(key) == expected_cel
def test_health_event_rewrite():
    """A health-event clause becomes a size(get_health_events(...)) > 0 test.

    The bare string form "health-event" routed through primitive() is
    asserted to produce the same CEL text as the explicit clause that lists
    the "upcoming" and "open" statuses.
    """
    expected = 'size(resource.get_health_events(["upcoming", "open"])) > 0'
    explicit_clause = {"type": "health-event", "statuses": ["upcoming", "open"]}
    assert C7N_Rewriter.health_event_rewrite("directory", explicit_clause) == expected
    # shorthand form: just the type name, no statuses given
    assert C7N_Rewriter.primitive("directory", "health-event") == expected
def test_security_group_rewrite():
    """security-group clauses become an exists() over the resource's groups.

    All three cases share the same `map(sg, sg.GroupId.security_group())
    .exists(sg, ...)` scaffold; only the per-group predicate differs:
    list membership on GroupId, a regex on GroupName, and an equality test
    on a tag value.
    """
    by_group_id = {
        "key": "GroupId",
        "op": "in",
        "type": "security-group",
        "value": ["sg-12345678", "sg-23456789", "sg-34567890"]
    }
    by_group_name = {
        "key": "GroupName",
        "op": "regex",
        "type": "security-group",
        "value": "^Enterprise-AllInstances-SG.*$"
    }
    by_tag = {
        "key": "tag:ASSET",
        "op": "eq",
        "type": "security-group",
        "value": "SPECIALASSETNAME"
    }
    cases = [
        (by_group_id,
         'resource.SecurityGroups.map(sg, sg.GroupId.security_group()).exists(sg, [\'sg-12345678\', \'sg-23456789\', \'sg-34567890\'].contains(sg["GroupId"]))'),
        (by_group_name,
         'resource.SecurityGroups.map(sg, sg.GroupId.security_group()).exists(sg, sg["GroupName"].matches(\'^Enterprise-AllInstances-SG.*$\'))'),
        (by_tag,
         'resource.SecurityGroups.map(sg, sg.GroupId.security_group()).exists(sg, sg["Tags"].filter(x, x["Key"] == "ASSET")[0]["Value"] == \'SPECIALASSETNAME\')'),
    ]
    for clause, expected_cel in cases:
        assert C7N_Rewriter.type_security_group_rewrite("ec2", clause) == expected_cel
def test_type_vpc_rewrite():
    """vpc clauses compare resource.VPCId against a value or a value_from source.

    Case 0: `not-in` with a `value_from` block becomes a negated
    `value_from(url, format).jmes_path(expr).contains(...)`.
    Case 1: `not-equal` with a literal becomes a plain `!=`.
    """
    account_id = "123456789012"
    jmes_expr = 'not_null(offhours_exceptions."{account_id}".account, "[]")'.format(
        account_id=account_id)
    from_s3 = {
        "key": "VpcId",
        "op": "not-in",
        "type": "vpc",
        "value_from": {
            "url": "s3://c7n-resources/some_list.json",
            "format": "json",
            "expr": jmes_expr
        }
    }
    expected_from_s3 = '! value_from("s3://c7n-resources/some_list.json", "json").jmes_path(\'not_null(offhours_exceptions."123456789012".account, \"[]\")\').contains(resource.VPCId)'
    assert C7N_Rewriter.type_vpc_rewrite("elb", from_s3) == expected_from_s3

    literal = {
        "key": "VpcId",
        "op": "not-equal",
        "type": "vpc",
        "value": "vpc-12ab34de"
    }
    assert C7N_Rewriter.type_vpc_rewrite("elb", literal) == 'resource.VPCId != "vpc-12ab34de"'

    clause_1 = {
        "key": "VpcId",
        "op": "not-equal",
        "type": "vpc",
        "value": "vpc-12ab34de"
    }
    expected = 'resource.VPCId != "vpc-12ab34de"'
    assert C7N_Rewriter.type_vpc_rewrite("elb", clause_1) == expected
def test_network_location_rewrite():
    """network-location clauses become a conjunction of per-option CEL terms.

    With `ignore` entries, a leading negated membership test excludes the
    listed Descriptions / tag values; the `compare` list yields an equality
    between the related object's tag and the resource's tag; and
    `max-cardinality` yields a size() == N term. Without `ignore` the
    leading term is absent.
    """
    with_ignore = {
        'compare': ['resource', 'security-group'],
        'ignore': [
            {'Description': 'New VPC Enterprise All Instances SG 2016'},
            {'Description': 'Enterprise All Instances Security Group'},
            {'Description': 'CoreServicesAccess-SG'},
            {'tag:Asset': 'SomeAssetTag'}],
        'key': 'tag:Asset',
        'max-cardinality': 1,
        'missing-ok': False,
        'type': 'network-location'
    }
    ignore_term = '! (["New VPC Enterprise All Instances SG 2016", "Enterprise All Instances Security Group", "CoreServicesAccess-SG"].contains(Resource.Description) || ["SomeAssetTag"].contains(Resource.Tags["Asset"])) '
    sg_compare_term = '&& (Resource.SecurityGroupId.security_group().Tags["Asset"] == Resource.Tags["Asset"]) '
    sg_cardinality_term = '&& (size(Resource.SecurityGroupId.security_group()) == 1)'
    assert C7N_Rewriter.network_location_rewrite("ec2", with_ignore) == (
        ignore_term + sg_compare_term + sg_cardinality_term)

    subnet_only = {
        'compare': ['resource', 'subnet'],
        'key': 'tag:Asset',
        'max-cardinality': 1,
        'missing-ok': False,
        'type': 'network-location'
    }
    subnet_compare_term = '(Resource.SubnetId.subnet().Tags["Asset"] == Resource.Tags["Asset"]) '
    subnet_cardinality_term = '&& (size(Resource.SubnetId.subnet()) == 1)'
    assert C7N_Rewriter.network_location_rewrite("ec2", subnet_only) == (
        subnet_compare_term + subnet_cardinality_term)
def test_cross_account_rewrite():
    """cross-account clauses become a size(...) > 0 test over vault policies.

    Each allow-list option adds a `.filter(...)` that removes permitted
    principals before the size test: `whitelist` as a literal list,
    `whitelist_from` as a `json_from(url, "json").jmes_path(expr)` source,
    and `whitelist_orgids` as a second filter on `p.attr`.

    NOTE(review): every expected string closes one more parenthesis than it
    opens (`...["Policy"])) > 0`). These assertions pin the rewriter's
    current output; confirm the extra `)` is intended before relying on the
    generated CEL downstream.
    """
    policy_size = 'size(Resource.map(r, r["VaultName"])["policy"]["Policy"])'
    cases = [
        ({"type": "cross-account",},
         'size(Resource.map(r, r["VaultName"])["policy"]["Policy"])) > 0'),
        ({"type": "cross-account",
          "whitelist": ["permitted-account-01", "permitted-account-02"]},
         'size(Resource.map(r, r["VaultName"])["policy"]["Policy"]).filter(acct, ! acct in ["permitted-account-01", "permitted-account-02"])) > 0'),
        ({"type": "cross-account",
          "whitelist_from": {
              "expr": "accounts.*.accountNumber",
              "url": "http://server/path/to/data.json"}},
         'size(Resource.map(r, r["VaultName"])["policy"]["Policy"]).filter(acct, ! acct in json_from("http://server/path/to/data.json", "json").jmes_path("accounts.*.accountNumber"))) > 0'),
        ({"type": "cross-account",
          "whitelist_from": {
              "expr": "accounts.*.account",
              "url": "http://server/path/to/data.json"},
          "whitelist_orgids": ["o-rhymjmbbe"]},
         'size(Resource.map(r, r["VaultName"])["policy"]["Policy"]).filter(acct, ! acct in json_from("http://server/path/to/data.json", "json").jmes_path("accounts.*.account")).filter(p, ! p.attr in ["o-rhymjmbbe"])) > 0'),
    ]
    for clause, expected_cel in cases:
        # every expected string starts with the same size(...) prefix
        assert expected_cel.startswith(policy_size)
        assert C7N_Rewriter.cross_account_rewrite("glacier", clause) == expected_cel
def test_type_value_rewrite_error(mock_key_to_cel):
    """type_value_rewrite raises ValueError on clauses it cannot translate.

    Two malformed shapes are checked: an `op` with neither `value` nor
    `value_from` (an unknown `nope` key instead), and a bare `value` with
    no `op`. `mock_key_to_cel` is a fixture that stubs key_to_cel.
    """
    malformed = [
        {"key": "key", "op": "in", "nope": {"url": "url"}},
        {"key": "key", "value": "nope"},
    ]
    for clause in malformed:
        with raises(ValueError):
            C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
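def test_tag_count_rewrite():
    """tag-count clauses become size() over non-AWS tags compared to `count`.

    The generated filter drops keys matching "^aws:.*" before counting, so
    AWS-reserved tags do not contribute to the total.
    """
    # NOTE(review): a second, byte-identical clause/expected pair was folded
    # into this single assertion — it exercised nothing new.
    clause = {"type": "tag-count", "op": "gte", "count": 8}
    expected = 'size(resource["Tags"].filter(x, ! matches(x.Key, "^aws:.*"))) >= 8'
    assert C7N_Rewriter.type_tag_count_rewrite("elb", clause) == expected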
def test_is_logging_rewrite():
    """is-logging rewrites depend on the resource type.

    "elb" yields an exists() over get_access_log(); "app-elb" yields a
    get("access_logs.s3.enabled") lookup; an unknown type raises
    ValueError. The bare string "is-logging" via primitive() gives the
    same text as the explicit "elb" clause.
    """
    clause = {"type": "is-logging"}
    elb_expected = 'resource.get_access_log().exists(a, a["Enabled"])'
    app_elb_expected = 'resource.get_load_balancer().get("access_logs.s3.enabled")'

    assert C7N_Rewriter.is_logging_rewrite("elb", clause) == elb_expected
    assert C7N_Rewriter.primitive("elb", "is-logging") == elb_expected
    assert C7N_Rewriter.is_logging_rewrite("app-elb", clause) == app_elb_expected
    # resource types without a known logging accessor are rejected
    with raises(ValueError):
        C7N_Rewriter.is_logging_rewrite("nope", clause)
def test_value_to_cel_boolean():
    """Boolean comparisons collapse to the key itself or its negation.

    Both the string forms "true"/"false" and the Python bools are accepted;
    `eq` keeps the truth sense and `ne` inverts it. Any other operator
    raises ValueError.
    """
    truthy = ("true", True)
    falsy = ("false", False)
    for value in truthy:
        assert C7N_Rewriter.value_to_cel("key", "eq", value) == "key"
    for value in falsy:
        assert C7N_Rewriter.value_to_cel("key", "eq", value) == "! key"
    for value in truthy:
        assert C7N_Rewriter.value_to_cel("key", "ne", value) == "! key"
    for value in falsy:
        assert C7N_Rewriter.value_to_cel("key", "ne", value) == "key"
    with raises(ValueError):
        C7N_Rewriter.value_to_cel("key", "nope", "true")
def test_type_kms_key_rewrite():
    """kms-key clauses look up the key via Resource.KmsKeyId.kms_key().

    The `c7n:AliasName` pseudo-key is rewritten to the first alias'
    AliasName; a plain `AliasName` key becomes a direct field access.
    """
    cases = [
        ({"key": "c7n:AliasName", "op": "regex", "type": "kms-key",
          "value": "^(alias/enterprise/sns/encrypted)"},
         'Resource.KmsKeyId.kms_key()["Aliases"][0]["AliasName"].matches("^(alias/enterprise/sns/encrypted)")'),
        ({"key": "AliasName", "op": "regex", "type": "kms-key", "value": "^(alias/aws/)"},
         'Resource.KmsKeyId.kms_key()["AliasName"].matches("^(alias/aws/)")'),
    ]
    for clause, expected_cel in cases:
        assert C7N_Rewriter.type_kms_key_rewrite("efs", clause) == expected_cel
def test_logical_connector_not_1(mock_type_value_rewrite):
    """A single-element `not` wraps the rewritten child in `! (...)`.

    `mock_type_value_rewrite` is a fixture stubbing type_value_rewrite to
    return sentinel.rewritten; the test checks both the wrapping text and
    that the stub was called exactly once with the child clause.
    """
    child = {"type": "value"}
    result = C7N_Rewriter.logical_connector(sentinel.resource, {"not": [child]})
    assert result == f"! ({str(sentinel.rewritten)})"
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_value_from_to_cel():
    """value_from_to_cel builds `value_from(url[, format])[.jmes_path(expr)].contains(key)`.

    `format` is passed as a second argument only when present; `expr` adds
    a `.jmes_path(...)` call. The last two cases use the same value_from
    block with `op` "in" and `op` None and assert identical output.
    """
    url_only = {"url": "url://path"}
    with_format = {"url": "url://path", "format": "json"}
    with_expr = {"url": "url://path", "expr": "jmespath"}

    assert C7N_Rewriter.value_from_to_cel("key", "in", url_only) == (
        'value_from("url://path").contains(key)')
    assert C7N_Rewriter.value_from_to_cel("key", "in", with_format) == (
        'value_from("url://path", "json").contains(key)')
    jmes_expected = 'value_from("url://path").jmes_path(\'jmespath\').contains(key)'
    assert C7N_Rewriter.value_from_to_cel("key", "in", with_expr) == jmes_expected
    # op None is asserted to produce the same text as op "in"
    assert C7N_Rewriter.value_from_to_cel("key", None, with_expr) == jmes_expected
def test_offhour_rewrite():
    """offhour with opt-out: the tag's presence short-circuits to false.

    Otherwise the schedule is a day-of-week membership test (all seven
    days here, since `weekends` is False) and an hour equality, both
    evaluated in the clause's `default_tz`.
    """
    clause = {
        "type": "offhour", "weekends": False, "default_tz": "pt",
        "tag": "datetime", "opt-out": True, "offhour": 20
    }
    expected = 'Resource.Tags.exists(x, x.key=="datetime") ? false : (Now.getDayOfWeek("pt") in [0, 1, 2, 3, 4, 5, 6] && Now.getHours("pt") == 20)'
    result = C7N_Rewriter.offhour_rewrite("efs", clause)
    assert result == expected
def test_primitive_absent(mock_type_value_rewrite):
    """primitive() routes a `{tag:...: "absent"}` clause to type_value_rewrite.

    The fixture stubs type_value_rewrite; the test asserts the stub's
    result is returned unchanged and that it was called once with the
    resource and the original clause.
    """
    absent_tag = {"tag:aws:autoscaling:groupName": "absent"}
    result = C7N_Rewriter.primitive(sentinel.resource, absent_tag)
    assert result == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, absent_tag)]
def test_type_value_from_rewrite(mock_key_to_cel, mock_value_from_to_cel):
    """A clause with `value_from` is delegated to value_from_to_cel.

    key_to_cel (stubbed) is called with the clause key, and its result is
    handed to value_from_to_cel (stubbed) together with `op` and the
    `value_from` block.
    """
    source = {"url": "url"}
    clause = {"key": "key", "op": "in", "value_from": source}
    result = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert result == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    expected_delegate_call = call(str(sentinel.rewritten), "in", {"url": "url"})
    assert mock_value_from_to_cel.mock_calls == [expected_delegate_call]
def test_primitive_mark_for_op(mock_type_marked_for_op_rewrite):
    """primitive() dispatches a marked-for-op clause to type_marked_for_op_rewrite.

    The fixture stubs the target; the stub's value is returned as-is and
    the stub sees the resource plus the clause.
    """
    clause = {"type": "marked-for-op"}
    result = C7N_Rewriter.primitive(sentinel.resource, clause)
    assert result == str(sentinel.rewritten)
    assert mock_type_marked_for_op_rewrite.mock_calls == [
        call(sentinel.resource, {'type': 'marked-for-op'})]
def test_logical_connector_list(mock_type_value_rewrite):
    """A bare single-element list behaves like its one clause.

    No connector text is added: the stubbed type_value_rewrite result is
    returned directly, and the stub is called once with that clause.
    """
    child = {"type": "value"}
    result = C7N_Rewriter.logical_connector(sentinel.resource, [child])
    assert result == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_subnet_rewrite():
    """subnet-group clauses resolve the subnet and test membership in a value_from list.

    `value_type: normalize` adds a `.map(v, normalize(v))` over the loaded
    values; the resource side is `Resource.SubnetId.subnet().SubnetID`.
    """
    clause = {
        "key": "SubnetId", "op": "in", "type": "subnet-group",
        "value_from": {"format": "txt", "url": "s3://path-to-resource/subnets.txt"},
        "value_type": "normalize",
    }
    expected = 'value_from("s3://path-to-resource/subnets.txt", "txt").map(v, normalize(v)).contains(Resource.SubnetId.subnet().SubnetID)'
    result = C7N_Rewriter.type_subnet_rewrite("asg", clause)
    assert result == expected
def test_marked_for_op_rewrite(mock_key_to_cel):
    """marked-for-op becomes an action check joined with a date comparison.

    The `skew` of 4 appears as `duration("4d0h")` subtracted from the
    marked action_date. `mock_key_to_cel` is a fixture; the expected text
    does not depend on its stubbed value.
    """
    clause = {"op": "terminate", "skew": 4, "tag": "c7n-tag-compliance", "type": "marked-for-op"}
    action_term = 'Resource["Tags"].marked_key("c7n-tag-compliance").action == "terminate" '
    date_term = '&& Now >= Resource["Tags"].marked_key("c7n-tag-compliance").action_date '
    skew_term = '- duration("4d0h")'
    result = C7N_Rewriter.type_marked_for_op_rewrite(sentinel.resource, clause)
    assert result == action_term + date_term + skew_term
def test_type_value_rewrite(mock_key_to_cel, mock_value_to_cel):
    """A plain key/op/value clause is delegated to value_to_cel.

    key_to_cel (stubbed) receives the key; value_to_cel (stubbed) receives
    the rewritten key, the op, the literal value and a trailing None
    (the value_type slot, presumably — confirm against the implementation).
    """
    clause = {"key": "key", "op": "eq", "value": 42}
    result = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert result == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "eq", 42, None)]
def test_type_value_rewrite_emptu(mock_key_to_cel, mock_value_to_cel):
    """A `value: "empty"` clause without `op` maps to the "__absent__" operator.

    value_to_cel (stubbed) is called with the rewritten key, "__absent__"
    and None in place of a value.
    """
    # NOTE(review): "emptu" in the test name reads as a typo for "empty";
    # left unchanged so selection by test name keeps working.
    clause = {"key": "key", "value": "empty"}
    result = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert result == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "__absent__", None)]
def test_waf_enabled_rewrite():
    """waf-enabled with `state: False` negates a web_acls() membership test."""
    clause = {
        "type": "waf-enabled",
        "state": False,
        "web-acl": "WebACL to allow or restrict by IP"
    }
    # state False → leading "! " on the contains() test
    expected = '! resource.web_acls().contains("WebACL to allow or restrict by IP")'
    result = C7N_Rewriter.waf_enabled_rewrite("distribution", clause)
    assert result == expected
def test_logical_connector_or(mock_type_value_rewrite):
    """A single-element `or` collapses to its one child with no connector text.

    This singleton form is common in real policies, so it is pinned
    explicitly. The stubbed type_value_rewrite is called once with the
    child clause.
    """
    singleton_or = {"or": [{"type": "value"}]}
    result = C7N_Rewriter.logical_connector(sentinel.resource, singleton_or)
    assert result == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_onhour_rewrite():
    """onhour schedules become a day-of-week membership plus an hour equality.

    Case 0 (`opt-out`): presence of the default "maid_offhours" tag yields
    false, otherwise the weekday schedule in `default_tz`.
    Case 1 (`skip-days` + custom `tag`): a leading date exclusion over the
    skip list, then the tag's own resource_schedule() is consulted before
    falling back to the default schedule; absence of the tag yields false.
    """
    opt_out = {
        "default_tz": "et",
        "onhour": 7,
        "opt-out": True,
        "type": "onhour"
    }
    opt_out_expected = 'resource.Tags.exists(x, x.key=="maid_offhours") ? false : (now.getDayOfWeek("et") in [0, 1, 2, 3, 4] && now.getHours("et") == 7)'

    with_skip_days = {
        "default_tz": "et",
        "onhour": 7,
        "skip-days": ['2019-11-11', '2019-11-28', '2019-12-25', '2020-01-01'],
        "tag": "custodian_downtime",
        "type": "onhour"
    }
    with_skip_days_expected = '! getDate(now) in ["2019-11-11", "2019-11-28", "2019-12-25", "2020-01-01"].map(d, getDate(timestamp(d))) && resource.Tags.exists(x, x.key=="custodian_downtime") ? resource.Tags.key("custodian_downtime").resource_schedule().on.exists(s, now.getDayOfWeek(s.tz) in s.days && now.getHours(s.tz) == s.hour) || (now.getDayOfWeek("et") in [0, 1, 2, 3, 4] && now.getHours("et") == 7) : false'

    for clause, expected_cel in ((opt_out, opt_out_expected),
                                 (with_skip_days, with_skip_days_expected)):
        assert C7N_Rewriter.onhour_rewrite("efs", clause) == expected_cel
def test_type_kms_alias_rewrite():
    """kms-alias clauses become a regex match on resource.kms_alias().AliasName."""
    clause = {
        "key": "AliasName",
        "op": "regex",
        "type": "kms-alias",
        "value": "^(alias/aws/)"
    }
    result = C7N_Rewriter.type_kms_alias_rewrite("elb", clause)
    assert result == 'resource.kms_alias().AliasName.matches("^(alias/aws/)")'
def test_event_rewrite():
    """event clauses address the `Event` object rather than `resource`.

    The dotted key is used verbatim as a path under Event, and a regex op
    becomes `.matches(...)`.
    """
    clause = {
        "key": "detail.responseElements.functionName", "op": "regex", "type": "event",
        "value": "^(custodian-.*)"
    }
    expected = 'Event.detail.responseElements.functionName.matches("^(custodian-.*)")'
    result = C7N_Rewriter.type_event_rewrite(sentinel.resource, clause)
    assert result == expected
def test_tag_absent(mock_key_to_cel, mock_value_to_cel):
    """`{tag:<name>: "absent"}` is handled directly by type_value_rewrite.

    key_to_cel (stubbed) gets the full `tag:` key; value_to_cel (stubbed)
    gets the rewritten key, the "__absent__" operator and None.
    """
    tag_key = "tag:aws:autoscaling:groupName"
    clause = {tag_key: "absent"}
    result = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert result == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call(tag_key)]
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "__absent__", None)]
def test_type_credential_rewrite():
    """credential clauses with `value_type: age` become a duration comparison.

    `value: 55` turns into `now - duration("55d")`, compared with the
    timestamp of the credentials() field named by `key`.
    """
    clause = {
        "key": "access_keys.last_rotated",
        "op": "gte",
        "type": "credential",
        "value": 55,
        "value_type": "age"
    }
    expected = 'now - duration("55d") >= timestamp(resource.credentials().access_keys.last_rotated)'
    result = C7N_Rewriter.type_credential_rewrite("elb", clause)
    assert result == expected
def test_image_rewrite():
    """image clauses become a regex match on resource.image().<key>."""
    clause = {
        "key": "Name",
        "op": "regex",
        "type": "image",
        "value": "(?!WIN.*)"
    }
    result = C7N_Rewriter.type_image_rewrite(sentinel.resource, clause)
    assert result == 'resource.image().Name.matches("(?!WIN.*)")'