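def match(self, resource, info):
    """Match one credential-report row (``info``) for ``resource``.

    ``info`` is the parsed credential-report entry for the IAM principal;
    ``None`` means no row exists for it and never matches.

    The configured ``key`` selects the matching mode:

    * a plain key (no ``.``): the whole filter spec (``self.data``) is run
      against ``info`` itself;
    * a dotted key ``<prefix>.<subkey>``: ``self.matcher_config`` is run
      against each element of ``info[<prefix>]`` (presumably the per-access-key
      entries — confirm against the caller that builds ``matcher_config``).
      Every matching element is tagged ``c7n:match-type: credential`` and
      merged into the resource under ``self.matched_annotation_key`` so later
      filters/actions can see exactly which credentials triggered the match.

    Returns ``True`` when the entry (or at least one of its elements) matched.
    """
    if info is None:
        return False
    key = self.data.get('key')
    if '.' not in key:
        whole_filter = ValueFilter(self.data)
        whole_filter.annotate = False
        return whole_filter(info)

    # Dotted key: only the prefix is needed here; the sub-key part of the key
    # is not consulted by this method (the former ``sk`` local was unused).
    prefix = key.split('.', 1)[0]
    element_filter = ValueFilter(self.matcher_config)
    element_filter.annotate = False

    matched = [v for v in info.get(prefix, ()) if element_filter.match(v)]
    for entry in matched:
        # Record provenance so consumers can distinguish a credential match
        # from other annotations merged under the same key.
        entry['c7n:match-type'] = 'credential'

    # Merge rather than overwrite so block operators combining several
    # credential filters keep every previous annotation.
    self.merge_annotation(resource, self.matched_annotation_key, matched)
    return bool(matched)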
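def match(self, info):
    """Match one credential-report row (``info``) against the configured filter.

    ``None`` (no report row for the principal) never matches. A plain ``key``
    runs the whole spec against ``info``; a dotted ``<prefix>.<subkey>`` key
    runs ``self.matcher_config`` against each element of ``info[<prefix>]``
    and matches when any element does.

    Always returns a bool. The previous implementation fell off the end and
    returned ``None`` on no match, which is truthiness-compatible but made the
    return type inconsistent with the ``True``/``False`` paths.
    """
    if info is None:
        return False
    key = self.data.get('key')
    if '.' not in key:
        whole_filter = ValueFilter(self.data)
        whole_filter.annotate = False
        return whole_filter(info)
    # Only the prefix is used here; the sub-key portion is not consulted.
    prefix = key.split('.', 1)[0]
    element_filter = ValueFilter(self.matcher_config)
    element_filter.annotate = False
    return any(element_filter.match(v) for v in info.get(prefix, ()))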
def process(self, resources, event=None):
    """Keep the resources that have an evaluation in the resource map.

    The map (built by ``self.get_resource_map`` from the optional
    ``eval_filters``) is keyed by whatever identifier the upstream rule
    reported. Because AWS-provided rules are inconsistent about that
    identifier (ARN vs. name, Security Hub especially), each resource is
    looked up by its ARN, then by its native id, and finally — when the
    resource's id *is* its ARN — by the bare resource portion of the ARN.
    Matching resources are annotated under ``self.annotation_key`` with
    their evaluation and returned.
    """
    eval_filters = []
    for spec in self.data.get('eval_filters', ()):
        flt = ValueFilter(spec)
        flt.annotate = False
        eval_filters.append(flt)
    model = self.manager.get_model()
    resource_map = self.get_resource_map(eval_filters, model, resources)

    # Deferred import keeps the filters package free of a boto dependency
    # at import time.
    from c7n.resources.aws import Arn

    matched = []
    for arn, resource in zip(self.manager.get_arns(resources), resources):
        native_id = resource[model.id]
        if arn in resource_map:
            rid = arn
        elif native_id in resource_map:
            rid = native_id
        else:
            rid = None
        if not rid and arn == native_id:
            # Some rules key on just the resource part of the ARN.
            rid = Arn.parse(arn).resource
            if rid not in resource_map:
                rid = None
        if rid is None:
            continue
        resource[self.annotation_key] = resource_map[rid]
        matched.append(resource)
    return matched
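def process(self, resources, event=None):
    """Filter ECR repositories by their lifecycle policy rules.

    Each repository is annotated once under ``self.policy_annotation`` with
    its parsed lifecycle policy; ``{}`` when the repository has no policy or
    the API returned no / empty ``lifecyclePolicyText``. A repository is
    considered "found" when at least one rule satisfies every ``match``
    value filter. ``state: true`` returns the found repositories,
    ``state: false`` (default) returns the rest — the usual compliance
    question being "which repositories lack a rule that expires images".
    """
    client = local_session(self.manager.session_factory).client('ecr')
    for r in resources:
        if self.policy_annotation in r:
            continue
        try:
            text = client.get_lifecycle_policy(
                repositoryName=r['repositoryName']).get(
                    'lifecyclePolicyText', '')
        except client.exceptions.LifecyclePolicyNotFoundException:
            text = ''
        # Missing/empty policy text is "no policy", not a JSON decode error.
        r[self.policy_annotation] = json.loads(text) if text else {}

    state = self.data.get('state', False)
    matchers = []
    for spec in self.data.get('match', []):
        vf = ValueFilter(spec)
        vf.annotate = False
        matchers.append(vf)

    results = []
    for r in resources:
        rules = r[self.policy_annotation].get('rules', [])
        # Any rule satisfying all matchers counts. The previous loop reset
        # ``found`` on every rule without breaking, so only the last rule
        # in the policy decided the outcome.
        found = any(all(m(rule) for m in matchers) for rule in rules)
        if found == bool(state):
            results.append(r)
    return results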
def process_cidrs(self, perm):
    """Test a permission's IPv4 ranges against the policy's ``Cidr`` clause.

    Only ``perm['IpRanges']`` (IPv4, key ``CidrIp``) is inspected; IPv6
    ranges and prefix lists are not examined here. Returns the value filter's
    result for the first matching range, otherwise the last (falsy) result,
    and ``False`` when either the permission has no ``IpRanges`` or the
    policy has no ``Cidr`` clause.

    Note: the ``Cidr`` spec in ``self.data`` is updated in place with
    ``key: CidrIp`` (unchanged from the original behaviour).
    """
    if 'IpRanges' not in perm or 'Cidr' not in self.data:
        return False
    cidr_spec = self.data['Cidr']
    cidr_spec['key'] = 'CidrIp'
    cidr_filter = ValueFilter(cidr_spec)
    cidr_filter.annotate = False
    result = False
    for ip_range in perm.get('IpRanges', []):
        result = cidr_filter(ip_range)
        if result:
            return result
    return result
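def process(self, resources, event=None):
    """Build per-attribute value filters, then defer to ``SGPermission.process``.

    For every permission attribute in ``self.attrs`` that the policy also
    sets, one ``ValueFilter`` is created over that attribute. A bare value
    (``FromPort: 22``) is wrapped as ``{FromPort: 22}``; a dict spec gets its
    ``key`` set to the attribute name, which mutates the policy data in place
    (unchanged from the previous behaviour). Attributes are visited in sorted
    order so ``self.vfilters`` is deterministic regardless of YAML key order.
    """
    self.vfilters = []
    # sorted() already returns a list; the former list(sorted(...)) was redundant.
    for attr in sorted(self.attrs.intersection(self.data.keys())):
        spec = self.data.get(attr)
        if isinstance(spec, dict):
            spec['key'] = attr
        else:
            spec = {attr: spec}
        vf = ValueFilter(spec)
        vf.annotate = False
        self.vfilters.append(vf)
    return super(SGPermission, self).process(resources, event)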
def process(self, resources, event=None):
    """Return the resources whose id appears in the evaluation map.

    ``eval_filters`` (optional value filters) are compiled and handed to
    ``self.get_resource_map`` together with the resource model; each resource
    whose native id is a key of the resulting map is annotated under
    ``self.annotation_key`` with its evaluation and kept.
    """
    eval_filters = []
    for spec in self.data.get('eval_filters', ()):
        flt = ValueFilter(spec)
        flt.annotate = False
        eval_filters.append(flt)
    model = self.manager.get_model()
    resource_map = self.get_resource_map(eval_filters, model, resources)

    matched = []
    for resource in resources:
        rid = resource[model.id]
        if rid in resource_map:
            resource[self.annotation_key] = resource_map[rid]
            matched.append(resource)
    return matched
def process_cidrs(self, perm):
    """Test a permission's IPv4 ranges against the policy's ``Cidr`` clause.

    Returns ``None`` when the policy has no ``Cidr`` clause (the check is
    not applicable — presumably so the caller can skip it rather than treat
    it as a failed match; confirm against the caller), ``False`` when the
    permission has no ``IpRanges`` or none of them match, otherwise the value
    filter's (truthy) result for the first matching range.

    Only ``IpRanges`` (IPv4, key ``CidrIp``) is inspected; IPv6 ranges and
    prefix lists are not covered by this method. The ``Cidr`` spec in
    ``self.data`` is updated in place with ``key: CidrIp`` (unchanged).
    """
    if 'Cidr' not in self.data:
        return None
    ip_ranges = perm.get('IpRanges', [])
    if not ip_ranges:
        return False
    cidr_spec = self.data['Cidr']
    cidr_spec['key'] = 'CidrIp'
    cidr_filter = ValueFilter(cidr_spec)
    cidr_filter.annotate = False
    for ip_range in ip_ranges:
        hit = cidr_filter(ip_range)
        if hit:
            return hit
    return False
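def process(self, resources, event=None):
    """Filter Elasticsearch domains by their cross-cluster search connections.

    For each domain, the inbound and/or outbound connections (whichever of
    ``inbound`` / ``outbound`` the policy configures) are fetched and cached
    on the resource under ``self.annotation_key``. Per direction, the
    connections matching the configured value filter are stored under
    ``self.matched_key``; a domain is returned when any direction has at
    least one match. Domains the API reports as not found are skipped.
    """
    client = local_session(self.manager.session_factory).client('es')
    results = []
    for r in resources:
        conns = r.setdefault(self.annotation_key, {})
        try:
            if "inbound" in self.data:
                inbound = self.manager.retry(
                    client.describe_inbound_cross_cluster_search_connections,
                    Filters=[{'Name': 'destination-domain-info.domain-name',
                              'Values': [r['DomainName']]}])
                inbound.pop('ResponseMetadata', None)
                conns["inbound"] = inbound
            if "outbound" in self.data:
                outbound = self.manager.retry(
                    client.describe_outbound_cross_cluster_search_connections,
                    Filters=[{'Name': 'source-domain-info.domain-name',
                              'Values': [r['DomainName']]}])
                outbound.pop('ResponseMetadata', None)
                conns["outbound"] = outbound
        except client.exceptions.ResourceNotFoundException:
            # Was misspelled ``ResourceNotFoundExecption``: any exception in the
            # try body then surfaced as AttributeError instead of being handled.
            continue

        match_found = False
        r[self.matched_key] = {}
        for direction in conns:
            matcher = self.data.get(direction)
            if matcher is None:
                # Annotation for a direction this policy does not configure
                # (e.g. left by an earlier filter); nothing to match against.
                continue
            value_filter = ValueFilter(matcher)
            value_filter.annotate = False
            matched = [
                conn for conn in conns[direction]['CrossClusterSearchConnections']
                if value_filter(conn)]
            if matched:
                match_found = True
            r[self.matched_key][direction] = matched
        if match_found:
            results.append(r)
    return results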