def test_remove_failures_from_whitelisted_resources_failure_no_resources_is_removed(
    mock_logger, mock_rule_to_resource_whitelist
):
    """A RESOURCE-granularity failure that carries no ``resource_ids`` is dropped, not kept.

    This pins a behaviour worth knowing about: such a failure cannot be matched against
    the per-resource whitelist, so ``remove_failures_of_whitelisted_resources`` removes
    it from ``result.failed_rules`` altogether and the only trace left is one log call.
    A rule that forgets to populate ``resource_ids`` therefore has its BLOCKING / HIGH
    finding vanish from the result rather than being reported.

    Fixtures: ``mock_logger`` is the patched logger call asserted on below;
    ``mock_rule_to_resource_whitelist`` is the shared whitelist fixture (its contents
    are not visible here and are not exercised by this case).
    """
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )
    # Deliberately built without resource_ids: that is the condition under test.
    orphan_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=None,
        granularity=RuleGranularity.RESOURCE,
    )
    result = Result()
    result.failed_rules = [orphan_failure]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # The failure is gone entirely; the log line is the only evidence it existed.
    assert result.failed_rules == []
    mock_logger.assert_called_once_with(
        f"Failure with resource granularity doesn't have resources: {orphan_failure}"
    )
def test_only_whitelisted_resources_are_removed(mock_rule_to_resource_whitelist):
    """Whitelisting is applied per resource id, never to a whole failure.

    A single failure naming several resources must come out of
    ``remove_failures_of_whitelisted_resources`` with only the whitelisted id stripped
    from ``resource_ids``; the remaining ids keep the failure alive, and every other
    field (rule, reason, mode, risk, actions, granularity) is untouched.

    Relies on ``mock_rule_to_resource_whitelist`` whitelisting ``rolething`` for
    ``S3CrossAccountTrustRule`` on stack ``otherstack`` and none of the other ids used
    here - check the fixture first if this test starts failing.
    """
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )
    # Everything except resource_ids is expected to be identical before and after.
    failure_fields = dict(
        rule="S3CrossAccountTrustRule",
        reason="Forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=None,
        granularity=RuleGranularity.RESOURCE,
    )
    result = Result()
    result.failed_rules = [
        Failure(resource_ids={"rolething", "thenotwhitelistedthing", "anotherone"}, **failure_fields)
    ]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # Only "rolething" is whitelisted; the other two ids survive on the same failure.
    surviving_failure = Failure(resource_ids={"thenotwhitelistedthing", "anotherone"}, **failure_fields)
    assert result.failed_rules == [surviving_failure]
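def test_can_whitelist_resource_from_any_stack_if_granularity_is_resource():
    """A ``".*"`` stack pattern whitelists a resource on every stack, but only at RESOURCE granularity.

    Three failures are pushed through ``remove_failures_of_whitelisted_resources`` for a
    stack (``abcd``) that the whitelist does not name explicitly:

    * RESOURCE granularity on ``ProductionAccessTest`` - removed, because the ``".*"``
      stack pattern covers ``abcd``;
    * ACTION granularity on the same resource - kept, because resource whitelisting
      applies to RESOURCE granularity only;
    * RESOURCE granularity on ``rolething`` - kept, because its whitelist entry is scoped
      to stack ``otherstack`` and must not leak into ``abcd``.

    The third case is the negative check that matters for a security allow-list: an
    entry scoped to one stack that also suppressed findings on every other stack would
    silently hide real findings. The original version of this test declared the
    ``otherstack`` entry but never exercised it.
    """
    whitelist_for_all_stacks = {
        "S3CrossAccountTrustRule": {
            ".*": {"ProductionAccessTest"},
            "otherstack": {"rolething"},
        }
    }
    config = Config(
        stack_name="abcd",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=whitelist_for_all_stacks,
    )

    def make_failure(reason, resource_id, granularity):
        # All three failures share rule, mode and risk; only these three fields vary.
        return Failure(
            rule="S3CrossAccountTrustRule",
            reason=reason,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={resource_id},
            actions=None,
            granularity=granularity,
        )

    whitelisted_everywhere = make_failure(
        "ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        "ProductionAccessTest",
        RuleGranularity.RESOURCE,
    )
    wrong_granularity = make_failure(
        "This one isn't whitelisted because granularity is ACTION and not RESOURCE",
        "ProductionAccessTest",
        RuleGranularity.ACTION,
    )
    whitelisted_elsewhere = make_failure(
        "rolething is only whitelisted for stack 'otherstack', so it must survive on stack 'abcd'",
        "rolething",
        RuleGranularity.RESOURCE,
    )
    result = Result()
    result.failed_rules = [whitelisted_everywhere, wrong_granularity, whitelisted_elsewhere]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # Compare against freshly built values so the assertion does not depend on whether
    # the processor mutates the Failure objects it keeps.
    assert result.failed_rules == [
        make_failure(
            "This one isn't whitelisted because granularity is ACTION and not RESOURCE",
            "ProductionAccessTest",
            RuleGranularity.ACTION,
        ),
        make_failure(
            "rolething is only whitelisted for stack 'otherstack', so it must survive on stack 'abcd'",
            "rolething",
            RuleGranularity.RESOURCE,
        ),
    ]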