def test_update_remediation_status(self):
existing_ncr = {
'scanId': '111',
'accntId_rsrceId_rqrmntId': 'aaa#bbb#ccc'
}
ncr_table.put_item(Item=existing_ncr)
results = ncr_table.update_remediation_status(
existing_ncr, ncr_table.REMEDIATION_SUCCESS)
assert results is not False
def test_exclude_handler(self, exclusions_mock: Mock):
scan_id = scans_table.create_new_scan_id()
ncr = {
'scanId': scan_id,
'accntId_rsrceId_rqrmntId':
'12345678901_arn:aws:lambda:us-west-2:12345678901:function:test-function_requirementId01',
'accountId': '1234578901',
'accountName': 'TEST ACCOUNT NAME',
'requirementId': 'requirementId01',
'resourceId':
'arn:aws:lambda:us-west-2:12345678901:function:test-function',
'rqrmntId_accntId': 'requirementId01_12345678901',
}
ncr_table.put_item(Item=ncr)
exclusions_mock.return_value = [
{
'status': 'rejected',
'accountId': '*',
'requirementId': 'requirementId02',
'resourceId': '*',
'expirationDate': '2999/12/31'
},
{
'status': 'rejected',
'accountId': '1234578901',
'requirementId': 'requirementId01',
'resourceId': 'arn:aws:lambda:*',
'expirationDate': '2999/12/31'
},
{
'status': 'approved',
'accountId': '*',
'requirementId': 'requirementId01',
'resourceId': 'arn:aws:lambda:*',
'expirationDate': '2999/12/31',
'reason': 'inspected looks fine',
'type': 'justification',
},
]
event = {'openScan': {'scanId': scan_id}}
assert exclude.exclude_handler(event, {}) is None
updated_ncrs = sorted(
ncr_table.query_all(
KeyConditionExpression=Key('scanId').eq(scan_id)),
key=lambda x: x['requirementId'],
)
expected_ncrs = [
exclude.update_ncr_exclusion(
ncr, exclusions_mock.return_value[2],
self.exclusion_types_effective_initial)
]
assert updated_ncrs == expected_ncrs
def test_error_update_remediation_status_none(self):
existing_ncr = {
'scanId': '222',
'accntId_rsrceId_rqrmntId': 'xxx#yyy#zzz',
'remediated': None
}
ncr_table.put_item(Item=existing_ncr)
results = ncr_table.update_remediation_status(
existing_ncr, ncr_table.REMEDIATION_SUCCESS)
assert results is not False
def put_exclusions_for_user_handler(event, context):
latest_scan_id = event.get('scanId', '')
user_record = event.get('userRecord', {})
body = event.get('body', {})
ncr_id = body.get('ncrId', '')
update_request = body.get('exclusion', {})
scan_id, account_id, resource_id, requirement_id = split_ncr_id(ncr_id)
# input validation
if scan_id != latest_scan_id:
raise exceptions.HttpInvalidException(
'Can only exclude ncrs from latest scans')
if not update_request:
raise exceptions.HttpInvalidException('Must supply exclusion to put')
# data validation
requirement = requirements_table.get(requirement_id)
ncr = ncr_table.get_ncr(scan_id, account_id, resource_id, requirement_id)
current_exclusion = exclusions_table.get_exclusion(
account_id=account_id,
requirement_id=requirement_id,
resource_id=resource_id)
exclusion_type = requirement.get('exclusionType')
exclusion_types = config_table.get_config(config_table.EXCLUSIONS)
exclusion_config = exclusion_types.get(exclusion_type, {})
if not requirement:
raise exceptions.HttpNotFoundException(
f'Requirement not found: {requirement_id}')
if not ncr:
raise exceptions.HttpNotFoundException(f'NCR does not exist: {ncr_id}')
if not exclusion_config:
raise exceptions.HttpInvalidException(
f'Cannot find exclusion type: {exclusion_type}')
# authorization
if exclusions.is_wildcard_exclusion(current_exclusion):
raise exceptions.HttpForbiddenException(
'Wildcard exclusion applied to ncr')
allowed_actions = ncr_util.get_allowed_actions(user_record, account_id,
requirement,
current_exclusion)
prospective_exclusion = dict_merge(current_exclusion, update_request)
prospective_state = exclusions.get_state(prospective_exclusion)
if prospective_state in exclusions.REQUEST_EXCLUSION_STATES:
if not allowed_actions['requestExclusion']:
raise exceptions.HttpForbiddenException('Cannot requestExclusion')
if prospective_state in exclusions.REQUEST_EXCLUSION_CHANGE_STATES:
if not allowed_actions['requestExclusionChange']:
raise exceptions.HttpForbiddenException(
'Cannot requestExclusionChange')
# update
new_exclusion = exclusions.update_exclusion(current_exclusion,
update_request,
exclusion_config, False)
new_exclusion['accountId'] = account_id
new_exclusion['resourceId'] = resource_id
new_exclusion['requirementId'] = requirement_id
new_exclusion['type'] = exclusion_type
new_exclusion['exclusionId'] = exclusions_table.get_exclusion_id(
new_exclusion)
new_exclusion['lastModifiedByUser'] = user_record.get('email')
new_exclusion[
'rqrmntId_rsrceRegex'] = f'{new_exclusion["requirementId"]}#{new_exclusion["resourceId"]}'
exclusions_table.update_exclusion(new_exclusion, {})
if user_record.get('email'):
audit_table.put_audit_trail(
user_record['email'], audit_table.PUT_EXCLUSION_USER, {
'updateRequest': update_request,
'newExclusion': new_exclusion,
'deleteExclusion': {},
})
new_allowed_actions = ncr_util.get_allowed_actions(user_record, account_id,
requirement,
new_exclusion)
updated_ncr = update_ncr_exclusion(ncr, new_exclusion, exclusion_types)
logger.debug('Updated ncr: %s', json.dumps(updated_ncr, default=str))
ncr_table.put_item(Item=updated_ncr)
return {
'newExclusion': new_exclusion,
'newNcr': {
'ncrId': ncr_id,
'resource': updated_ncr,
'allowedActions': new_allowed_actions,
}
}