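def remove_failures_of_whitelisted_actions(config: Config, result: Result):
    """Strip whitelisted actions from action-granularity failures in *result*.

    Each entry of ``result.failed_rules`` is handled as follows:

    * a failure whose granularity is not ``RuleGranularity.ACTION`` is kept as is;
    * an action-granularity failure with an empty ``actions`` set is logged at
      warning level and discarded (there is nothing a whitelist could apply to);
    * otherwise every action matching one of the rule's whitelist patterns
      (``config.get_whitelisted_actions(failure.rule)``) is removed from
      ``failure.actions``, and the failure survives only if some action remains.

    Patterns are applied with ``re.match``: anchored at the start of the action
    name but not at its end. ``"kms:*"`` therefore matches any action starting
    with ``kms``, and a pattern such as ``"s3:Get"`` would also whitelist
    ``s3:GetBucketAcl``. Whitelist entries should be as specific as possible.

    Args:
        config: Provides ``get_whitelisted_actions(rule)``, the list of regex
            patterns whitelisted for a given rule.
        result: Its ``failed_rules`` list is replaced in place with the filtered
            failures; ``failure.actions`` of surviving failures is mutated too.

    Returns:
        None. The function is a no-op when ``result.failed_rules`` is empty.
    """
    if not result.failed_rules:
        return

    clean_failures = []
    for failure in result.failed_rules:
        if failure.granularity != RuleGranularity.ACTION:
            # Action whitelists only apply to failures reported per action.
            clean_failures.append(failure)
            continue
        if not failure.actions:
            # NOTE: the finding is dropped, not kept; this warning is the only
            # trace that the rule fired without naming any action.
            logger.warning(f"Failure with action granularity doesn't have actions: {failure}")
            continue

        # Look the rule's patterns up once per failure instead of once per action.
        whitelist_patterns = config.get_whitelisted_actions(failure.rule)
        whitelisted_actions = {
            action
            for action in failure.actions
            if any(re.match(pattern, action) for pattern in whitelist_patterns)
        }
        failure.actions = failure.actions - whitelisted_actions
        if failure.actions:
            clean_failures.append(failure)

    result.failed_rules = clean_failures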
def test_stack_to_action_whitelist_stack_without_resources(self, mock_rule_to_action_whitelist):
    """A stack without whitelisted resources yields no whitelisted actions for the queried rule."""
    whitelist_config = Config(
        stack_name="stack_without_whitelisted_resources",
        rules=["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"],
        stack_whitelist={},
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )
    whitelisted = whitelist_config.get_whitelisted_actions("SecurityGroupOpenToWorldRule")
    assert whitelisted == []
def test_stack_to_action_whitelist_normal_behavior(self, mock_rule_to_action_whitelist):
    """The rule-to-action whitelist for stack_2 is returned in its configured order."""
    expected_actions = ["s3:GetItem", "kms:*", "dynamodb:CreateTable"]
    whitelist_config = Config(
        stack_name="stack_2",
        rules=["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"],
        stack_whitelist={},
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )
    whitelisted = whitelist_config.get_whitelisted_actions("RuleThatUsesActionWhitelists")
    assert whitelisted == expected_actions