예제 #1
    def remove_failures_of_whitelisted_actions(config: Config, result: Result):
        """Strip whitelisted actions out of ``result.failed_rules`` in place.

        Only failures whose granularity is ``RuleGranularity.ACTION`` are
        touched: each action matched by one of the patterns returned by
        ``config.get_whitelisted_actions(failure.rule)`` is removed from
        ``failure.actions``, and a failure left with no actions is dropped
        from ``result.failed_rules`` altogether. An ACTION failure that
        carries no actions at all is logged and dropped. Failures of any
        other granularity are kept as they are, and a ``result`` with no
        failed rules is returned untouched.

        Args:
            config: source of the per-rule whitelist patterns.
            result: the scan result to filter; ``result.failed_rules`` and
                the ``actions`` of each affected failure are rewritten.

        Returns:
            None. The effect is observed through ``result``.
        """
        if not result.failed_rules:
            return

        surviving_failures = []

        for failure in result.failed_rules:
            if failure.granularity == RuleGranularity.ACTION:
                if not failure.actions:
                    # Nothing to filter against, so the failure is discarded rather than kept.
                    logger.warning(f"Failure with action granularity doesn't have actions: {failure}")
                    continue

                # re.match anchors at the start of the action only, so a whitelist
                # pattern also covers every action it is a prefix of; fixture
                # entries such as "kms:*" appear to rely on that. A pattern meant
                # to whitelist exactly one action therefore needs a trailing "$".
                # NOTE(review): confirm whether exact matching (re.fullmatch) was intended.
                matched_by_whitelist = set()
                for action in failure.actions:
                    hits = [
                        re.match(pattern, action)
                        for pattern in config.get_whitelisted_actions(failure.rule)
                    ]
                    if any(hits):
                        matched_by_whitelist.add(action)

                failure.actions = failure.actions - matched_by_whitelist
                if not failure.actions:
                    # Every action was whitelisted: the failure itself goes away.
                    continue

            surviving_failures.append(failure)

        result.failed_rules = surviving_failures
예제 #2
    def test_stack_to_action_whitelist_stack_without_resources(self, mock_rule_to_action_whitelist):
        """``get_whitelisted_actions`` yields an empty list for a rule with no whitelist entries.

        Uses the ``mock_rule_to_action_whitelist`` fixture and the stack
        ``stack_without_whitelisted_resources``; the rule queried is
        ``SecurityGroupOpenToWorldRule``.
        """
        configured_rules = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
        config_kwargs = dict(
            stack_name="stack_without_whitelisted_resources",
            rules=configured_rules,
            stack_whitelist={},
            rule_to_action_whitelist=mock_rule_to_action_whitelist,
        )
        config = Config(**config_kwargs)

        whitelisted = config.get_whitelisted_actions("SecurityGroupOpenToWorldRule")
        assert whitelisted == []
예제 #3
    def test_stack_to_action_whitelist_normal_behavior(self, mock_rule_to_action_whitelist):
        """``get_whitelisted_actions`` returns the fixture's patterns for the rule, in order.

        Uses the ``mock_rule_to_action_whitelist`` fixture and stack ``stack_2``.
        NOTE(review): the rule queried (``RuleThatUsesActionWhitelists``) is not in
        ``rules``; confirm the lookup is meant to be independent of the enabled-rule list.
        """
        expected_patterns = [
            "s3:GetItem",
            "kms:*",
            "dynamodb:CreateTable",
        ]
        config = Config(
            stack_name="stack_2",
            rules=["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"],
            stack_whitelist={},
            rule_to_action_whitelist=mock_rule_to_action_whitelist,
        )

        assert config.get_whitelisted_actions("RuleThatUsesActionWhitelists") == expected_patterns