def test_action_whitelist_keeps_non_whitelisted_actions():
    """A whitelisted action is stripped from a failure; the other actions stay.

    The whitelist entry is ``s3:List`` while the failure carries ``s3:ListBucket``
    and ``s3:GetBucket``, and only ``s3:GetBucket`` survives.  Matching is
    therefore not an exact string comparison (presumably prefix or pattern
    based -- confirm against RuleProcessor before widening a whitelist entry,
    since a short entry silences every action it matches).
    """
    whitelist = {"MockRule": {".*": {"s3:List"}}}
    config = Config(
        stack_name="abcd",
        rules=["MockRule"],
        rule_to_action_whitelist=whitelist,
    )
    result = Result()
    result.failed_rules = [
        Failure(
            rule="MockRule",
            reason="MockRule is invalid for some actions",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions={"s3:ListBucket", "s3:GetBucket"},
            granularity=RuleGranularity.ACTION,
        )
    ]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # A freshly built Failure is used for the expectation so that the comparison
    # does not depend on whether the processor mutates the original in place.
    expected = Failure(
        rule="MockRule",
        reason="MockRule is invalid for some actions",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions={"s3:GetBucket"},
        granularity=RuleGranularity.ACTION,
    )
    assert result.failed_rules == [expected]
def test_remove_failures_from_whitelisted_actions_failure_no_actions_is_removed(
    mock_logger, mock_rule_to_action_whitelist
):
    """An ACTION-granularity failure with an empty action set is dropped and logged.

    ``mock_logger`` and ``mock_rule_to_action_whitelist`` are fixtures supplied by
    the test module (not visible here).  The exact log message is pinned by the
    assertion, so changing its wording in RuleProcessor breaks this test.
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )
    # Granularity says ACTION but no action is attached: this is the
    # inconsistent shape the processor is expected to discard and report.
    orphan_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.ACTION,
    )
    result = Result()
    result.failed_rules = [orphan_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    assert result.failed_rules == []
    mock_logger.assert_called_once_with(
        f"Failure with action granularity doesn't have actions: {orphan_failure}"
    )
def test_can_whitelist_action_from_any_stack_if_granularity_is_action():
    """A ``.*`` stack pattern whitelists the action for every stack, but only
    for failures whose granularity is ACTION.

    Two failures for the same rule are queued: one carrying the whitelisted
    action at ACTION granularity (removed) and one at STACK granularity with no
    actions (kept untouched).  Note that a ``.*`` entry applies to every stack,
    including ones the whitelist author may not have had in mind.
    """
    whitelist = {"S3CrossAccountTrustRule": {".*": {"s3:ListBucket"}}}
    config = Config(
        stack_name="abcd",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=whitelist,
    )

    action_level = Failure(
        rule="S3CrossAccountTrustRule",
        reason="ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions={"s3:ListBucket"},
        granularity=RuleGranularity.ACTION,
    )
    stack_level = Failure(
        rule="S3CrossAccountTrustRule",
        reason="This one isn't whitelisted because granularity is STACK and not ACTION",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    result = Result()
    result.failed_rules = [action_level, stack_level]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # Compare against a fresh object rather than ``stack_level`` itself so an
    # in-place mutation by the processor would still be detected.
    expected = Failure(
        rule="S3CrossAccountTrustRule",
        reason="This one isn't whitelisted because granularity is STACK and not ACTION",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    assert result.failed_rules == [expected]
def test_remove_failures_from_whitelisted_actions_only_removes_action_granularity(
    mock_rule_to_action_whitelist,
):
    """Whitelisting removes the ACTION-granularity failure and leaves the
    STACK-granularity one in place.

    ``mock_rule_to_action_whitelist`` is a fixture from the test module; for
    this test to pass it presumably whitelists ``s3:Get*`` for
    ``WildcardResourceRule`` on ``teststack`` -- confirm against the fixture.
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    shared_reason = "rolething is using a wildcard resource in BucketAccessPolicy"
    action_level = Failure(
        rule="WildcardResourceRule",
        reason=shared_reason,
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids={"BucketAccessPolicy"},
        actions={"s3:Get*"},
        granularity=RuleGranularity.ACTION,
    )
    stack_level = Failure(
        rule="WildcardResourceRule",
        reason=shared_reason,
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids=set(),
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    result = Result()
    result.failed_rules = [action_level, stack_level]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    expected = Failure(
        rule="WildcardResourceRule",
        reason=shared_reason,
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids=set(),
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    assert result.failed_rules == [expected]
def test_remove_failures_from_whitelisted_actions_uses_whitelist(
    mock_rule_to_action_whitelist,
):
    """Only failures whose action is covered by the whitelist are removed.

    Both failures are ACTION granularity for ``WildcardResourceRule``; the one
    with ``s3:Get*`` disappears and the one with ``dynamodb:Get`` remains, so the
    outcome is driven by the whitelist content rather than by granularity alone.
    ``mock_rule_to_action_whitelist`` is a fixture from the test module.
    """
    config = Config(
        stack_name="teststack",
        rules=["WildcardResourceRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    def wildcard_failure(resource_id, action, reason):
        # Both inputs share everything except resource, action and reason.
        return Failure(
            rule="WildcardResourceRule",
            reason=reason,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={resource_id},
            actions={action},
            granularity=RuleGranularity.ACTION,
        )

    bucket_reason = "rolething is using a wildcard resource in BucketAccessPolicy"
    dynamo_reason = "rolething is using a wildcard resource in DynamoAccessPolicy"
    result = Result()
    result.failed_rules = [
        wildcard_failure("BucketAccessPolicy", "s3:Get*", bucket_reason),
        wildcard_failure("DynamoAccessPolicy", "dynamodb:Get", dynamo_reason),
    ]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    expected = wildcard_failure("DynamoAccessPolicy", "dynamodb:Get", dynamo_reason)
    assert result.failed_rules == [expected]