def test_key_to_cel():
    """Map each c7n key spelling to the CEL accessor the rewriter emits.

    Four spellings are distinguished: a ``length(...)`` wrapper, a dotted
    path, a ``tag:`` lookup (which selects the first matching tag entry) and
    a plain attribute name.
    """
    cases = [
        ("length(key)", 'size(resource["key"])'),
        ("Key.Subkey", 'resource["Key"]["Subkey"]'),
        ("tag:TagName", 'resource["Tags"].filter(x, x["Key"] == "TagName")[0]["Value"]'),
        ("key", 'resource["key"]'),
    ]
    for c7n_key, cel_text in cases:
        assert C7N_Rewriter.key_to_cel(c7n_key) == cel_text
def test_health_event_rewrite():
    """Rewrite a ``health-event`` filter given as a dict and as a bare string.

    Both spellings must produce the same CEL expression.
    """
    expected = 'size(resource.get_health_events(["upcoming", "open"])) > 0'
    dict_clause = {"type": "health-event", "statuses": ["upcoming", "open"]}
    assert C7N_Rewriter.health_event_rewrite("directory", dict_clause) == expected
    # The bare-string form is dispatched through primitive().
    assert C7N_Rewriter.primitive("directory", "health-event") == expected
def test_security_group_rewrite():
    """Rewrite ``security-group`` filters on an EC2 resource.

    Every variant is wrapped in the same ``map(...).exists(sg, ...)`` scaffold;
    only the predicate on ``sg`` changes with ``key``/``op``.
    """
    scaffold = 'resource.SecurityGroups.map(sg, sg.GroupId.security_group()).exists(sg, '
    cases = [
        (
            {
                "key": "GroupId",
                "op": "in",
                "type": "security-group",
                "value": ["sg-12345678", "sg-23456789", "sg-34567890"],
            },
            scaffold + '[\'sg-12345678\', \'sg-23456789\', \'sg-34567890\'].contains(sg["GroupId"]))',
        ),
        (
            {
                "key": "GroupName",
                "op": "regex",
                "type": "security-group",
                "value": "^Enterprise-AllInstances-SG.*$",
            },
            scaffold + 'sg["GroupName"].matches(\'^Enterprise-AllInstances-SG.*$\'))',
        ),
        (
            {
                "key": "tag:ASSET",
                "op": "eq",
                "type": "security-group",
                "value": "SPECIALASSETNAME",
            },
            scaffold + 'sg["Tags"].filter(x, x["Key"] == "ASSET")[0]["Value"] == \'SPECIALASSETNAME\')',
        ),
    ]
    for clause, cel_text in cases:
        assert C7N_Rewriter.type_security_group_rewrite("ec2", clause) == cel_text
def test_type_vpc_rewrite():
    """Rewrite ``vpc`` filters for an ELB: an external ``value_from`` list and an inline value."""
    # The jmespath expression is built with a literal account id and must
    # appear verbatim, double quotes included, inside the generated CEL.
    jmes_expr = 'not_null(offhours_exceptions."{account_id}".account, "[]")'.format(
        account_id="123456789012"
    )
    from_list = {
        "key": "VpcId",
        "op": "not-in",
        "type": "vpc",
        "value_from": {
            "url": "s3://c7n-resources/some_list.json",
            "format": "json",
            "expr": jmes_expr,
        },
    }
    assert C7N_Rewriter.type_vpc_rewrite("elb", from_list) == (
        '! value_from("s3://c7n-resources/some_list.json", "json").jmes_path(\'not_null(offhours_exceptions."123456789012".account, \"[]\")\').contains(resource.VPCId)'
    )

    inline = {"key": "VpcId", "op": "not-equal", "type": "vpc", "value": "vpc-12ab34de"}
    assert C7N_Rewriter.type_vpc_rewrite("elb", inline) == 'resource.VPCId != "vpc-12ab34de"'
def test_network_location_rewrite():
    """Rewrite ``network-location`` filters comparing a resource with its SG or subnet.

    The first case carries an ``ignore`` list, which becomes a leading negated
    clause; the second has none and yields only the comparison and
    cardinality checks.
    """
    with_ignore = {
        'compare': ['resource', 'security-group'],
        'ignore': [
            {'Description': 'New VPC Enterprise All Instances SG 2016'},
            {'Description': 'Enterprise All Instances Security Group'},
            {'Description': 'CoreServicesAccess-SG'},
            {'tag:Asset': 'SomeAssetTag'},
        ],
        'key': 'tag:Asset',
        'max-cardinality': 1,
        'missing-ok': False,
        'type': 'network-location',
    }
    ignore_clause = (
        '! (["New VPC Enterprise All Instances SG 2016", "Enterprise All Instances Security Group", "CoreServicesAccess-SG"].contains(Resource.Description) || ["SomeAssetTag"].contains(Resource.Tags["Asset"])) '
    )
    sg_compare = (
        '&& (Resource.SecurityGroupId.security_group().Tags["Asset"] == Resource.Tags["Asset"]) '
        '&& (size(Resource.SecurityGroupId.security_group()) == 1)'
    )
    assert C7N_Rewriter.network_location_rewrite("ec2", with_ignore) == ignore_clause + sg_compare

    subnet_only = {
        'compare': ['resource', 'subnet'],
        'key': 'tag:Asset',
        'max-cardinality': 1,
        'missing-ok': False,
        'type': 'network-location',
    }
    subnet_compare = (
        '(Resource.SubnetId.subnet().Tags["Asset"] == Resource.Tags["Asset"]) '
        '&& (size(Resource.SubnetId.subnet()) == 1)'
    )
    assert C7N_Rewriter.network_location_rewrite("ec2", subnet_only) == subnet_compare
def test_cross_account_rewrite():
    """Rewrite ``cross-account`` filters on a glacier vault policy.

    The allow-list sources (inline ``whitelist``, ``whitelist_from`` URL plus
    jmespath, and ``whitelist_orgids``) each add a ``filter(...)`` stage; the
    URL and expression are carried into the CEL text verbatim.
    """
    policy_size = 'size(Resource.map(r, r["VaultName"])["policy"]["Policy"])'
    remote = {"expr": "accounts.*.accountNumber", "url": "http://server/path/to/data.json"}
    cases = [
        (
            {"type": "cross-account"},
            policy_size + ') > 0',
        ),
        (
            {
                "type": "cross-account",
                "whitelist": ["permitted-account-01", "permitted-account-02"],
            },
            policy_size + '.filter(acct, ! acct in ["permitted-account-01", "permitted-account-02"])) > 0',
        ),
        (
            {"type": "cross-account", "whitelist_from": remote},
            policy_size + '.filter(acct, ! acct in json_from("http://server/path/to/data.json", "json").jmes_path("accounts.*.accountNumber"))) > 0',
        ),
        (
            {
                "type": "cross-account",
                "whitelist_from": {
                    "expr": "accounts.*.account",
                    "url": "http://server/path/to/data.json",
                },
                "whitelist_orgids": ["o-rhymjmbbe"],
            },
            policy_size + '.filter(acct, ! acct in json_from("http://server/path/to/data.json", "json").jmes_path("accounts.*.account")).filter(p, ! p.attr in ["o-rhymjmbbe"])) > 0',
        ),
    ]
    for clause, cel_text in cases:
        assert C7N_Rewriter.cross_account_rewrite("glacier", clause) == cel_text
def test_type_value_rewrite_error(mock_key_to_cel):
    """Reject value clauses the rewriter cannot express.

    An unrecognised ``nope`` source beside ``op``, and a bare ``value`` of
    ``"nope"`` with no ``op``, must both raise ``ValueError`` instead of
    yielding CEL text.
    """
    bad_clauses = [
        {"key": "key", "op": "in", "nope": {"url": "url"}},
        {"key": "key", "value": "nope"},
    ]
    for clause in bad_clauses:
        with raises(ValueError):
            C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
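def test_tag_count_rewrite():
    """Rewrite a ``tag-count`` filter into ``size()`` over non-``aws:`` tags.

    Tags whose key matches ``^aws:.*`` are filtered out before counting, so
    the threshold applies to user-managed tags only.
    """
    # NOTE(review): the original body asserted the identical clause twice
    # (clause_0 and clause_1 were equal); the duplicate case was dropped.
    clause = {"type": "tag-count", "op": "gte", "count": 8}
    expected = 'size(resource["Tags"].filter(x, ! matches(x.Key, "^aws:.*"))) >= 8'
    assert C7N_Rewriter.type_tag_count_rewrite("elb", clause) == expected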
def test_is_logging_rewrite():
    """Rewrite ``is-logging`` per resource type; unknown types raise ``ValueError``.

    ``elb`` and ``app-elb`` produce different CEL because their access-log
    settings live in different places; the bare-string spelling goes through
    primitive() and must match the dict form.
    """
    elb_logging = 'resource.get_access_log().exists(a, a["Enabled"])'
    assert C7N_Rewriter.is_logging_rewrite("elb", {"type": "is-logging"}) == elb_logging
    assert C7N_Rewriter.primitive("elb", "is-logging") == elb_logging

    app_elb_logging = 'resource.get_load_balancer().get("access_logs.s3.enabled")'
    app_clause = {"type": "is-logging"}
    assert C7N_Rewriter.is_logging_rewrite("app-elb", app_clause) == app_elb_logging

    with raises(ValueError):
        C7N_Rewriter.is_logging_rewrite("nope", app_clause)
def test_value_to_cel_boolean():
    """Fold boolean comparisons into the key itself or its negation.

    Both the string spellings ``"true"``/``"false"`` and real booleans are
    accepted for ``eq``/``ne``; any other operator raises ``ValueError``.
    """
    cases = [
        ("eq", "true", "key"),
        ("eq", True, "key"),
        ("eq", "false", "! key"),
        ("eq", False, "! key"),
        ("ne", "true", "! key"),
        ("ne", True, "! key"),
        ("ne", "false", "key"),
        ("ne", False, "key"),
    ]
    for op, value, cel_text in cases:
        assert C7N_Rewriter.value_to_cel("key", op, value) == cel_text

    with raises(ValueError):
        C7N_Rewriter.value_to_cel("key", "nope", "true")
def test_type_kms_key_rewrite():
    """Rewrite ``kms-key`` regex filters on an EFS resource.

    The ``c7n:AliasName`` key resolves through the first ``Aliases`` entry;
    a plain ``AliasName`` is read directly from the key object.
    """
    cases = [
        (
            {
                "key": "c7n:AliasName",
                "op": "regex",
                "type": "kms-key",
                "value": "^(alias/enterprise/sns/encrypted)",
            },
            'Resource.KmsKeyId.kms_key()["Aliases"][0]["AliasName"].matches("^(alias/enterprise/sns/encrypted)")',
        ),
        (
            {
                "key": "AliasName",
                "op": "regex",
                "type": "kms-key",
                "value": "^(alias/aws/)",
            },
            'Resource.KmsKeyId.kms_key()["AliasName"].matches("^(alias/aws/)")',
        ),
    ]
    for clause, cel_text in cases:
        assert C7N_Rewriter.type_kms_key_rewrite("efs", clause) == cel_text
def test_logical_connector_not_1(mock_type_value_rewrite):
    """A single-element ``not`` wraps the rewritten child in ``! (...)``."""
    negated = {"not": [{"type": "value"}]}
    result = C7N_Rewriter.logical_connector(sentinel.resource, negated)
    assert result == f"! ({str(sentinel.rewritten)})"
    # The child clause is handed to the value rewriter exactly once.
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_value_from_to_cel():
    """Render a ``value_from`` source as a ``value_from(...)`` CEL call.

    ``format`` becomes a second argument, ``expr`` a chained ``jmes_path``;
    an operator of ``None`` renders the same as ``"in"``.
    """
    plain = {"url": "url://path"}
    with_format = {"url": "url://path", "format": "json"}
    with_expr = {"url": "url://path", "expr": "jmespath"}
    cases = [
        ("in", plain, 'value_from("url://path").contains(key)'),
        ("in", with_format, 'value_from("url://path", "json").contains(key)'),
        ("in", with_expr, 'value_from("url://path").jmes_path(\'jmespath\').contains(key)'),
        (None, dict(with_expr), 'value_from("url://path").jmes_path(\'jmespath\').contains(key)'),
    ]
    for op, source, cel_text in cases:
        assert C7N_Rewriter.value_from_to_cel("key", op, source) == cel_text
def test_offhour_rewrite():
    """Rewrite an opt-out ``offhour`` filter covering all seven weekdays.

    With ``opt-out`` set, presence of the opt-out tag short-circuits to
    ``false``; otherwise the day/hour test runs in the default timezone.
    """
    clause = {
        "type": "offhour",
        "weekends": False,
        "default_tz": "pt",
        "tag": "datetime",
        "opt-out": True,
        "offhour": 20,
    }
    expected = (
        'Resource.Tags.exists(x, x.key=="datetime") ? false : (Now.getDayOfWeek("pt") in [0, 1, 2, 3, 4, 5, 6] && Now.getHours("pt") == 20)'
    )
    assert C7N_Rewriter.offhour_rewrite("efs", clause) == expected
def test_primitive_absent(mock_type_value_rewrite):
    """A ``tag:...: absent`` shorthand is delegated whole to the value rewriter."""
    shorthand = {"tag:aws:autoscaling:groupName": "absent"}
    rewritten = C7N_Rewriter.primitive(sentinel.resource, shorthand)
    assert rewritten == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, shorthand)]
def test_type_value_from_rewrite(mock_key_to_cel, mock_value_from_to_cel):
    """A clause with ``value_from`` routes the key through key_to_cel, then value_from_to_cel."""
    source = {"url": "url"}
    clause = {"key": "key", "op": "in", "value_from": source}
    rewritten = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert rewritten == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    # The converted key, the operator and the raw value_from dict are forwarded.
    assert mock_value_from_to_cel.mock_calls == [call(str(sentinel.rewritten), "in", source)]
def test_primitive_mark_for_op(mock_type_marked_for_op_rewrite):
    """A ``marked-for-op`` clause is dispatched to the marked-for-op rewriter."""
    clause = {"type": "marked-for-op"}
    rewritten = C7N_Rewriter.primitive(sentinel.resource, clause)
    assert rewritten == str(sentinel.rewritten)
    assert mock_type_marked_for_op_rewrite.mock_calls == [call(sentinel.resource, {'type': 'marked-for-op'})]
def test_logical_connector_list(mock_type_value_rewrite):
    """A bare one-element list behaves like its single clause."""
    clauses = [{"type": "value"}]
    rewritten = C7N_Rewriter.logical_connector(sentinel.resource, clauses)
    assert rewritten == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_subnet_rewrite():
    """Rewrite a ``subnet-group`` filter whose members come from a text file.

    ``value_type: normalize`` adds a ``map(v, normalize(v))`` stage over the
    fetched list before the membership test.
    """
    clause = {
        "key": "SubnetId",
        "op": "in",
        "type": "subnet-group",
        "value_from": {"format": "txt", "url": "s3://path-to-resource/subnets.txt"},
        "value_type": "normalize",
    }
    expected = (
        'value_from("s3://path-to-resource/subnets.txt", "txt").map(v, normalize(v)).contains(Resource.SubnetId.subnet().SubnetID)'
    )
    assert C7N_Rewriter.type_subnet_rewrite("asg", clause) == expected
def test_marked_for_op_rewrite(mock_key_to_cel):
    """Rewrite ``marked-for-op`` into an action match plus a skewed date test.

    ``skew: 4`` is rendered as ``duration("4d0h")`` subtracted from the
    marked action date.
    """
    clause = {
        "op": "terminate",
        "skew": 4,
        "tag": "c7n-tag-compliance",
        "type": "marked-for-op",
    }
    marker = 'Resource["Tags"].marked_key("c7n-tag-compliance")'
    expected = (
        marker + '.action == "terminate" '
        '&& Now >= ' + marker + '.action_date '
        '- duration("4d0h")'
    )
    assert C7N_Rewriter.type_marked_for_op_rewrite(sentinel.resource, clause) == expected
def test_type_value_rewrite(mock_key_to_cel, mock_value_to_cel):
    """A plain ``key``/``op``/``value`` clause flows through key_to_cel and value_to_cel."""
    clause = {"key": "key", "op": "eq", "value": 42}
    rewritten = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert rewritten == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    # No value_type in the clause, so the fourth argument is None.
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "eq", 42, None)]
def test_type_value_rewrite_emptu(mock_key_to_cel, mock_value_to_cel):
    """A ``value: empty`` clause with no ``op`` is forwarded as ``__absent__``."""
    # TODO: the function name has a typo ("emptu"); left as-is so the test id is stable.
    clause = {"key": "key", "value": "empty"}
    rewritten = C7N_Rewriter.type_value_rewrite(sentinel.resource, clause)
    assert rewritten == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call("key")]
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "__absent__", None)]
def test_waf_enabled_rewrite():
    """Rewrite ``waf-enabled`` with ``state: False`` into a negated ACL membership test."""
    clause = {
        "type": "waf-enabled",
        "state": False,
        "web-acl": "WebACL to allow or restrict by IP",
    }
    expected = '! resource.web_acls().contains("WebACL to allow or restrict by IP")'
    assert C7N_Rewriter.waf_enabled_rewrite("distribution", clause) == expected
def test_logical_connector_or(mock_type_value_rewrite):
    """A one-element ``or`` collapses to its single clause.

    Singleton ``or`` blocks are common in real policies, so this form is
    exercised on its own.
    """
    singleton_or = {"or": [{"type": "value"}]}
    rewritten = C7N_Rewriter.logical_connector(sentinel.resource, singleton_or)
    assert rewritten == str(sentinel.rewritten)
    assert mock_type_value_rewrite.mock_calls == [call(sentinel.resource, {'type': 'value'})]
def test_onhour_rewrite():
    """Rewrite ``onhour`` filters: a plain opt-out form and one with skip-days and a schedule tag.

    The second case prefixes a skip-day check and, when the schedule tag is
    present, consults the tag's resource_schedule() before the default
    day/hour test.
    """
    opt_out = {
        "default_tz": "et",
        "onhour": 7,
        "opt-out": True,
        "type": "onhour",
    }
    opt_out_cel = (
        'resource.Tags.exists(x, x.key=="maid_offhours") ? false : (now.getDayOfWeek("et") in [0, 1, 2, 3, 4] && now.getHours("et") == 7)'
    )
    assert C7N_Rewriter.onhour_rewrite("efs", opt_out) == opt_out_cel

    with_skip_days = {
        "default_tz": "et",
        "onhour": 7,
        "skip-days": ['2019-11-11', '2019-11-28', '2019-12-25', '2020-01-01'],
        "tag": "custodian_downtime",
        "type": "onhour",
    }
    skip_days_cel = (
        '! getDate(now) in ["2019-11-11", "2019-11-28", "2019-12-25", "2020-01-01"].map(d, getDate(timestamp(d))) && resource.Tags.exists(x, x.key=="custodian_downtime") ? resource.Tags.key("custodian_downtime").resource_schedule().on.exists(s, now.getDayOfWeek(s.tz) in s.days && now.getHours(s.tz) == s.hour) || (now.getDayOfWeek("et") in [0, 1, 2, 3, 4] && now.getHours("et") == 7) : false'
    )
    assert C7N_Rewriter.onhour_rewrite("efs", with_skip_days) == skip_days_cel
def test_type_kms_alias_rewrite():
    """Rewrite a ``kms-alias`` regex filter into a ``kms_alias().AliasName.matches(...)`` test."""
    clause = {
        "key": "AliasName",
        "op": "regex",
        "type": "kms-alias",
        "value": "^(alias/aws/)",
    }
    expected = 'resource.kms_alias().AliasName.matches("^(alias/aws/)")'
    assert C7N_Rewriter.type_kms_alias_rewrite("elb", clause) == expected
def test_event_rewrite():
    """Rewrite an ``event`` regex filter as a dotted path under ``Event``."""
    clause = {
        "key": "detail.responseElements.functionName",
        "op": "regex",
        "type": "event",
        "value": "^(custodian-.*)",
    }
    expected = 'Event.detail.responseElements.functionName.matches("^(custodian-.*)")'
    assert C7N_Rewriter.type_event_rewrite(sentinel.resource, clause) == expected
def test_tag_absent(mock_key_to_cel, mock_value_to_cel):
    """A ``tag:...: absent`` shorthand is expanded to a key lookup plus ``__absent__``."""
    tag_key = "tag:aws:autoscaling:groupName"
    rewritten = C7N_Rewriter.type_value_rewrite(sentinel.resource, {tag_key: "absent"})
    assert rewritten == str(sentinel.rewritten)
    assert mock_key_to_cel.mock_calls == [call(tag_key)]
    assert mock_value_to_cel.mock_calls == [call(str(sentinel.rewritten), "__absent__", None)]
def test_type_credential_rewrite():
    """Rewrite a ``credential`` age filter into a ``now - duration(...)`` comparison.

    ``value_type: age`` with ``value: 55`` becomes ``duration("55d")``; the
    credential field is wrapped in ``timestamp()`` for the comparison.
    """
    clause = {
        "key": "access_keys.last_rotated",
        "op": "gte",
        "type": "credential",
        "value": 55,
        "value_type": "age",
    }
    expected = 'now - duration("55d") >= timestamp(resource.credentials().access_keys.last_rotated)'
    assert C7N_Rewriter.type_credential_rewrite("elb", clause) == expected
def test_image_rewrite():
    """Rewrite an ``image`` regex filter into ``image().Name.matches(...)``.

    The pattern is a negative lookahead and is passed through unchanged.
    """
    clause = {
        "key": "Name",
        "op": "regex",
        "type": "image",
        "value": "(?!WIN.*)",
    }
    expected = 'resource.image().Name.matches("(?!WIN.*)")'
    assert C7N_Rewriter.type_image_rewrite(sentinel.resource, clause) == expected