def test_only_whitelisted_resources_are_removed(mock_rule_to_resource_whitelist):
    """Whitelisting drops only the listed resource id; the failure itself survives.

    ``rolething`` is assumed to be whitelisted for ``otherstack`` by the
    ``mock_rule_to_resource_whitelist`` fixture (defined outside this
    listing). After processing it must be gone from ``resource_ids`` while
    the two non-whitelisted ids keep the failure in ``failed_rules``.
    """
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    reason = "Forbidden cross-account policy allow with 123456789 for an S3 bucket."
    whitelisted_id = "rolething"
    surviving_ids = {"thenotwhitelistedthing", "anotherone"}

    def make_failure(resource_ids):
        # Identical failure shape each time; only the resource set differs.
        return Failure(
            rule="S3CrossAccountTrustRule",
            reason=reason,
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids=resource_ids,
            actions=None,
            granularity=RuleGranularity.RESOURCE,
        )

    result = Result()
    # Fresh set for the input so the processor never touches ``surviving_ids``.
    result.failed_rules = [make_failure(surviving_ids | {whitelisted_id})]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    assert result.failed_rules == [make_failure(surviving_ids)]
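def test_remove_failures_from_whitelisted_resources_only_removes_resource_granularity(mock_rule_to_resource_whitelist):
    """A whitelisted resource must not suppress an ACTION-granularity failure.

    ``rolething`` is assumed to be whitelisted for ``otherstack`` by the
    fixture (defined outside this listing), but its failure carries
    ``RuleGranularity.ACTION``; ``anotherthing`` is not whitelisted at all.
    Both failures must therefore come out of the processor unchanged.
    """
    import copy

    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    failed_rules = [
        {
            "rule": "S3CrossAccountTrustRule",
            "reason": "rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            "rule_mode": RuleMode.BLOCKING,
            "risk_value": RuleRisk.HIGH,
            "resource_ids": {"rolething"},
            "actions": None,
            "granularity": RuleGranularity.ACTION,
        },
        {
            "rule": "S3CrossAccountTrustRule",
            "reason": "anotherthing has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            "rule_mode": RuleMode.BLOCKING,
            "risk_value": RuleRisk.HIGH,
            "resource_ids": {"anotherthing"},
            "actions": None,
            "granularity": RuleGranularity.RESOURCE,
        },
    ]
    # Snapshot taken BEFORE the call: ``result.failed_rules`` aliases the very
    # list handed in, so asserting against ``failed_rules`` afterwards would be
    # vacuous if the processor edits the list (or its sets) in place.
    expected = copy.deepcopy(failed_rules)

    result = Result()
    result.failed_rules = failed_rules

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)
    assert result.failed_rules == expected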
def test_can_whitelist_resource_from_any_stack_if_granularity_is_resource():
    """A ``".*"`` stack key whitelists a resource for every stack name.

    The config's stack is ``abcd``, which only the ``".*"`` entry covers.
    The RESOURCE-granularity failure for ``ProductionAccessTest`` must be
    removed; the ACTION-granularity failure for the same resource id must
    stay, because whitelisting is keyed on resource granularity only.
    """
    whitelist_for_all_stacks = {
        "S3CrossAccountTrustRule": {
            ".*": {
                "ProductionAccessTest",
            },
            "otherstack": {
                "rolething",
            },
        },
    }
    config = Config(
        stack_name="abcd",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=whitelist_for_all_stacks,
    )

    action_reason = "This one isn't whitelisted because granularity is ACTION and not RESOURCE"

    def make_failure(reason, granularity):
        # Both failures target the same resource; only reason/granularity differ.
        return {
            "rule": "S3CrossAccountTrustRule",
            "reason": reason,
            "rule_mode": RuleMode.BLOCKING,
            "risk_value": RuleRisk.HIGH,
            "resource_ids": {"ProductionAccessTest"},
            "actions": None,
            "granularity": granularity,
        }

    result = Result()
    result.failed_rules = [
        make_failure(
            "ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
            RuleGranularity.RESOURCE,
        ),
        make_failure(action_reason, RuleGranularity.ACTION),
    ]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    # Built fresh rather than reused from the input list, so an in-place edit
    # by the processor cannot make the comparison trivially true.
    assert result.failed_rules == [make_failure(action_reason, RuleGranularity.ACTION)]
def test_remove_failures_from_whitelisted_resources_failure_no_resources_is_removed(mock_logger, mock_rule_to_resource_whitelist):
    """A RESOURCE-granularity failure without ``resource_ids`` is dropped and logged.

    The failure dict deliberately omits the ``resource_ids`` key. The
    processor is expected to remove it from ``failed_rules`` entirely and to
    emit exactly one log call naming the dropped failure (``mock_logger`` is
    a fixture defined outside this listing).
    """
    config = Config(
        stack_name="otherstack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    # Note: no "resource_ids" entry — that is the condition under test.
    failure = dict(
        rule="S3CrossAccountTrustRule",
        reason="rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=None,
        granularity=RuleGranularity.RESOURCE,
    )
    result = Result()
    result.failed_rules = [failure]

    RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)

    assert not result.failed_rules
    expected_message = f"Failure with resource granularity doesn't have resources: {failure}"
    mock_logger.assert_called_once_with(expected_message)