def test_remove_debug_rules():
original_failed_monitored_rules = [
Failure(
rule="a",
reason="something",
rule_mode=RuleMode.MONITOR,
granularity=RuleGranularity.STACK,
risk_value=RuleRisk.HIGH,
),
Failure(
rule="b",
reason="something",
rule_mode=RuleMode.DEBUG,
granularity=RuleGranularity.STACK,
risk_value=RuleRisk.MEDIUM,
),
Failure(
rule="c",
reason="something",
rule_mode=RuleMode.MONITOR,
granularity=RuleGranularity.STACK,
risk_value=RuleRisk.LOW,
),
]
list_with_no_debug_rules = [
original_failed_monitored_rules[0], original_failed_monitored_rules[2]
]
processed_list = RuleProcessor.remove_debug_rules(
rules=original_failed_monitored_rules)
assert list_with_no_debug_rules == processed_list
def handler(event, context):
"""
Main entry point of the Lambda function.
:param event: {
"stack_template_url": String,
"project": String,
"stack": {
"name": String,
},
"event": String,
"region": String,
"account": {
"name": String,
"id": String,
},
"user_agent": String,
}
:param context:
:return:
"""
setup_logging()
if not event.get("stack_template_url") and not event.get("stack",
{}).get("name"):
raise ValueError(
"Invalid event type: no parameter 'stack_template_url' or 'stack::name' in request."
)
template = get_template(event)
if not template:
# In case of an invalid script log a warning and return early
result = Result()
result.add_exception(
TypeError(
f"Malformed Event - could not parse!! Event: {str(event)}"))
logger.exception(
f"Malformed Event - could not parse!! Event: {str(event)}")
return {
"valid": True,
"reason": "",
"failed_rules": [],
"exceptions": [x.args[0] for x in result.exceptions]
}
# Process Rules
config = Config(
project_name=event.get("project"),
service_name=event.get("serviceName"),
stack_name=event.get("stack", {}).get("name"),
rules=DEFAULT_RULES.keys(),
event=event.get("event"),
template_url=event.get("stack_template_url", "N/A"),
aws_region=event.get("region", "N/A"),
aws_account_name=event.get("account", {}).get("name", "N/A"),
aws_account_id=event.get("account", {}).get("id", "N/A"),
aws_user_agent=event.get("user_agent", "N/A"),
)
logger.info("Scan started for: {}; {}; {};".format(config.project_name,
config.service_name,
config.stack_name))
rules = [DEFAULT_RULES.get(rule)(config) for rule in config.rules]
processor = RuleProcessor(*rules)
# TODO get AWS variables/parameters and pass them to resolve
cfmodel = pycfmodel.parse(template).resolve()
result = processor.process_cf_template(cfmodel, config)
perform_logging(result, config, event)
return {
"valid":
result.valid,
"reason":
",".join(
["{}-{}".format(r.rule, r.reason) for r in result.failed_rules]),
"failed_rules": [
failure.serializable()
for failure in RuleProcessor.remove_debug_rules(
rules=result.failed_rules)
],
"exceptions": [x.args[0] for x in result.exceptions],
"warnings": [
failure.serializable()
for failure in RuleProcessor.remove_debug_rules(
rules=result.failed_monitored_rules)
],
}
def test_remove_debug_rules_no_rules():
processed_list = RuleProcessor.remove_debug_rules(rules=[])
assert [] == processed_list
