def test_action_whitelist_keeps_non_whitelisted_actions():
    """Whitelisting one action must not discard a failure's other actions.

    The whitelist is keyed on the ``.*`` stack pattern, which (judging by the
    local name in the original) is meant to apply to every stack, and lists
    only ``s3:List``. The assertion shows that ``s3:ListBucket`` is stripped
    while ``s3:GetBucket`` survives — so the whitelist entry apparently matches
    by prefix/regex rather than exact action name (inferred from the expected
    result, not shown here). Overbroad whitelist patterns therefore silently
    suppress more findings than their literal text suggests.
    """
    action_whitelist = {"MockRule": {".*": {"s3:List"}}}
    config = Config(
        stack_name="abcd",
        rules=["MockRule"],
        rule_to_action_whitelist=action_whitelist,
    )

    result = Result()
    result.failed_rules = [
        Failure(
            rule="MockRule",
            reason="MockRule is invalid for some actions",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions={"s3:ListBucket", "s3:GetBucket"},
            granularity=RuleGranularity.ACTION,
        )
    ]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # Only the non-whitelisted action may remain on the surviving failure.
    surviving_failure = Failure(
        rule="MockRule",
        reason="MockRule is invalid for some actions",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions={"s3:GetBucket"},
        granularity=RuleGranularity.ACTION,
    )
    assert result.failed_rules == [surviving_failure]
def test_remove_failures_from_whitelisted_actions_failure_no_actions_is_removed(
        mock_logger, mock_rule_to_action_whitelist):
    """An ACTION-granularity failure carrying no actions is dropped and logged.

    Note the behaviour this pins: the finding is removed from the result
    entirely (``failed_rules`` ends up empty) rather than kept as-is, and the
    single log message is the only remaining trace of it. The content of the
    ``mock_rule_to_action_whitelist`` fixture is not visible here.
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    # Granularity says ACTION but the action set is empty — the inconsistent case.
    empty_action_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason=
        "rolething has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.ACTION,
    )
    result = Result()
    result.failed_rules = [empty_action_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    assert not result.failed_rules
    mock_logger.assert_called_once_with(
        f"Failure with action granularity doesn't have actions: {empty_action_failure}")
def test_can_whitelist_action_from_any_stack_if_granularity_is_action():
    """A ``.*`` stack pattern whitelists an action regardless of stack name.

    Two failures for the same rule go in: one with ACTION granularity whose
    only action is whitelisted (it disappears completely), and one with STACK
    granularity (untouched, since action whitelisting does not apply to it).
    The stack name ``abcd`` is deliberately unrelated to the ``.*`` key, which
    is what makes this an any-stack check.
    """
    any_stack_whitelist = {
        "S3CrossAccountTrustRule": {
            ".*": {"s3:ListBucket"}
        }
    }
    config = Config(
        stack_name="abcd",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=any_stack_whitelist,
    )

    whitelisted_action_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason=
        "ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions={"s3:ListBucket"},
        granularity=RuleGranularity.ACTION,
    )
    stack_level_failure = Failure(
        rule="S3CrossAccountTrustRule",
        reason=
        "This one isn't whitelisted because granularity is STACK and not ACTION",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    result = Result()
    result.failed_rules = [whitelisted_action_failure, stack_level_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # Only the STACK-granularity failure should survive, unchanged.
    assert result.failed_rules == [
        Failure(
            rule="S3CrossAccountTrustRule",
            reason=
            "This one isn't whitelisted because granularity is STACK and not ACTION",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            actions=set(),
            granularity=RuleGranularity.STACK,
        )
    ]
def test_remove_failures_from_whitelisted_actions_only_removes_action_granularity(
        mock_rule_to_action_whitelist):
    """Action whitelisting never removes a STACK-granularity failure.

    Both failures belong to ``WildcardResourceRule``; the ACTION one is
    expected to be removed (presumably because the fixture whitelist covers
    ``s3:Get*`` for that rule — the fixture's content is not visible here),
    while the STACK one with no actions must remain exactly as built.
    """
    config = Config(
        stack_name="teststack",
        rules=["S3CrossAccountTrustRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    action_failure = Failure(
        rule="WildcardResourceRule",
        reason=
        "rolething is using a wildcard resource in BucketAccessPolicy",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids={"BucketAccessPolicy"},
        actions={"s3:Get*"},
        granularity=RuleGranularity.ACTION,
    )
    stack_failure = Failure(
        rule="WildcardResourceRule",
        reason=
        "rolething is using a wildcard resource in BucketAccessPolicy",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids=set(),
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    result = Result()
    result.failed_rules = [action_failure, stack_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # The STACK-granularity failure is the only one expected to survive.
    expected_survivor = Failure(
        rule="WildcardResourceRule",
        reason=
        "rolething is using a wildcard resource in BucketAccessPolicy",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids=set(),
        actions=set(),
        granularity=RuleGranularity.STACK,
    )
    assert result.failed_rules == [expected_survivor]
def test_remove_failures_from_whitelisted_actions_uses_whitelist(
        mock_rule_to_action_whitelist):
    """Only the whitelisted action's failure is removed; the other stays intact.

    Two ACTION-granularity failures for ``WildcardResourceRule`` are given:
    one on ``s3:Get*`` (expected to be removed, presumably because the fixture
    whitelist covers it — the fixture's content is not visible here) and one on
    ``dynamodb:Get`` (expected to be returned unchanged, actions included).
    """
    config = Config(
        stack_name="teststack",
        rules=["WildcardResourceRule"],
        rule_to_action_whitelist=mock_rule_to_action_whitelist,
    )

    s3_failure = Failure(
        rule="WildcardResourceRule",
        reason=
        "rolething is using a wildcard resource in BucketAccessPolicy",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids={"BucketAccessPolicy"},
        actions={"s3:Get*"},
        granularity=RuleGranularity.ACTION,
    )
    dynamodb_failure = Failure(
        rule="WildcardResourceRule",
        reason=
        "rolething is using a wildcard resource in DynamoAccessPolicy",
        rule_mode=RuleMode.BLOCKING,
        risk_value=RuleRisk.HIGH,
        resource_ids={"DynamoAccessPolicy"},
        actions={"dynamodb:Get"},
        granularity=RuleGranularity.ACTION,
    )
    result = Result()
    result.failed_rules = [s3_failure, dynamodb_failure]

    RuleProcessor.remove_failures_of_whitelisted_actions(config=config, result=result)

    # The dynamodb finding is not whitelisted and must come back unchanged.
    assert result.failed_rules == [
        Failure(
            rule="WildcardResourceRule",
            reason=
            "rolething is using a wildcard resource in DynamoAccessPolicy",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.HIGH,
            resource_ids={"DynamoAccessPolicy"},
            actions={"dynamodb:Get"},
            granularity=RuleGranularity.ACTION,
        )
    ]