fix(general): revert support multiple frameworks in one custom policy (…
1 parent
11f5e8a
commit 851eadb
Showing
4 changed files
with
25 additions
and
107 deletions.
@@ -7,7 +7,7 @@ | |
CustomPoliciesIntegration | ||
from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration | ||
from checkov.common.checks_infra.checks_parser import GraphCheckParser | ||
from checkov.common.checks_infra.registry import Registry, get_all_graph_checks_registries, get_graph_checks_registry | ||
from checkov.common.checks_infra.registry import Registry, get_graph_checks_registry | ||
from checkov.common.models.enums import CheckResult | ||
from checkov.common.output.record import Record | ||
from checkov.common.output.report import Report | ||
|
@@ -19,10 +19,10 @@ | |
|
||
class TestCustomPoliciesIntegration(unittest.TestCase): | ||
def tearDown(self) -> None: | ||
get_graph_checks_registry("cloudformation").custom_policies_checks = [] | ||
get_graph_checks_registry("terraform").custom_policies_checks = [] | ||
get_graph_checks_registry("kubernetes").custom_policies_checks = [] | ||
get_graph_checks_registry("bicep").custom_policies_checks = [] | ||
get_graph_checks_registry("cloudformation").checks = [] | ||
get_graph_checks_registry("terraform").checks = [] | ||
get_graph_checks_registry("kubernetes").checks = [] | ||
get_graph_checks_registry("bicep").checks = [] | ||
|
||
def test_integration_valid(self): | ||
instance = BcPlatformIntegration() | ||
|
@@ -170,7 +170,7 @@ def test_policy_load(self): | |
registry = Registry(parser=GraphCheckParser(), checks_dir=str( | ||
Path(__file__).parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks")) | ||
checks = [parser.parse_raw_check(CustomPoliciesIntegration._convert_raw_check(p)) for p in policies] | ||
registry.custom_policies_checks = checks # simulate that the policy downloader will do | ||
registry.checks = checks # simulate that the policy downloader will do | ||
|
||
tf_runner = TerraformRunner(external_registries=[registry]) | ||
cfn_runner = CFNRunner(external_registries=[registry]) | ||
|
@@ -216,10 +216,10 @@ def test_pre_scan_with_cloned_checks(self): | |
instance.customer_run_config_response = mock_custom_policies_response() | ||
|
||
custom_policies_integration.pre_scan() | ||
cfn_registry = get_graph_checks_registry("cloudformation").custom_policies_checks | ||
tf_registry = get_graph_checks_registry("terraform").custom_policies_checks | ||
k8s_registry = get_graph_checks_registry("kubernetes").custom_policies_checks | ||
bicep_registry = get_graph_checks_registry("bicep").custom_policies_checks | ||
cfn_registry = get_graph_checks_registry("cloudformation").checks | ||
tf_registry = get_graph_checks_registry("terraform").checks | ||
k8s_registry = get_graph_checks_registry("kubernetes").checks | ||
bicep_registry = get_graph_checks_registry("bicep").checks | ||
self.assertEqual(1, len(custom_policies_integration.bc_cloned_checks)) | ||
self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].id, cfn_registry[0].id) | ||
self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].bc_id, cfn_registry[0].bc_id) | ||
|
@@ -228,25 +228,6 @@ def test_pre_scan_with_cloned_checks(self): | |
self.assertEqual('kpande_bicep_1650378013212', bicep_registry[0].id) | ||
self.assertEqual('kpande_bicep_1650378013212', bicep_registry[0].bc_id) | ||
|
||
def test_pre_scan_with_multiple_frameworks_graph_check(self): | ||
instance = BcPlatformIntegration() | ||
instance.skip_download = False | ||
instance.platform_integration_configured = True | ||
custom_policies_integration = CustomPoliciesIntegration(instance) | ||
|
||
instance.customer_run_config_response = mock_multiple_frameworks_custom_policy_response() | ||
|
||
custom_policies_integration.pre_scan() | ||
bicep_registry_custom_policies_checks = get_graph_checks_registry("bicep").custom_policies_checks | ||
all_graph_checks = get_all_graph_checks_registries() | ||
for registry in all_graph_checks: | ||
multiple_frameworks_custom_policy_exist = False | ||
for check in registry.custom_policies_checks: | ||
if check.bc_id == 'multiple_frameworks_policy_1625063607541': | ||
multiple_frameworks_custom_policy_exist = True | ||
self.assertEqual(True, multiple_frameworks_custom_policy_exist) | ||
self.assertEqual(2, len(bicep_registry_custom_policies_checks)) | ||
|
||
def test_post_runner_with_cloned_checks(self): | ||
instance = BcPlatformIntegration() | ||
instance.skip_download = False | ||
|
@@ -493,8 +474,8 @@ def test_policy_load_with_resources_types_as_str(self): | |
Path(__file__).parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks")) | ||
checks = [parser.parse_raw_check(CustomPoliciesIntegration._convert_raw_check(p)) for p in policies] | ||
registry.checks = checks # simulate that the policy downloader will do | ||
|
||
|
||
def mock_custom_policies_response(): | ||
return { | ||
"customPolicies": [ | ||
|
@@ -575,45 +556,5 @@ def mock_custom_policies_response(): | |
} | ||
|
||
|
||
def mock_multiple_frameworks_custom_policy_response(): | ||
return { | ||
"customPolicies": [ | ||
{ | ||
"id": "kpande_bicep_1650378013212", | ||
"code": "{\"operator\":\"exists\",\"attribute\":\"spec.runAsUser.rule\",\"cond_type\":\"attribute\"," | ||
"\"resource_types\":[\"PodSecurityPolicy\"]}", | ||
"title": "bicep policy", | ||
"guideline": "meaningful guideline for bicep policy", | ||
"severity": "HIGH", | ||
"pcSeverity": None, | ||
"category": "bicep", | ||
"pcPolicyId": None, | ||
"additionalPcPolicyIds": None, | ||
"sourceIncidentId": None, | ||
"benchmarks": {}, | ||
"frameworks": [ | ||
"bicep" | ||
] | ||
}, | ||
{ | ||
"id": "multiple_frameworks_policy_1625063607541", | ||
"title": "multiple frameworks policy", | ||
"code": "{\"and\":[{\"operator\":\"exists\",\"cond_type\":\"connection\",\"resource_types\":[" | ||
"\"azurerm_subnet_network_security_group_association\"],\"connected_resource_types\":[" | ||
"\"azurerm_subnet\",\"azurerm_network_security_group\"]},{\"value\":[\"azurerm_subnet\"]," | ||
"\"operator\":\"within\",\"attribute\":\"resource_type\",\"cond_type\":\"filter\"}]}", | ||
"severity": "CRITICAL", | ||
"category": "General", | ||
"frameworks": [], | ||
"resourceTypes": ["aws_s3_bucket", "PodSecurityPolicy"], | ||
"guideline": "multiple_frameworks_policy_1625063607541", | ||
"benchmarks": {}, | ||
"createdBy": "[email protected]", | ||
"sourceIncidentId": None | ||
} | ||
] | ||
} | ||
|
||
|
||
if __name__ == '__main__': | ||
unittest.main() |
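Review bot: In test_pre_scan_with_cloned_checks the two three-argument assertEqual calls kept on the new side (`self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].id, cfn_registry[0].id)` and the matching `bc_id` line) never check the cloudformation registry: the third positional argument of assertEqual is `msg`, so `cfn_registry[0].id` is only used as the failure message and a wrong or missing cloned check in the cloudformation registry would pass silently. Split each into two assertions, e.g. `self.assertEqual('kpande_AZR_1648821862291', tf_registry[0].id)` followed by `self.assertEqual('kpande_AZR_1648821862291', cfn_registry[0].id)`, and the same pair for `bc_id`. Separately, tearDown now resets `.checks = []` on the four process-global registries returned by get_graph_checks_registry; if those lists also hold the built-in graph checks after this revert (the tests only show custom checks being assigned there), this wipes built-in checks for any later test in the same process, so a comment noting that assumption, or a setUp that reloads the registries, would make the isolation explicit. The class TestCustomPoliciesIntegration starts in the first hunk and its remaining methods are outside the shown hunks.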