-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from schubergphilis/fix-dependencies-exceptions
Fix dependencies, exceptions and extend the default interface.
- Loading branch information
Showing
7 changed files
with
469 additions
and
42 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,6 +26,23 @@ | |
| """ | ||
|
|
||
| import logging | ||
| from copy import deepcopy | ||
| from datetime import datetime | ||
|
|
||
| import boto3 | ||
| import botocore.errorfactory | ||
| import botocore.exceptions | ||
| from botocore.config import Config | ||
| from dateutil.parser import parse | ||
| from opnieuw import retry | ||
|
|
||
| from .awsfindingsmanagerlibexceptions import (InvalidRegion, | ||
| NoRegion, | ||
| InvalidOrNoCredentials) | ||
| from .configuration import (AWS_FOUNDATIONAL_SECURITY_FRAMEWORK, | ||
| CIS_AWS_FOUNDATION_FRAMEWORK, | ||
| PCI_DSS_FRAMEWORK, DEFAULT_SECURITY_HUB_FILTER) | ||
| from .validations import validate_allowed_denied_regions, validate_allowed_denied_account_ids | ||
|
|
||
| __author__ = '''Marwin Baumann <[email protected]>''' | ||
| __docformat__ = '''google''' | ||
|
|
@@ -37,25 +54,11 @@ | |
| __email__ = '''<[email protected]>,<[email protected]>,<[email protected]>''' | ||
| __status__ = '''Development''' # "Prototype", "Development", "Production". | ||
|
|
||
|
|
||
| # This is the main prefix used for logging | ||
| LOGGER_BASENAME = '''awsfindingsmanagerlib''' | ||
| LOGGER = logging.getLogger(LOGGER_BASENAME) | ||
| LOGGER.addHandler(logging.NullHandler()) | ||
|
|
||
| class FindingsManager: | ||
|
|
||
| def get_findings(self): | ||
| pass | ||
|
|
||
| def get_findings_by_rule_id(self): | ||
| pass | ||
|
|
||
| def get_findings_by_control_id(self): | ||
| pass | ||
|
|
||
| def get_findings_by_tag(self): | ||
| pass | ||
|
|
||
| class Finding: | ||
| """Models a finding.""" | ||
|
|
@@ -393,9 +396,7 @@ def _calculate_account_id_filter(allowed_account_ids, denied_account_ids): | |
| @staticmethod | ||
| def calculate_query_filter(query_filter=DEFAULT_SECURITY_HUB_FILTER, | ||
| allowed_account_ids=None, | ||
| denied_account_ids=None, | ||
| #frameworks=DEFAULT_SECURITY_HUB_FRAMEWORKS | ||
| ): | ||
| denied_account_ids=None): | ||
| """Calculates a Security Hub compatible filter for retrieving findings. | ||
| Depending on arguments provided for allow list, deny list and frameworks to retrieve a query is constructed to | ||
|
|
@@ -405,8 +406,6 @@ def calculate_query_filter(query_filter=DEFAULT_SECURITY_HUB_FILTER, | |
| query_filter: The default filter if no filter is provided. | ||
| allowed_account_ids: The allow list of account ids to get the findings for. | ||
| denied_account_ids: The deny list of account ids to filter out findings for. | ||
| frameworks: The default frameworks if no frameworks are provided. | ||
| Returns: | ||
| query_filter (dict): The query filter calculated based on the provided arguments. | ||
|
|
@@ -417,24 +416,56 @@ def calculate_query_filter(query_filter=DEFAULT_SECURITY_HUB_FILTER, | |
| if aws_account_ids: | ||
| query_filter.update({'AwsAccountId': aws_account_ids}) | ||
| return query_filter | ||
|
|
||
| def get_findings(self, query_filter): | ||
| """Retrieves findings from security hub based on a provided query. | ||
|
|
||
| Args: | ||
| query_filter (dict): The query filter to execute on security hub to get the findings. | ||
| def get_findings(self): | ||
| """Retrieves findings from security hub based on a default query. | ||
| Returns: | ||
| findings (list): A list of findings from security hub. | ||
| """ | ||
|
|
||
| query_filter = DEFAULT_SECURITY_HUB_FILTER | ||
| return self._get_findings(query_filter) | ||
|
|
||
| def get_findings_by_rule_id(self): | ||
| pass | ||
|
|
||
| """Retrieves findings from security hub based on a provided query that filters by rule id. | ||
| Returns: | ||
| findings (list): A list of findings from security hub. | ||
| """ | ||
| query_filter = {} # fix for rule id | ||
| return self._get_findings(query_filter) | ||
|
|
||
| def get_findings_by_control_id(self): | ||
| pass | ||
|
|
||
| """Retrieves findings from security hub based on a provided query that filters by control id. | ||
| Returns: | ||
| findings (list): A list of findings from security hub. | ||
| """ | ||
| query_filter = {} # fix for control id | ||
| return self._get_findings(query_filter) | ||
|
|
||
| def get_findings_by_tag(self): | ||
| pass | ||
| """Retrieves findings from security hub based on a provided query that filters by tag. | ||
| Returns: | ||
| findings (list): A list of findings from security hub. | ||
| """ | ||
| query_filter = {} # fix for tag | ||
| return self._get_findings(query_filter) | ||
|
|
||
| def suppress_findings(self): | ||
| """Suppresses findings from security hub based on a default query.""" | ||
|
|
||
| def suppress_findings_by_rule_id(self): | ||
| """Suppresses findings from security hub based on a query by rule id.""" | ||
|
|
||
| def suppress_findings_by_control_id(self): | ||
| """Suppresses findings from security hub based on a query by control id.""" | ||
|
|
||
| def suppress_findings_by_tag(self): | ||
| """Suppresses findings from security hub based on a query by tag.""" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,3 +34,31 @@ | |
| __maintainer__ = '''Ben van Breukelen, Costas Tyfoxylos, Marwin Baumann''' | ||
| __email__ = '''<[email protected]>,<[email protected]>,<[email protected]>''' | ||
| __status__ = '''Development''' # "Prototype", "Development", "Production". | ||
|
|
||
|
|
||
| class InvalidAccountListProvided(Exception): | ||
| """The list of accounts provided are not valid AWS accounts.""" | ||
|
|
||
|
|
||
| class InvalidRegionListProvided(Exception): | ||
| """The list of regions provided are not valid AWS regions.""" | ||
|
|
||
|
|
||
| class MutuallyExclusiveArguments(Exception): | ||
| """The arguments provided are mutually exclusive and only one of the should be provided.""" | ||
|
|
||
|
|
||
| class InvalidOrNoCredentials(Exception): | ||
| """Invalid or no credentials were provided from the environment.""" | ||
|
|
||
|
|
||
| class NoRegion(Exception): | ||
| """No region is set on the environment or provided to the library.""" | ||
|
|
||
|
|
||
| class InvalidRegion(Exception): | ||
| """The region provided is not valid.""" | ||
|
|
||
|
|
||
| class UnableToRetrieveSecurityHubRegions(Exception): | ||
| """Could not retrieve the regions security hub is active in.""" | ||
Oops, something went wrong.