PyPI - regscale-cli - Versions diffs - 6.27.3.0__py3-none-any.whl → 6.28.1.0__py3-none-any.whl - Mend - Supply Chain Defender

regscale-cli 6.27.3.0py3-none-any.whl → 6.28.1.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of regscale-cli might be problematic. Click here for more details.

Files changed (113) hide show

tests/regscale/integrations/commercial/aws/test_config_compliance.py ADDED Viewed

@@ -0,0 +1,298 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Unit tests for AWS Config Compliance Integration."""
+import json
+import pytest
+from unittest.mock import Mock, MagicMock, patch, mock_open
+from datetime import datetime
+from regscale.integrations.commercial.aws.config_compliance import (
+    AWSConfigCompliance,
+    AWSConfigComplianceItem,
+)
+class TestAWSConfigComplianceItem:
+    """Test AWS Config Compliance Item."""
+    def test_initialization(self):
+        """Test compliance item initialization."""
+        rule_evaluations = [
+            {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0},
+            {"rule_name": "test-rule-2", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 5},
+        ]
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations,
+            resource_id="123456789012",
+            resource_name="Test Account",
+        )
+        assert item.control_id == "AC-2"
+        assert item._control_name == "Account Management"
+        assert item.framework == "NIST800-53R5"
+        assert len(item.rule_evaluations) == 2
+        assert item.resource_id == "123456789012"
+        assert item.resource_name == "Test Account"
+    def test_compliance_result_fail(self):
+        """Test compliance result returns FAIL for non-compliant rules."""
+        rule_evaluations = [
+            {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0},
+            {"rule_name": "test-rule-2", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 5},
+        ]
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations,
+        )
+        assert item.compliance_result == "FAIL"
+    def test_compliance_result_pass(self):
+        """Test compliance result returns PASS for all compliant rules."""
+        rule_evaluations = [
+            {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0},
+            {"rule_name": "test-rule-2", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0},
+        ]
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations,
+        )
+        assert item.compliance_result == "PASS"
+    def test_compliance_result_no_data(self):
+        """Test compliance result returns None for no data."""
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=[],
+        )
+        assert item.compliance_result is None
+    def test_severity_for_failed_control(self):
+        """Test severity calculation for failed controls."""
+        # Test HIGH severity (>= 5 non-compliant rules)
+        rule_evaluations_high = [
+            {"rule_name": f"test-rule-{i}", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 1}
+            for i in range(6)
+        ]
+        item_high = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations_high,
+        )
+        assert item_high.severity == "HIGH"
+        # Test MEDIUM severity (2-4 non-compliant rules)
+        rule_evaluations_medium = [
+            {"rule_name": f"test-rule-{i}", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 1}
+            for i in range(3)
+        ]
+        item_medium = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations_medium,
+        )
+        assert item_medium.severity == "MEDIUM"
+        # Test LOW severity (1 non-compliant rule)
+        rule_evaluations_low = [
+            {"rule_name": "test-rule-1", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 1}
+        ]
+        item_low = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations_low,
+        )
+        assert item_low.severity == "LOW"
+    def test_severity_for_passed_control(self):
+        """Test severity is None for passed controls."""
+        rule_evaluations = [
+            {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0}
+        ]
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations,
+        )
+        assert item.severity is None
+    def test_description_html_format(self):
+        """Test description contains HTML formatting."""
+        rule_evaluations = [
+            {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0},
+            {"rule_name": "test-rule-2", "compliance_type": "NON_COMPLIANT", "non_compliant_resource_count": 5},
+        ]
+        item = AWSConfigComplianceItem(
+            control_id="AC-2",
+            control_name="Account Management",
+            framework="NIST800-53R5",
+            rule_evaluations=rule_evaluations,
+        )
+        description = item.description
+        assert "<h3>" in description
+        assert "AC-2" in description
+        assert "<strong>" in description
+        assert "Total Rules" in description
+        assert "Compliant Rules" in description
+        assert "Non-Compliant Rules" in description
+class TestAWSConfigCompliance:
+    """Test AWS Config Compliance Integration."""
+    @pytest.fixture
+    def mock_boto_session(self):
+        """Create a mock boto3 session."""
+        with patch("boto3.Session") as mock_session:
+            mock_session_instance = MagicMock()
+            mock_session.return_value = mock_session_instance
+            # Mock clients
+            mock_config_client = MagicMock()
+            mock_sts_client = MagicMock()
+            # Setup client creation
+            def get_client(service_name):
+                if service_name == "config":
+                    return mock_config_client
+                elif service_name == "sts":
+                    return mock_sts_client
+                return MagicMock()
+            mock_session_instance.client.side_effect = get_client
+            # Mock STS get_caller_identity
+            mock_sts_client.get_caller_identity.return_value = {"Account": "123456789012"}
+            yield {
+                "session": mock_session_instance,
+                "config_client": mock_config_client,
+                "sts_client": mock_sts_client,
+            }
+    def test_initialization(self, mock_boto_session):
+        """Test AWS Config Compliance initialization."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(
+                plan_id=123,
+                region="us-east-1",
+                framework="NIST800-53R5",
+                create_issues=True,
+                update_control_status=True,
+            )
+            assert scanner.plan_id == 123
+            assert scanner.region == "us-east-1"
+            assert scanner.framework == "NIST800-53R5"
+            assert scanner.create_issues is True
+            assert scanner.update_control_status is True
+            assert scanner.title == "AWS Config"
+    def test_cache_validation(self, mock_boto_session):
+        """Test cache validation logic."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(plan_id=123, region="us-east-1")
+            # Test with no cache file
+            with patch("os.path.exists", return_value=False):
+                assert scanner._is_cache_valid() is False
+            # Test with valid cache file
+            with patch("os.path.exists", return_value=True):
+                with patch("os.path.getmtime", return_value=datetime.now().timestamp() - 3600):  # 1 hour old
+                    assert scanner._is_cache_valid() is True
+            # Test with expired cache file
+            with patch("os.path.exists", return_value=True):
+                with patch("os.path.getmtime", return_value=datetime.now().timestamp() - (5 * 3600)):  # 5 hours old
+                    assert scanner._is_cache_valid() is False
+    def test_create_compliance_item(self, mock_boto_session):
+        """Test creating compliance item from raw data."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(plan_id=123, region="us-east-1")
+            raw_data = {
+                "control_id": "AC-2",
+                "control_name": "Account Management",
+                "rule_evaluations": [
+                    {"rule_name": "test-rule-1", "compliance_type": "COMPLIANT", "non_compliant_resource_count": 0}
+                ],
+                "resource_id": "123456789012",
+                "resource_name": "Test Account",
+            }
+            item = scanner.create_compliance_item(raw_data)
+            assert isinstance(item, AWSConfigComplianceItem)
+            assert item.control_id == "AC-2"
+            assert len(item.rule_evaluations) == 1
+    def test_get_aws_account_id(self, mock_boto_session):
+        """Test getting AWS account ID."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(plan_id=123, region="us-east-1")
+            account_id = scanner._get_aws_account_id()
+            assert account_id == "123456789012"
+    def test_load_cached_data(self, mock_boto_session):
+        """Test loading data from cache."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(plan_id=123, region="us-east-1")
+            cached_data = [{"control_id": "AC-2", "rule_evaluations": []}]
+            mock_file_content = json.dumps(cached_data)
+            with patch("builtins.open", mock_open(read_data=mock_file_content)):
+                loaded_data = scanner._load_cached_data()
+                assert len(loaded_data) == 1
+                assert loaded_data[0]["control_id"] == "AC-2"
+    def test_save_to_cache(self, mock_boto_session):
+        """Test saving data to cache."""
+        with patch("boto3.Session", return_value=mock_boto_session["session"]):
+            scanner = AWSConfigCompliance(plan_id=123, region="us-east-1")
+            compliance_data = [{"control_id": "AC-2", "rule_evaluations": []}]
+            with patch("os.makedirs") as mock_makedirs:
+                with patch("builtins.open", mock_open()) as mock_file:
+                    scanner._save_to_cache(compliance_data)
+                    mock_makedirs.assert_called_once()
+                    mock_file.assert_called_once()
+if __name__ == "__main__":
+    pytest.main([__file__, "-v"])

tests/regscale/integrations/commercial/aws/test_conformance_pack_mappings.py ADDED Viewed

@@ -0,0 +1,200 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Unit tests for AWS Config Conformance Pack Mappings."""
+import pytest
+from regscale.integrations.commercial.aws.conformance_pack_mappings import (
+    extract_control_ids_from_rule_name,
+    extract_control_ids_from_tags,
+    get_control_mappings_for_framework,
+    map_rule_to_controls,
+    NIST_80053_R5_MAPPINGS,
+)
+class TestExtractControlIdsFromRuleName:
+    """Test extracting control IDs from rule names."""
+    def test_extract_single_control(self):
+        """Test extracting a single control ID."""
+        rule_name = "ac-2-iam-user-mfa-enabled"
+        control_ids = extract_control_ids_from_rule_name(rule_name)
+        assert "AC-2" in control_ids
+    def test_extract_multiple_controls(self):
+        """Test extracting multiple control IDs."""
+        rule_name = "AC-2-AU-3-combined-rule"
+        control_ids = extract_control_ids_from_rule_name(rule_name)
+        assert "AC-2" in control_ids
+        assert "AU-3" in control_ids
+    def test_extract_control_with_enhancement(self):
+        """Test extracting control with enhancement - currently only extracts base control."""
+        rule_name = "ia-2-1-mfa-enabled-for-console-access"
+        control_ids = extract_control_ids_from_rule_name(rule_name)
+        # Note: Current implementation extracts base control only (IA-2), not enhancement (IA-2(1))
+        assert "IA-2" in control_ids
+    def test_no_controls_in_name(self):
+        """Test rule name with no control IDs."""
+        rule_name = "encrypted-volumes"
+        control_ids = extract_control_ids_from_rule_name(rule_name)
+        assert len(control_ids) == 0
+    def test_case_insensitive(self):
+        """Test case-insensitive extraction."""
+        rule_name = "ac-2-iam-user-mfa-enabled"
+        control_ids = extract_control_ids_from_rule_name(rule_name)
+        assert "AC-2" in control_ids
+class TestExtractControlIdsFromTags:
+    """Test extracting control IDs from tags."""
+    def test_extract_single_control_from_controlid_tag(self):
+        """Test extracting single control from ControlID tag."""
+        tags = {"ControlID": "AC-2"}
+        control_ids = extract_control_ids_from_tags(tags)
+        assert "AC-2" in control_ids
+    def test_extract_multiple_controls_from_controlid_tag(self):
+        """Test extracting multiple controls from ControlID tag."""
+        tags = {"ControlID": "AC-2,AU-3,SI-2"}
+        control_ids = extract_control_ids_from_tags(tags)
+        assert "AC-2" in control_ids
+        assert "AU-3" in control_ids
+        assert "SI-2" in control_ids
+    def test_extract_from_controlids_tag(self):
+        """Test extracting from ControlIDs (plural) tag."""
+        tags = {"ControlIDs": "AC-2,AU-3"}
+        control_ids = extract_control_ids_from_tags(tags)
+        assert "AC-2" in control_ids
+        assert "AU-3" in control_ids
+    def test_extract_from_control_id_hyphen_tag(self):
+        """Test extracting from Control-ID tag."""
+        tags = {"Control-ID": "AC-2"}
+        control_ids = extract_control_ids_from_tags(tags)
+        assert "AC-2" in control_ids
+    def test_no_control_tags(self):
+        """Test tags with no control IDs."""
+        tags = {"Environment": "Production", "Owner": "Security"}
+        control_ids = extract_control_ids_from_tags(tags)
+        assert len(control_ids) == 0
+    def test_empty_tags(self):
+        """Test empty tags dictionary."""
+        control_ids = extract_control_ids_from_tags({})
+        assert len(control_ids) == 0
+class TestGetControlMappingsForFramework:
+    """Test getting control mappings for framework."""
+    def test_nist_800_53_r5_framework(self):
+        """Test NIST 800-53 R5 framework mappings."""
+        mappings = get_control_mappings_for_framework("NIST800-53R5")
+        assert len(mappings) > 0
+        assert "iam-password-policy" in mappings
+        assert "AC-2" in mappings["iam-password-policy"]
+    def test_nist_alternate_formats(self):
+        """Test alternate NIST framework format names."""
+        mappings1 = get_control_mappings_for_framework("NIST800-53R5")
+        mappings2 = get_control_mappings_for_framework("NIST-800-53-R5")
+        mappings3 = get_control_mappings_for_framework("NIST_800_53_R5")
+        assert mappings1 == mappings2 == mappings3
+    def test_unknown_framework(self):
+        """Test unknown framework returns empty mappings."""
+        mappings = get_control_mappings_for_framework("UNKNOWN_FRAMEWORK")
+        assert len(mappings) == 0
+class TestMapRuleToControls:
+    """Test mapping rules to controls."""
+    def test_map_via_framework_mappings(self):
+        """Test mapping via framework-specific mappings."""
+        control_ids = map_rule_to_controls(rule_name="iam-password-policy", framework="NIST800-53R5")
+        assert "AC-2" in control_ids
+        assert "IA-5" in control_ids
+    def test_map_via_tags_priority(self):
+        """Test that tags take priority over framework mappings."""
+        rule_tags = {"ControlID": "AC-5"}
+        control_ids = map_rule_to_controls(
+            rule_name="iam-password-policy", rule_tags=rule_tags, framework="NIST800-53R5"
+        )
+        # Should include both framework mapping and tag
+        assert "AC-2" in control_ids  # From framework mapping
+        assert "IA-5" in control_ids  # From framework mapping
+        assert "AC-5" in control_ids  # From tags
+    def test_map_via_rule_name_pattern(self):
+        """Test mapping via pattern matching in rule name."""
+        control_ids = map_rule_to_controls(rule_name="custom-ac-2-check-rule", framework="NIST800-53R5")
+        assert "AC-2" in control_ids
+    def test_map_via_description_pattern(self):
+        """Test mapping via pattern matching in description."""
+        control_ids = map_rule_to_controls(
+            rule_name="custom-check", rule_description="This rule checks AC-2 compliance", framework="NIST800-53R5"
+        )
+        assert "AC-2" in control_ids
+    def test_no_mapping_found(self):
+        """Test rule with no mappable controls."""
+        control_ids = map_rule_to_controls(
+            rule_name="unknown-custom-rule", rule_description="Some custom check", framework="NIST800-53R5"
+        )
+        assert len(control_ids) == 0
+    def test_deduplicate_controls(self):
+        """Test that duplicate controls are removed."""
+        rule_tags = {"ControlID": "AC-2,AU-3"}
+        control_ids = map_rule_to_controls(
+            rule_name="ac-2-au-3-combined-check", rule_tags=rule_tags, framework="NIST800-53R5"
+        )
+        # Should have AC-2 and AU-3 only once each
+        assert control_ids.count("AC-2") == 1
+        assert control_ids.count("AU-3") == 1
+class TestNIST80053R5Mappings:
+    """Test NIST 800-53 R5 mappings structure."""
+    def test_mappings_exist(self):
+        """Test that mappings dictionary exists and has content."""
+        assert len(NIST_80053_R5_MAPPINGS) > 0
+    def test_cloudtrail_mapping(self):
+        """Test CloudTrail rule mappings."""
+        assert "cloudtrail-enabled" in NIST_80053_R5_MAPPINGS
+        assert "AU-2" in NIST_80053_R5_MAPPINGS["cloudtrail-enabled"]
+        assert "AU-3" in NIST_80053_R5_MAPPINGS["cloudtrail-enabled"]
+    def test_iam_password_policy_mapping(self):
+        """Test IAM password policy mappings."""
+        assert "iam-password-policy" in NIST_80053_R5_MAPPINGS
+        assert "AC-2" in NIST_80053_R5_MAPPINGS["iam-password-policy"]
+        assert "IA-5" in NIST_80053_R5_MAPPINGS["iam-password-policy"]
+    def test_encryption_mappings(self):
+        """Test encryption-related mappings."""
+        assert "encrypted-volumes" in NIST_80053_R5_MAPPINGS
+        assert "SC-13" in NIST_80053_R5_MAPPINGS["encrypted-volumes"]
+if __name__ == "__main__":
+    pytest.main([__file__, "-v"])