deprecate control name in posture exception policies (#157)

amirmalka · web-flow · commit be60387d6d70 · 2025-02-19T16:23:28.000+02:00
* deprecate control name in posture exception policies

Signed-off-by: Amir Malka &lt;amirm@armosec.io&gt;

* deprecate control name in posture exception policies

Signed-off-by: Amir Malka &lt;amirm@armosec.io&gt;

---------

Signed-off-by: Amir Malka &lt;amirm@armosec.io&gt;
diff --git a/exceptions/exceptionprocessor.go b/exceptions/exceptionprocessor.go
@@ -35,14 +35,14 @@ func (p *Processor) SetFrameworkExceptions(frameworkReport *reporthandling.Frame
 // SetControlExceptions add exceptions to control report
 func (p *Processor) SetControlExceptions(controlReport *reporthandling.ControlReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName string) {
 	for r := range controlReport.RuleReports {
-		p.SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.Name, controlReport.ControlID)
+		p.SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.ControlID)
 	}
 }
 
 // SetRuleExceptions add exceptions to rule report
-func (p *Processor) SetRuleExceptions(ruleReport *reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlName, controlID string) {
+func (p *Processor) SetRuleExceptions(ruleReport *reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlID string) {
 	// adding exceptions to the rules
-	ruleExceptions := p.ListRuleExceptions(exceptionsPolicies, frameworkName, controlName, controlID, ruleReport.Name)
+	ruleExceptions := p.ListRuleExceptions(exceptionsPolicies, frameworkName, controlID, ruleReport.Name)
 	p.SetRuleResponsExceptions(ruleReport.RuleResponses, ruleExceptions, clusterName)
 }
 
@@ -68,11 +68,11 @@ func (p *Processor) SetRuleResponsExceptions(results []reporthandling.RuleRespon
 	}
 }
 
-func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) []armotypes.PostureExceptionPolicy {
+func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlID, ruleName string) []armotypes.PostureExceptionPolicy {
 	ruleExceptions := make([]armotypes.PostureExceptionPolicy, 0, len(exceptionPolicies))
 
 	for i := range exceptionPolicies {
-		if p.ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, controlID, ruleName) {
+		if p.ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlID, ruleName) {
 			ruleExceptions = append(ruleExceptions, exceptionPolicies[i])
 		}
 	}
@@ -81,21 +81,18 @@ func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExce
 
 }
 
-func (p *Processor) ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) bool {
+func (p *Processor) ruleHasExceptions(exceptionPolicy *armotypes.PostureExceptionPolicy, frameworkName, controlID, ruleName string) bool {
 	if len(exceptionPolicy.PosturePolicies) == 0 {
 		return true // empty policy -> apply all
 	}
 
 	for _, posturePolicy := range exceptionPolicy.PosturePolicies {
-		if posturePolicy.FrameworkName == "" && posturePolicy.ControlName == "" && posturePolicy.ControlID == "" && posturePolicy.RuleName == "" {
+		if posturePolicy.FrameworkName == "" && posturePolicy.ControlID == "" && posturePolicy.RuleName == "" {
 			return true // empty policy -> apply all
 		}
 		if posturePolicy.FrameworkName != "" && frameworkName != "" && !(strings.EqualFold(posturePolicy.FrameworkName, frameworkName) || p.regexCompareI(posturePolicy.FrameworkName, frameworkName)) {
 			continue // policy does not match
 		}
-		if posturePolicy.ControlName != "" && controlName != "" && !(strings.EqualFold(posturePolicy.ControlName, controlName) || p.regexCompareI(posturePolicy.ControlName, controlName)) {
-			continue // policy does not match
-		}
 		if posturePolicy.ControlID != "" && controlID != "" && !(strings.EqualFold(posturePolicy.ControlID, controlID) || p.regexCompareI(posturePolicy.ControlID, controlID)) {
 			continue // policy does not match
 		}
diff --git a/exceptions/exceptionprocessor_test.go b/exceptions/exceptionprocessor_test.go
@@ -109,64 +109,58 @@ func emptyPostureExceptionPolicyAlertOnlyMock() *armotypes.PostureExceptionPolic
 func TestListRuleExceptions(t *testing.T) {
 	p := NewProcessor()
 	exceptionPolicies := []armotypes.PostureExceptionPolicy{*postureExceptionPolicyAlertOnlyMock()}
-	res1 := p.ListRuleExceptions(exceptionPolicies, "MITRE", "", "", "")
+	res1 := p.ListRuleExceptions(exceptionPolicies, "MITRE", "", "")
 	assert.Equal(t, 1, len(res1))
 
-	res2 := p.ListRuleExceptions(exceptionPolicies, "", "hostPath mount", "", "")
+	res2 := p.ListRuleExceptions(exceptionPolicies, "", "", "")
 	assert.Equal(t, len(res2), 1)
 
-	res3 := p.ListRuleExceptions(exceptionPolicies, "NSA", "", "", "")
+	res3 := p.ListRuleExceptions(exceptionPolicies, "NSA", "", "")
 	assert.Equal(t, len(res3), 0)
 
 }
 
 func TestListRuleExceptionsRegex(t *testing.T) {
 	p := NewProcessor()
 	exceptionPolicy := emptyPostureExceptionPolicyAlertOnlyMock()
-	res1 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "", "")
+	res1 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "")
 	assert.Equal(t, 1, len(res1))
 
 	exceptionPolicy.PosturePolicies = append(exceptionPolicy.PosturePolicies, armotypes.PosturePolicy{
 		FrameworkName: "MIT.*",
 	})
 
-	res2 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "", "")
-	assert.Equal(t, 1, len(res2))
-
-	res2 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "2MITRE", "", "", "")
+	res2 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "2MITRE", "", "")
 	assert.Equal(t, 0, len(res2))
 
 	exceptionPolicy.PosturePolicies[0] = armotypes.PosturePolicy{
 		FrameworkName: "mit.*",
 	}
-	res2 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "", "")
+	res2 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "")
 	assert.Equal(t, 1, len(res2))
 
 	exceptionPolicy.PosturePolicies[0] = armotypes.PosturePolicy{
 		FrameworkName: "mitre",
 	}
-	res2 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "", "")
+	res2 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "")
 	assert.Equal(t, 1, len(res2))
 
 	exceptionPolicy.PosturePolicies[0] = armotypes.PosturePolicy{
 		FrameworkName: "MITRE",
-		ControlName:   "my.*",
+		ControlName:   "my.*", // deprecated
 		RuleName:      "rule.*vk",
 	}
 
-	res3 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "", "")
+	res3 := p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "")
 	assert.Equal(t, 1, len(res3))
 
-	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "my-control", "", "")
+	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "")
 	assert.Equal(t, 1, len(res3))
 
-	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "control-my", "", "")
-	assert.Equal(t, 0, len(res3))
-
-	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "my-control", "", "rulebla -bla vk")
+	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "rulebla -bla vk")
 	assert.Equal(t, 1, len(res3))
 
-	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "control-my", "", "rulebla -bla")
+	res3 = p.ListRuleExceptions([]armotypes.PostureExceptionPolicy{*exceptionPolicy}, "MITRE", "", "rulebla -bla")
 	assert.Equal(t, 0, len(res3))
 }
 
diff --git a/reporthandling/results/v1/resourcesresults/exceptions.go b/reporthandling/results/v1/resourcesresults/exceptions.go
@@ -60,7 +60,7 @@ func (control *ResourceAssociatedControl) setExceptions(workload workloadinterfa
 	}
 
 	for i := range control.ResourceAssociatedRules {
-		exceptionsPolicies = processor.ListRuleExceptions(exceptionsPolicies, "", control.GetName(), control.GetID(), "")
+		exceptionsPolicies = processor.ListRuleExceptions(exceptionsPolicies, "", control.GetID(), "")
 		control.ResourceAssociatedRules[i].setExceptions(workload, exceptionsPolicies, clusterName, processor)
 		// Update rule status according to exceptions
 		control.ResourceAssociatedRules[i].SetStatus(control.ResourceAssociatedRules[i].GetStatus(nil).Status(), nil)
@@ -76,6 +76,6 @@ func (rule *ResourceAssociatedRule) setExceptions(workload workloadinterface.IMe
 		return
 	}
 
-	ruleExceptions := processor.ListRuleExceptions(exceptionsPolicies, "", "", "", rule.GetName())
+	ruleExceptions := processor.ListRuleExceptions(exceptionsPolicies, "", "", rule.GetName())
 	rule.Exception = processor.GetResourceExceptions(ruleExceptions, workload, clusterName)
 }

Original file line number	Diff line number	Diff line change
`@@ -35,14 +35,14 @@ func (p Processor) SetFrameworkExceptions(frameworkReport reporthandling.Frame`
`35`	`35`	`// SetControlExceptions add exceptions to control report`
`36`	`36`	`func (p Processor) SetControlExceptions(controlReport reporthandling.ControlReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName string) {`
`37`	`37`	`for r := range controlReport.RuleReports {`
`38`		`- p.SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.Name, controlReport.ControlID)`
	`38`	`+ p.SetRuleExceptions(&controlReport.RuleReports[r], exceptionsPolicies, clusterName, frameworkName, controlReport.ControlID)`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`// SetRuleExceptions add exceptions to rule report`
`43`		`-func (p Processor) SetRuleExceptions(ruleReport reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlName, controlID string) {`
	`43`	`+func (p Processor) SetRuleExceptions(ruleReport reporthandling.RuleReport, exceptionsPolicies []armotypes.PostureExceptionPolicy, clusterName, frameworkName, controlID string) {`
`44`	`44`	`// adding exceptions to the rules`
`45`		`- ruleExceptions := p.ListRuleExceptions(exceptionsPolicies, frameworkName, controlName, controlID, ruleReport.Name)`
	`45`	`+ ruleExceptions := p.ListRuleExceptions(exceptionsPolicies, frameworkName, controlID, ruleReport.Name)`
`46`	`46`	`p.SetRuleResponsExceptions(ruleReport.RuleResponses, ruleExceptions, clusterName)`
`47`	`47`	`}`
`48`	`48`
`@@ -68,11 +68,11 @@ func (p *Processor) SetRuleResponsExceptions(results []reporthandling.RuleRespon`
`68`	`68`	`}`
`69`	`69`	`}`
`70`	`70`
`71`		`-func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) []armotypes.PostureExceptionPolicy {`
	`71`	`+func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExceptionPolicy, frameworkName, controlID, ruleName string) []armotypes.PostureExceptionPolicy {`
`72`	`72`	`ruleExceptions := make([]armotypes.PostureExceptionPolicy, 0, len(exceptionPolicies))`
`73`	`73`
`74`	`74`	`for i := range exceptionPolicies {`
`75`		`- if p.ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlName, controlID, ruleName) {`
	`75`	`+ if p.ruleHasExceptions(&exceptionPolicies[i], frameworkName, controlID, ruleName) {`
`76`	`76`	`ruleExceptions = append(ruleExceptions, exceptionPolicies[i])`
`77`	`77`	`}`
`78`	`78`	`}`
`@@ -81,21 +81,18 @@ func (p *Processor) ListRuleExceptions(exceptionPolicies []armotypes.PostureExce`
`81`	`81`
`82`	`82`	`}`
`83`	`83`
`84`		`-func (p Processor) ruleHasExceptions(exceptionPolicy armotypes.PostureExceptionPolicy, frameworkName, controlName, controlID, ruleName string) bool {`
	`84`	`+func (p Processor) ruleHasExceptions(exceptionPolicy armotypes.PostureExceptionPolicy, frameworkName, controlID, ruleName string) bool {`
`85`	`85`	`if len(exceptionPolicy.PosturePolicies) == 0 {`
`86`	`86`	`return true // empty policy -> apply all`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`for _, posturePolicy := range exceptionPolicy.PosturePolicies {`
`90`		`- if posturePolicy.FrameworkName == "" && posturePolicy.ControlName == "" && posturePolicy.ControlID == "" && posturePolicy.RuleName == "" {`
	`90`	`+ if posturePolicy.FrameworkName == "" && posturePolicy.ControlID == "" && posturePolicy.RuleName == "" {`
`91`	`91`	`return true // empty policy -> apply all`
`92`	`92`	`}`
`93`	`93`	`if posturePolicy.FrameworkName != "" && frameworkName != "" && !(strings.EqualFold(posturePolicy.FrameworkName, frameworkName) \|\| p.regexCompareI(posturePolicy.FrameworkName, frameworkName)) {`
`94`	`94`	`continue // policy does not match`
`95`	`95`	`}`
`96`		`- if posturePolicy.ControlName != "" && controlName != "" && !(strings.EqualFold(posturePolicy.ControlName, controlName) \|\| p.regexCompareI(posturePolicy.ControlName, controlName)) {`
`97`		`- continue // policy does not match`
`98`		`- }`
`99`	`96`	`if posturePolicy.ControlID != "" && controlID != "" && !(strings.EqualFold(posturePolicy.ControlID, controlID) \|\| p.regexCompareI(posturePolicy.ControlID, controlID)) {`
`100`	`97`	`continue // policy does not match`
`101`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ func (control *ResourceAssociatedControl) setExceptions(workload workloadinterfa`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`for i := range control.ResourceAssociatedRules {`
`63`		`- exceptionsPolicies = processor.ListRuleExceptions(exceptionsPolicies, "", control.GetName(), control.GetID(), "")`
	`63`	`+ exceptionsPolicies = processor.ListRuleExceptions(exceptionsPolicies, "", control.GetID(), "")`
`64`	`64`	`control.ResourceAssociatedRules[i].setExceptions(workload, exceptionsPolicies, clusterName, processor)`
`65`	`65`	`// Update rule status according to exceptions`
`66`	`66`	`control.ResourceAssociatedRules[i].SetStatus(control.ResourceAssociatedRules[i].GetStatus(nil).Status(), nil)`
`@@ -76,6 +76,6 @@ func (rule *ResourceAssociatedRule) setExceptions(workload workloadinterface.IMe`
`76`	`76`	`return`
`77`	`77`	`}`
`78`	`78`
`79`		`- ruleExceptions := processor.ListRuleExceptions(exceptionsPolicies, "", "", "", rule.GetName())`
	`79`	`+ ruleExceptions := processor.ListRuleExceptions(exceptionsPolicies, "", "", rule.GetName())`
`80`	`80`	`rule.Exception = processor.GetResourceExceptions(ruleExceptions, workload, clusterName)`
`81`	`81`	`}`