aws-workspaces-web - add browser-policy filter (cloud-custodian#9644)

supersun · Jul 31, 2024 · b54ea97 · b54ea97
1 parent 6769ae1
commit b54ea97
Show file tree

Hide file tree

Showing 5 changed files with 136 additions and 0 deletions.
diff --git a/c7n/resources/workspaces.py b/c7n/resources/workspaces.py
@@ -14,6 +14,7 @@
 from c7n.filters.iamaccess import CrossAccountAccessFilter
 from c7n.resolver import ValuesFrom
 import c7n.filters.vpc as net_filters
+import json
 
 
 class DescribeWorkspace(DescribeSource):
@@ -475,6 +476,49 @@ class resource_type(TypeInfo):
     augment = universal_augment
 
 
+@WorkspacesWeb.filter_registry.register('browser-policy')
+class BrowerPolicyFilter(ValueFilter):
+    """
+    Applies value type filter on the browser policy of a workspaces secured browser.
+    :example:
+
+    .. code-block:: yaml
+
+            policies:
+              - name: browser-policy-match
+                resource: workspaces-web
+                filters:
+                  - type: browser-policy
+                    key: chromePolicies.AllowDeletingBrowserHistory.value
+                    op: eq
+                    value: false
+    """
+
+    schema = type_schema('browser-policy', rinherit=ValueFilter.schema)
+    schema_alias = False
+    permissions = ('workspaces-web:GetBrowserSettings',)
+    matched_policy_annotation = 'c7n:BrowerPolicyMatches'
+    policy_annotation = "c7n:BrowserPolicy"
+
+    def process(self, resources, event=None):
+        client = local_session(self.manager.session_factory).client('workspaces-web')
+        results = []
+        for r in resources:
+            if self.policy_annotation not in r:
+                browserSettings = self.manager.retry(
+                    client.get_browser_settings,
+                    browserSettingsArn=r['browserSettingsArn']).get('browserSettings')
+                browserPolicy = json.loads(browserSettings['browserPolicy'])
+                r[self.policy_annotation] = browserPolicy
+            if self.match(r[self.policy_annotation]):
+                if self.matched_policy_annotation not in r:
+                    r[self.matched_policy_annotation] = [self.data.get('key')]
+                else:
+                    r[self.matched_policy_annotation].append(self.data.get('key'))
+                results.append(r)
+        return results
+
+
 @WorkspacesWeb.action_registry.register('tag')
 class TagWorkspacesWebResource(Tag):
     """Create tags on a Workspaces Web portal

diff --git a/tests/data/placebo/test_workspaces_web_browser_policy/tagging.GetResources_1.json b/tests/data/placebo/test_workspaces_web_browser_policy/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+    "status_code": 200,
+    "data": {
+        "PaginationToken": "",
+        "ResourceTagMappingList": [
+            {
+                "ResourceARN": "arn:aws:workspaces-web:us-east-1:644160558196:portal/ccef0dcf-2073-4fa9-98e2-60160a7d7976",
+                "Tags": [
+                    {
+                        "Key": "Owner",
+                        "Value": "Barbara"
+                    },
+                    {
+                        "Key": "foo",
+                        "Value": "bar"
+                    }
+                ]
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/.../data/placebo/test_workspaces_web_browser_policy/workspaces-web.GetBrowserSettings_1.json b/.../data/placebo/test_workspaces_web_browser_policy/workspaces-web.GetBrowserSettings_1.json
@@ -0,0 +1,13 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "browserSettings": {
+            "associatedPortalArns": [
+                "arn:aws:workspaces-web:us-east-1:644160558196:portal/ccef0dcf-2073-4fa9-98e2-60160a7d7976"
+            ],
+            "browserPolicy": "{\"chromePolicies\":{\"ManagedBookmarks\":{\"value\":[]},\"BookmarkBarEnabled\":{\"value\":false},\"RestoreOnStartup\":{\"value\":5},\"RestoreOnStartupURLs\":{\"value\":[]},\"URLBlocklist\":{\"value\":[]},\"URLAllowlist\":{\"value\":[]},\"AllowDeletingBrowserHistory\":{\"value\":false},\"IncognitoModeAvailability\":{\"value\":1}}}",
+            "browserSettingsArn": "arn:aws:workspaces-web:us-east-1:644160558196:browserSettings/43c78162-dfe7-4724-ba86-7bf0fda450d5"
+        }
+    }
+}
diff --git a/tests/data/placebo/test_workspaces_web_browser_policy/workspaces-web.ListPortals_1.json b/tests/data/placebo/test_workspaces_web_browser_policy/workspaces-web.ListPortals_1.json
@@ -0,0 +1,30 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "portals": [
+            {
+                "authenticationType": "IAM_Identity_Center",
+                "browserSettingsArn": "arn:aws:workspaces-web:us-east-1:644160558196:browserSettings/43c78162-dfe7-4724-ba86-7bf0fda450d5",
+                "browserType": "Chrome",
+                "creationDate": {
+                    "__class__": "datetime",
+                    "year": 2024,
+                    "month": 7,
+                    "day": 14,
+                    "hour": 21,
+                    "minute": 18,
+                    "second": 3,
+                    "microsecond": 542000
+                },
+                "displayName": "Barbara Custom Portal - Sun, Jul 14, 2024, 21:14:36",
+                "networkSettingsArn": "arn:aws:workspaces-web:us-east-1:644160558196:networkSettings/6efdca32-660f-49d6-8e96-a3c04ac49ba5",
+                "portalArn": "arn:aws:workspaces-web:us-east-1:644160558196:portal/ccef0dcf-2073-4fa9-98e2-60160a7d7976",
+                "portalEndpoint": "ccef0dcf-2073-4fa9-98e2-60160a7d7976.workspaces-web.com",
+                "portalStatus": "Active",
+                "rendererType": "AppStream",
+                "userSettingsArn": "arn:aws:workspaces-web:us-east-1:644160558196:userSettings/45e0804a-bf8b-44e2-b036-17239a3439a1"
+            }
+        ]
+    }
+}
diff --git a/tests/test_workspaces.py b/tests/test_workspaces.py
@@ -457,6 +457,33 @@ def test_workspaces_web_delete(self):
         portals = client.list_portals()['portals']
         self.assertEqual(len(portals), 0)
 
+    def test_workspaces_web_browser_policy(self):
+        session_factory = self.replay_flight_data("test_workspaces_web_browser_policy")
+        p = self.load_policy(
+            {
+                "name": "test-browser-policy",
+                "resource": "workspaces-web",
+                "filters": [
+                    {
+                        "type": "browser-policy",
+                        "key": "chromePolicies.AllowDeletingBrowserHistory.value",
+                        "op": "eq",
+                        "value": False
+                    },
+                    {
+                        "type": "browser-policy",
+                        "key": "chromePolicies.BookmarkBarEnabled.value",
+                        "op": "eq",
+                        "value": False
+                    },
+                ],
+            },
+            session_factory=session_factory,
+        )
+        resources = p.run()
+
+        self.assertEqual(len(resources), 1)
+
 
 class TestWorkspacesBundleDelete(BaseTest):