--- policy: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date logic: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date/prod.logic.yaml executionTime: 2026-02-10T22:33:28.771494822Z generationMs: 55 executionMs: 1013 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__rbacAuthorization__c') == 'Enabled' actual: extract('CA10__rbacAuthorization__c') == 'Enabled' runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: CA10__Azure_Key_Vault_Secrets__r.has(INCOMPLIANT) actual: CA10__Azure_Key_Vault_Secrets__r.has(INCOMPLIANT) runtimeError: {} - id: test4 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: CA10__Azure_Key_Vault_Secrets__r.has(COMPLIANT) actual: CA10__Azure_Key_Vault_Secrets__r.has(COMPLIANT) runtimeError: {} - id: test5 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 499 actual: 499 conditionText: expected: CA10__Azure_Key_Vault_Secrets__r.has(INAPPLICABLE) actual: CA10__Azure_Key_Vault_Secrets__r.has(INAPPLICABLE) runtimeError: {} - id: test6 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 500 actual: 500 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date/policy.yaml md5Hash: DED5044D6C204A34A8D680E776010C9C content: | --- names: full: Azure Non-RBAC Key Vault stores Secrets without expiration date contextual: Non-RBAC Key Vault stores Secrets without expiration date description: Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set. type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-azure-v5.0.0/08/03/04" - "/frameworks/cloudaware/secret-and-certificate-governance/expiration-management" frameworkIgnoreMappings: - "/frameworks/cis-azure-v1.1.0/08/02" - "/frameworks/cis-azure-v1.3.0/08/02" similarPolicies: internal: - dec-x-82ca4127 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/secret-expiration-check.html name: Check for Azure Key Vault Secrets Expiration Date - path: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date/prod.logic.yaml md5Hash: 9491820C009113CDB5161D3A894B574A content: | --- inputType: "CA10__CaAzureKeyVault__c" importExtracts: - file: "/types/CA10__CaAzureKeyVault__c/object.extracts.yaml" testData: - file: "test-data.json" conditions: - status: "INAPPLICABLE" currentStateMessage: "This is an RBAC-enabled Key Vault." check: IS_EQUAL: left: EXTRACT: "CA10__rbacAuthorization__c" right: TEXT: "Enabled" - status: "INCOMPLIANT" currentStateMessage: "The Key Vault has secrets without an expiration date." remediationMessage: "Set expiration dates for all enabled secrets." check: RELATED_LIST_HAS: relationshipName: CA10__Azure_Key_Vault_Secrets__r status: "INCOMPLIANT" - status: "COMPLIANT" currentStateMessage: "Expiration dates are set for all enabled secrets in the Key Vault." check: RELATED_LIST_HAS: relationshipName: CA10__Azure_Key_Vault_Secrets__r status: "COMPLIANT" - status: "INAPPLICABLE" currentStateMessage: "The Key Vault contains only disabled secrets." check: RELATED_LIST_HAS: relationshipName: CA10__Azure_Key_Vault_Secrets__r status: "INAPPLICABLE" otherwise: status: "UNDETERMINED" currentStateMessage: "The Key Vault has no secrets, or Cloudaware does not have access to view secrets." relatedLists: - relationshipName: CA10__Azure_Key_Vault_Secrets__r importExtracts: - file: "/types/CA10__CaAzureKeyVaultSecret__c/object.extracts.yaml" conditions: - status: "INAPPLICABLE" currentStateMessage: "The secret is disabled." check: NOT_EQUAL: left: EXTRACT: "CA10__enabledStatus__c" right: TEXT: "Enabled" - status: "INCOMPLIANT" currentStateMessage: "The secret expiration date is not set." remediationMessage: "Set a secret expiration date." check: IS_EMPTY: arg: EXTRACT: "CA10__expirationDate__c" - status: "COMPLIANT" currentStateMessage: "The secret expiration date is set." check: NOT_EMPTY: arg: EXTRACT: "CA10__expirationDate__c" otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected values in the fields." - path: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date/test-data.json md5Hash: 8363BB1CC52C40BC409A8EAD687668A7 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-06-27T20:33:04Z", "CA10__rbacAuthorization__c": "Enabled", "CA10__Azure_Key_Vault_Secrets__r": [] }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__rbacAuthorization__c') == 'Enabled'", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__rbacAuthorization__c": "Enabled", "CA10__Azure_Key_Vault_Secrets__r": [] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "CA10__Azure_Key_Vault_Secrets__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__rbacAuthorization__c": "Disabled", "CA10__Azure_Key_Vault_Secrets__r": [ { "Id": "test3_1", "CA10__disappearanceTime__c": null, "CA10__enabledStatus__c": "Enabled", "CA10__expirationDate__c": null, "CA10__keyVault__c": "test3" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "399", "conditionText": "CA10__Azure_Key_Vault_Secrets__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__rbacAuthorization__c": "Disabled", "CA10__Azure_Key_Vault_Secrets__r": [ { "Id": "test4_1", "CA10__disappearanceTime__c": null, "CA10__enabledStatus__c": "Enabled", "CA10__expirationDate__c": "2024-06-27T20:33:04Z", "CA10__keyVault__c": "test4" } ] }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "499", "conditionText": "CA10__Azure_Key_Vault_Secrets__r.has(INAPPLICABLE)", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__rbacAuthorization__c": "Disabled", "CA10__Azure_Key_Vault_Secrets__r": [ { "Id": "test5_1", "CA10__disappearanceTime__c": null, "CA10__enabledStatus__c": "Disabled", "CA10__expirationDate__c": "2024-06-27T20:33:04Z", "CA10__keyVault__c": "test5" } ] }, { "expectedResult": { "status": "UNDETERMINED", "conditionIndex": "500", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-06-27T20:33:04Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "CA10__rbacAuthorization__c": "Disabled", "CA10__Azure_Key_Vault_Secrets__r": [ { "Id": "test6_1", "CA10__disappearanceTime__c": "2024-06-27T20:33:04Z", "CA10__enabledStatus__c": "Enabled", "CA10__expirationDate__c": "2024-06-27T20:33:04Z", "CA10__keyVault__c": "test6" } ] } ] - path: /types/CA10__CaAzureKeyVaultSecret__c/object.extracts.yaml md5Hash: 1AD2B45B59BEA59A4E9DB95F24EECE8E content: "---\nextracts:\n# Values: Enabled, Disabled. Not Nullable. Can't have\ \ no access, retrieved via Microsoft.KeyVault/secrets\n - name: \"CA10__enabledStatus__c\"\ \n value: \n FIELD:\n path: \"CA10__enabledStatus__c\"\n \ \ undeterminedIf:\n isEmpty: \"Corrupted data. Key State cannot\ \ be empty.\"\n# Nullable. Can't have no access, retrieved via Microsoft.KeyVault/secrets\n\ \ - name: \"CA10__expirationDate__c\"\n value: \n FIELD:\n path:\ \ \"CA10__expirationDate__c\"\n" - path: /types/CA10__CaAzureKeyVault__c/object.extracts.yaml md5Hash: 120E8A73DCC969A90893ADC71C57D3FD content: "---\nextracts:\n# Values: Enabled, Disabled. Not Nullable. Can't have\ \ no access, retrieved via Microsoft.KeyVault/vaults\n - name: \"CA10__rbacAuthorization__c\"\ \n value: \n FIELD:\n path: \"CA10__rbacAuthorization__c\"\n\ \ undeterminedIf:\n isEmpty: \"Corrupted data. Key Vault RBAC\ \ Authorization cannot be empty.\"\n# Values: Enabled, null. Nullable. Can't\ \ have no access, retrieved via Microsoft.KeyVault/vaults\n - name: \"CA10__purgeProtection__c\"\ \n value: \n FIELD:\n path: \"CA10__purgeProtection__c\"\n# Values:\ \ Enabled, Disabled. Not Nullable. Can't have no access, retrieved via Microsoft.KeyVault/vaults\n\ \ - name: \"CA10__softDelete__c\"\n value: \n FIELD:\n path:\ \ \"CA10__softDelete__c\"\n undeterminedIf:\n isEmpty: \"Corrupted\ \ data. Soft Delete function cannot be empty.\"\n#\n - name: \"CA10__publicNetworkAccess__c\"\ \n value:\n FIELD:\n path: \"CA10__publicNetworkAccess__c\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__rbacAuthorization__c') == 'Enabled'", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "CA10__Azure_Key_Vault_Secrets__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "399", "conditionText" : "CA10__Azure_Key_Vault_Secrets__r.has(COMPLIANT)", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "499", "conditionText" : "CA10__Azure_Key_Vault_Secrets__r.has(INAPPLICABLE)", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "UNDETERMINED", "conditionIndex" : "500", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAzureKeyVault__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__disappearanceTime__c" : new Date("2024-06-27T20:33:04Z"), "CA10__rbacAuthorization__c" : "Enabled", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__rbacAuthorization__c" : "Enabled", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__rbacAuthorization__c" : "Disabled", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__rbacAuthorization__c" : "Disabled", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__rbacAuthorization__c" : "Disabled", "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__rbacAuthorization__c" : "Disabled", "Id" : "test6" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAzureKeyVaultSecret__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__enabledStatus__c" : "Enabled", "CA10__keyVault__c" : "test3", "Id" : "test3_1" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__enabledStatus__c" : "Enabled", "CA10__expirationDate__c" : new Date("2024-06-27T20:33:04Z"), "CA10__keyVault__c" : "test4", "Id" : "test4_1" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__enabledStatus__c" : "Disabled", "CA10__expirationDate__c" : new Date("2024-06-27T20:33:04Z"), "CA10__keyVault__c" : "test5", "Id" : "test5_1" }, { "context" : { "snapshotTime" : new Date("2024-06-27T20:33:04Z") }, "CA10__disappearanceTime__c" : new Date("2024-06-27T20:33:04Z"), "CA10__enabledStatus__c" : "Enabled", "CA10__expirationDate__c" : new Date("2024-06-27T20:33:04Z"), "CA10__keyVault__c" : "test6", "Id" : "test6_1" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAzureKeyVault__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__rbacAuthorization__c STRING, Id STRING, CA10__Azure_Key_Vault_Secrets__r ARRAY >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__rbacAuthorization__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__rbacAuthorization__c.isEmpty()", currentStateMessage: "Corrupted data. Key Vault RBAC Authorization cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__rbacAuthorization__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('RBAC Authorization [obj.CA10__rbacAuthorization__c]: ' + obj.CA10__rbacAuthorization__c); try { if (TextLib.equal(extract3.call(extract3), 'Enabled')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__rbacAuthorization__c') == 'Enabled'", currentStateMessage: "This is an RBAC-enabled Key Vault.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } var count_CA10__Azure_Key_Vault_Secrets__r_INCOMPLIANT5 = 0; if (obj.CA10__Azure_Key_Vault_Secrets__r != null) { for (var i6 = 0; i6 < obj.CA10__Azure_Key_Vault_Secrets__r.length; i6++) { if (typeof(obj.CA10__Azure_Key_Vault_Secrets__r[i6].status) !== 'undefined') { if (obj.CA10__Azure_Key_Vault_Secrets__r[i6].status == 'INCOMPLIANT') { count_CA10__Azure_Key_Vault_Secrets__r_INCOMPLIANT5 += obj.CA10__Azure_Key_Vault_Secrets__r[i6].count; } } else { if (obj.CA10__Azure_Key_Vault_Secrets__r[i6].result.status == 'INCOMPLIANT') { count_CA10__Azure_Key_Vault_Secrets__r_INCOMPLIANT5 += 1; } } } } // condition[2], conditionIndex:[200..299] references1.push('Related list [CA10__Azure_Key_Vault_Secrets__r] ' + (count_CA10__Azure_Key_Vault_Secrets__r_INCOMPLIANT5 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); if (count_CA10__Azure_Key_Vault_Secrets__r_INCOMPLIANT5 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "CA10__Azure_Key_Vault_Secrets__r.has(INCOMPLIANT)", currentStateMessage: "The Key Vault has secrets without an expiration date.", currentStateReferences: references1.join('\n'), remediation: "Set expiration dates for all enabled secrets.", runtimeError: null}; } var count_CA10__Azure_Key_Vault_Secrets__r_COMPLIANT7 = 0; if (obj.CA10__Azure_Key_Vault_Secrets__r != null) { for (var i8 = 0; i8 < obj.CA10__Azure_Key_Vault_Secrets__r.length; i8++) { if (typeof(obj.CA10__Azure_Key_Vault_Secrets__r[i8].status) !== 'undefined') { if (obj.CA10__Azure_Key_Vault_Secrets__r[i8].status == 'COMPLIANT') { count_CA10__Azure_Key_Vault_Secrets__r_COMPLIANT7 += obj.CA10__Azure_Key_Vault_Secrets__r[i8].count; } } else { if (obj.CA10__Azure_Key_Vault_Secrets__r[i8].result.status == 'COMPLIANT') { count_CA10__Azure_Key_Vault_Secrets__r_COMPLIANT7 += 1; } } } } // condition[3], conditionIndex:[300..399] if (count_CA10__Azure_Key_Vault_Secrets__r_COMPLIANT7 > 0) { return {status: 'COMPLIANT', conditionIndex: 399, conditionText: "CA10__Azure_Key_Vault_Secrets__r.has(COMPLIANT)", currentStateMessage: "Expiration dates are set for all enabled secrets in the Key Vault.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__Azure_Key_Vault_Secrets__r_INAPPLICABLE9 = 0; if (obj.CA10__Azure_Key_Vault_Secrets__r != null) { for (var i10 = 0; i10 < obj.CA10__Azure_Key_Vault_Secrets__r.length; i10++) { if (typeof(obj.CA10__Azure_Key_Vault_Secrets__r[i10].status) !== 'undefined') { if (obj.CA10__Azure_Key_Vault_Secrets__r[i10].status == 'INAPPLICABLE') { count_CA10__Azure_Key_Vault_Secrets__r_INAPPLICABLE9 += obj.CA10__Azure_Key_Vault_Secrets__r[i10].count; } } else { if (obj.CA10__Azure_Key_Vault_Secrets__r[i10].result.status == 'INAPPLICABLE') { count_CA10__Azure_Key_Vault_Secrets__r_INAPPLICABLE9 += 1; } } } } // condition[4], conditionIndex:[400..499] if (count_CA10__Azure_Key_Vault_Secrets__r_INAPPLICABLE9 > 0) { return {status: 'INAPPLICABLE', conditionIndex: 499, conditionText: "CA10__Azure_Key_Vault_Secrets__r.has(INAPPLICABLE)", currentStateMessage: "The Key Vault contains only disabled secrets.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'UNDETERMINED', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "The Key Vault has no secrets, or Cloudaware does not have access to view secrets.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__Azure_Key_Vault_Secrets__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__enabledStatus__c STRING, CA10__expirationDate__c TIMESTAMP, CA10__keyVault__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var IsEmptyLib = new function () { this.simpleIsEmpty = function(arg) { return arg == null; }; this.simpleIsNotEmpty = function(arg) { return arg != null; }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__enabledStatus__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__enabledStatus__c.isEmpty()", currentStateMessage: "Corrupted data. Key State cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__enabledStatus__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Enabled Status [obj.CA10__enabledStatus__c]: ' + obj.CA10__enabledStatus__c); try { if (TextLib.notEqual(extract3.call(extract3), 'Enabled')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__enabledStatus__c') != 'Enabled'", currentStateMessage: "The secret is disabled.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function extract6() { if (!this.out) { this.out = obj.CA10__expirationDate__c; } return this.out; }; references1.push('Expiration Date [obj.CA10__expirationDate__c]: ' + obj.CA10__expirationDate__c); if (IsEmptyLib.simpleIsEmpty(extract6.call(extract6))) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__expirationDate__c').isEmpty()", currentStateMessage: "The secret expiration date is not set.", currentStateReferences: references1.join('\n'), remediation: "Set a secret expiration date.", runtimeError: null}; } // condition[3], conditionIndex:[300..399] function extract9() { if (!this.out) { this.out = obj.CA10__expirationDate__c; } return this.out; }; if (IsEmptyLib.simpleIsNotEmpty(extract9.call(extract9))) { return {status: 'COMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__expirationDate__c').isNotEmpty()", currentStateMessage: "The secret expiration date is set.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'UNDETERMINED', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "Unexpected values in the fields.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__rbacAuthorization__c AS CA10__rbacAuthorization__c, sObject.Id AS Id, `CA10__Azure_Key_Vault_Secrets__r`.arr AS CA10__Azure_Key_Vault_Secrets__r, process_CA10__CaAzureKeyVault__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__rbacAuthorization__c AS CA10__rbacAuthorization__c, sObject.Id AS Id, `CA10__Azure_Key_Vault_Secrets__r`.arr AS CA10__Azure_Key_Vault_Secrets__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAzureKeyVault__c()) AS sObject LEFT JOIN ( SELECT sObject.CA10__keyVault__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__enabledStatus__c AS CA10__enabledStatus__c, sObject.CA10__expirationDate__c AS CA10__expirationDate__c, sObject.CA10__keyVault__c AS CA10__keyVault__c, sObject.Id AS Id, process_CA10__Azure_Key_Vault_Secrets__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__enabledStatus__c AS CA10__enabledStatus__c, sObject.CA10__expirationDate__c AS CA10__expirationDate__c, sObject.CA10__keyVault__c AS CA10__keyVault__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAzureKeyVaultSecret__c()) AS sObject GROUP BY sObject.CA10__keyVault__c ) AS `CA10__Azure_Key_Vault_Secrets__r` ON sObject.Id = `CA10__Azure_Key_Vault_Secrets__r`.CA10__keyVault__c ) sObject ON sObject.Id = expectedResult.Id;