--- policy: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more logic: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml executionTime: 2026-06-06T12:03:00.636501346Z generationMs: 120 executionMs: 1057 rows: - id: a01 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false actual: extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false runtimeError: {} - id: a02 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45) actual: extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45) runtimeError: {} - id: a03 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45) actual: extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45) runtimeError: {} - id: a04 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 699 actual: 699 conditionText: expected: 
extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45) actual: extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45) runtimeError: {} - id: a05 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 800 actual: 800 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/policy.yaml md5Hash: 2CD6EDC22111B76CEB7A9AC7A332CE8D content: | --- names: full: AWS IAM User with credentials unused for 45 days or more is not disabled contextual: User with credentials unused for 45 days or more is not disabled description: "AWS IAM users can access AWS resources using different types of credentials,\ \ such as passwords or access keys. It is recommended that all credentials that\ \ have been unused in 45 or greater days be deactivated or removed." 
type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-aws-v7.0.0/02/11" - "/frameworks/cloudaware/identity-and-access-governance/credential-lifecycle-management" - "/frameworks/aws-fsbp-v1.0.0/iam/08" similarPolicies: internal: - dec-x-ac93bf15 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/IAM/credentials-last-used.html name: Credentials Last Used - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/access-keys-rotated-45-days.html name: Access Keys Rotated 45 Days - path: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/prod.logic.yaml md5Hash: DD40FB5F8B767D069800107E72E772C4 content: "---\ninputType: \"CA10__CaAwsUser__c\"\ntestData:\n - file: test-data.json\n\ importExtracts:\n - file: /types/CA10__CaAwsUser__c/credReport.extracts.yaml\n\ conditions:\n - status: \"INAPPLICABLE\"\n currentStateMessage: \"This policy\ \ applies only to users with an enabled console password or active access keys.\"\ \n check:\n AND:\n args:\n - IS_EQUAL:\n \ \ left:\n EXTRACT: CA10__credReportPasswordEnabled__c\n \ \ right:\n BOOLEAN: false\n - IS_EQUAL:\n\ \ left:\n EXTRACT: CA10__credReportAccessKey1Active__c\n\ \ right:\n BOOLEAN: false\n - IS_EQUAL:\n\ \ left:\n EXTRACT: CA10__credReportAccessKey2Active__c\n\ \ right:\n BOOLEAN: false\n - status: \"INCOMPLIANT\"\ \n currentStateMessage: \"The password has not been used for over 45 days.\"\ \n remediationMessage: \"Disable console access for the user.\"\n check:\n\ \ AND:\n args:\n - IS_EQUAL:\n left:\n \ \ EXTRACT: CA10__credReportPasswordEnabled__c\n right:\n\ \ BOOLEAN: true\n - NOT_EMPTY:\n arg:\n\ \ EXTRACT: CA10__credReportPasswordLastUsed__c\n - IS_BEYOND_LAST_DAYS:\n\ \ offsetDays: 45\n arg:\n EXTRACT:\ \ CA10__credReportPasswordLastUsed__c\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"The password has not been changed for over 45 days.\"\n remediationMessage:\ \ \"Disable console 
access for the user.\"\n check:\n AND:\n \ \ args:\n - IS_EQUAL:\n left:\n EXTRACT:\ \ CA10__credReportPasswordEnabled__c\n right:\n \ \ BOOLEAN: true\n - IS_EMPTY:\n arg:\n \ \ EXTRACT: CA10__credReportPasswordLastUsed__c\n - NOT_EMPTY:\n \ \ arg: \n EXTRACT: CA10__credReportPasswordLastChanged__c\n\ \ - IS_BEYOND_LAST_DAYS:\n offsetDays: 45\n \ \ arg:\n EXTRACT: CA10__credReportPasswordLastChanged__c\n\ \ - status: \"INCOMPLIANT\"\n currentStateMessage: \"Access key 1 has not\ \ been used for over 45 days.\"\n remediationMessage: \"Deactivate access\ \ key 1.\"\n check:\n AND:\n args:\n - IS_EQUAL:\n \ \ left:\n EXTRACT: CA10__credReportAccessKey1Active__c\n\ \ right:\n BOOLEAN: true\n - NOT_EMPTY:\n\ \ arg:\n EXTRACT: CA10__credReportAccessKey1LastUsed__c\n\ \ - IS_BEYOND_LAST_DAYS:\n offsetDays: 45\n \ \ arg:\n EXTRACT: CA10__credReportAccessKey1LastUsed__c\n\ \ - status: \"INCOMPLIANT\"\n currentStateMessage: \"Access key 1 has not\ \ been rotated for over 45 days.\"\n remediationMessage: \"Delete access\ \ key 1.\"\n check:\n AND:\n args:\n - IS_EQUAL:\n \ \ left:\n EXTRACT: CA10__credReportAccessKey1Active__c\n\ \ right:\n BOOLEAN: true\n - IS_EMPTY:\n\ \ arg:\n EXTRACT: CA10__credReportAccessKey1LastUsed__c\n\ \ - IS_BEYOND_LAST_DAYS:\n offsetDays: 45\n \ \ arg:\n EXTRACT: CA10__credReportAccessKey1LastRotated__c\n\ \ - status: \"INCOMPLIANT\"\n currentStateMessage: \"Access key 2 has not\ \ been used for over 45 days.\"\n remediationMessage: \"Deactivate access\ \ key 2.\"\n check:\n AND:\n args:\n - IS_EQUAL:\n \ \ left:\n EXTRACT: CA10__credReportAccessKey2Active__c\n\ \ right:\n BOOLEAN: true\n - NOT_EMPTY:\n\ \ arg:\n EXTRACT: CA10__credReportAccessKey2LastUsed__c\n\ \ - IS_BEYOND_LAST_DAYS:\n offsetDays: 45\n \ \ arg:\n EXTRACT: CA10__credReportAccessKey2LastUsed__c\n\ \ - status: \"INCOMPLIANT\"\n currentStateMessage: \"Access key 2 has not\ \ been rotated for over 45 days.\"\n remediationMessage: \"Delete access\ \ key 2.\"\n check:\n AND:\n args:\n 
- IS_EQUAL:\n \ \ left:\n EXTRACT: CA10__credReportAccessKey2Active__c\n\ \ right:\n BOOLEAN: true\n - IS_EMPTY:\n\ \ arg:\n EXTRACT: CA10__credReportAccessKey2LastUsed__c\n\ \ - IS_BEYOND_LAST_DAYS:\n offsetDays: 45\n \ \ arg:\n EXTRACT: CA10__credReportAccessKey2LastRotated__c\n\ otherwise:\n status: \"COMPLIANT\"\n currentStateMessage: \"All credentials\ \ unused for 45 days or longer have been removed or deactivated.\"\n" - path: /ce/ca/aws/iam/disable-user-with-unused-credentials-45-days-and-more/test-data.json md5Hash: 17D5E80C6F1E05BE85336BC1B63CD61A content: |- [ { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a01", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__credReportPasswordEnabled__c') == 
true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a02", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": "{\"password_last_used\":\"2021-06-29T13:55:38+00:00\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "499", "conditionText": "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a03", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"2018-07-17T12:33:00+00:00\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "699", "conditionText": "extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a04", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"2024-03-29T08:41:00+00:00\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "800", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-30T18:23:28Z" }, "Id": "a05", "CA10__disappearanceTime__c": null, "CA10__credReportAttributesJson__c": 
"{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-east-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2022-12-13T16:43:00+00:00\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"2024-05-29T19:12:00+00:00\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}" } ] - path: /types/CA10__CaAwsUser__c/credReport.extracts.yaml md5Hash: F6D383D933A0B64268B39ADE7012508C content: "\n# password_last_used: 2021-10-15T16:30:24+00:00\n# access_key_1_last_used_region:\ \ us-east-1\n# password_enabled: not_supported\n# access_key_1_last_used_date:\ \ 2020-02-27T12:03:00+00:00\n# access_key_1_last_used_service: s3\n# mfa_active:\ \ false\n# access_key_2_last_used_date: N/A\n# user_creation_time: 2008-06-17T18:41:41+00:00\n\ # cert_2_active: false\n# cert_1_active: true\n# cert_1_last_rotated: 2011-04-27T13:23:57+00:00\n\ # access_key_2_last_used_service: N/A\n# access_key_2_active: false\n# access_key_1_active:\ \ false\n# password_next_rotation: not_supported\n# access_key_2_last_rotated:\ \ 2014-07-03T15:12:24+00:00\n# arn: arn:aws:iam::814021343637:root\n# access_key_1_last_rotated:\ \ 2011-04-27T13:20:07+00:00\n# access_key_2_last_used_region: N/A\n# user: \n\ # password_last_changed: not_supported\n# cert_2_last_rotated: N/A\n---\nextracts:\n\ \ - name: CA10__credReportAttributesJson__c\n value: \n JSON_FROM:\n\ \ arg:\n FIELD:\n path: 
CA10__credReportAttributesJson__c\n\ \ returnType: BYTES\n undeterminedIf:\n isEmpty:\ \ Credential report attributes are empty, this is either permission issue or\ \ the data haven't been populated yet\n undeterminedIf:\n isInvalid:\ \ \"Cred report attributes JSON is invalid\"\n - name: CA10__credReportAccessKey1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportAccessKey2Active__c\n value:\n\ \ BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_2_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'access_key_1_active' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastUsed__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_used)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"no_information\"\n - \"N/A\"\n \ \ format: ISO_8601\n undeterminedIf:\n # value CAN be empty,\ \ for example when password was never used.\n #isEmpty: Value of 'password_last_used'\ \ is empty, unexpected data\n invalidFormat: Value of 'password_last_used'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey1LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ 
expression: \"to_string(access_key_1_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when the access key\ \ was never used.\n #isEmpty: Value of 'access_key_1_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_1_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportAccessKey2LastUsed__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_used_date)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has\ \ failed.\"\n resultTypeMismatch: \"The JSON query did not return\ \ text type.\"\n nullValues:\n - \"N/A\"\n format: ISO_8601\n\ \ undeterminedIf:\n # value CAN be empty, for example when the access key\ \ was never used.\n #isEmpty: Value of 'access_key_2_last_used_date'\ \ is empty, unexpected data\n invalidFormat: Value of 'access_key_2_last_used_date'\ \ does not match ISO-8601 format\n - name: CA10__credReportMfaActive__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(mfa_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Credential report 'mfa_active' key is\ \ empty, unexpected data\n - name: CA10__credReportPasswordEnabled__c\n \ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(password_enabled)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 
'password_enabled' is empty,\ \ unexpected data\n - name: CA10__credReportPasswordLastChanged__c\n value:\n\ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(password_last_changed)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when password was never changed.\n\ \ #isEmpty: Value of 'password_last_changed' is empty, unexpected data\n\ \ invalidFormat: Value of 'password_last_changed' does not match ISO-8601\ \ format\n - name: CA10__credReportAccessKey1LastRotated__c\n value:\n \ \ DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n \ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n \ \ expression: \"to_string(access_key_1_last_rotated)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ nullValues:\n - \"N/A\"\n format: ISO_8601\n undeterminedIf:\n\ \ # value CAN be empty, for example when key was never changed.\n \ \ #isEmpty: Value of 'access_key_1_last_rotated' is empty, unexpected\ \ data\n invalidFormat: Value of 'access_key_1_last_rotated' does not\ \ match ISO-8601 format\n - name: CA10__credReportAccessKey2LastRotated__c\n\ \ value:\n DATE_TIME_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(access_key_2_last_rotated)\"\n \ \ undeterminedIf:\n evaluationError: \"The JSON query has failed.\"\ \n resultTypeMismatch: \"The JSON query did not return text type.\"\ \n nullValues:\n - \"N/A\"\n format: ISO_8601\n \ \ undeterminedIf:\n # value CAN be empty, for example when key\ \ was never changed.\n #isEmpty: Value of 'access_key_2_last_rotated'\ \ is empty, unexpected data\n invalidFormat: Value of 
'access_key_2_last_rotated'\ \ does not match ISO-8601 format\n - name: CA10__credReportCert1Active__c\n\ \ value:\n BOOLEAN_FROM:\n arg:\n JSON_QUERY_TEXT:\n\ \ arg:\n EXTRACT: CA10__credReportAttributesJson__c\n\ \ expression: \"to_string(cert_1_active)\"\n undeterminedIf:\n\ \ evaluationError: \"The JSON query has failed.\"\n \ \ resultTypeMismatch: \"The JSON query did not return text type.\"\n \ \ undeterminedIf:\n isEmpty: Value of 'cert_1_active' is empty, unexpected\ \ data\n - name: CA10__credReportCert2Active__c\n value:\n BOOLEAN_FROM:\n\ \ arg:\n JSON_QUERY_TEXT:\n arg:\n EXTRACT:\ \ CA10__credReportAttributesJson__c\n expression: \"to_string(cert_2_active)\"\ \n undeterminedIf:\n evaluationError: \"The JSON query\ \ has failed.\"\n resultTypeMismatch: \"The JSON query did not\ \ return text type.\"\n undeterminedIf:\n isEmpty: Value of\ \ 'cert_1_active' is empty, unexpected data" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "a01", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", "runtimeError" : null } }, { "Id" : "a02", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45)", "runtimeError" : null } }, { "Id" : "a03", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "499", "conditionText" : "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45)", "runtimeError" : null } }, { "Id" : "a04", 
"expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "699", "conditionText" : "extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45)", "runtimeError" : null } }, { "Id" : "a05", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "800", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsUser__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a01" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : 
"{\"password_last_used\":\"2021-06-29T13:55:38+00:00\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a02" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"2018-07-17T12:33:00+00:00\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"N/A\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"false\",\"access_key_1_active\":\"true\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a03" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : 
"{\"password_last_used\":\"2024-07-17T17:37:46Z\",\"access_key_1_last_used_region\":\"N/A\",\"password_enabled\":\"true\",\"access_key_1_last_used_date\":\"N/A\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"true\",\"access_key_2_last_used_date\":\"2024-03-29T08:41:00+00:00\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a04" }, { "context" : { "snapshotTime" : new Date("2024-05-30T18:23:28Z") }, "CA10__credReportAttributesJson__c" : "{\"password_last_used\":\"N/A\",\"access_key_1_last_used_region\":\"us-east-1\",\"password_enabled\":\"false\",\"access_key_1_last_used_date\":\"2022-12-13T16:43:00+00:00\",\"access_key_1_last_used_service\":\"N/A\",\"mfa_active\":\"false\",\"access_key_2_last_used_date\":\"2024-05-29T19:12:00+00:00\",\"user_creation_time\":\"2017-09-27T19:51:41Z\",\"cert_2_active\":\"false\",\"cert_1_active\":\"false\",\"cert_1_last_rotated\":\"N/A\",\"access_key_2_last_used_service\":\"N/A\",\"access_key_2_active\":\"true\",\"access_key_1_active\":\"false\",\"password_next_rotation\":\"2024-10-15T17:38:45Z\",\"access_key_2_last_rotated\":\"N/A\",\"arn\":\"arn:aws:iam::526216611803:user/srichter\",\"access_key_1_last_rotated\":\"N/A\",\"access_key_2_last_used_region\":\"N/A\",\"user\":\"srichter\",\"password_last_changed\":\"2024-07-17T17:38:45Z\",\"cert_2_last_rotated\":\"N/A\"}", "Id" : "a05" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsUser__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, 
CA10__credReportAttributesJson__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js OPTIONS (library=['gs://compliance-platform-public/jmespath.min.js']) AS r""" var TemporalLib = new function () { var iso8601regex = /^([\+-]?\d{4}(?!\d{2}\b))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([T\s]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$/ this.checkIso8601 = function(arg) { return arg == null || iso8601regex.test(arg); }; this.parseIso8601 = function(arg) { return arg == null ? null: new Date(arg); }; this.replaceNullValues = function(arg, nullValues) { for (var i = 0; i < nullValues.length; i++) { if (TextLib.equal(arg, nullValues[i])) { return null; } } return arg; }; }(); var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let 
normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var IsEmptyLib = new function () { this.simpleIsEmpty = function(arg) { return arg == null; }; this.simpleIsNotEmpty = function(arg) { return arg != null; }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var todayMinus45Day = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime() + (-45 * 86400000); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", 
currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function boolChecked4() { var boolFrom10 = jsonQueryChecked5(); if (TextLib.isEmpty(boolFrom10)) { throw new Error("UNDETERMINED condition:105", {cause: {status: 'UNDETERMINED', conditionIndex: 105, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEmpty()", currentStateMessage: "Value of 'password_enabled' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom10); } function jsonQueryChecked5() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, 'to_string(password_enabled)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:103", {cause: {status: 'UNDETERMINED', conditionIndex: 103, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:104", {cause: {status: 'UNDETERMINED', conditionIndex: 104, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked8() { var input = fieldChecked9(); input = TextLib.isEmpty(input) ? 
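null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; }

// Returns the raw credential-report attributes field of the evaluated object.
// Throws an Error whose `cause` is an UNDETERMINED result (conditionIndex 101)
// when BytesLib.isEmpty reports the field as empty, so a missing credential
// report is never scored as a compliant or incompliant user.
// NOTE(review): BytesLib is defined outside this excerpt; its exact notion of
// "empty" is assumed, not verified here.
function fieldChecked9() {
  if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) {
    throw new Error("UNDETERMINED condition:101", {cause: {
      status: 'UNDETERMINED',
      conditionIndex: 101,
      conditionText: "CA10__credReportAttributesJson__c.isEmpty()",
      currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet",
      currentStateReferences: references1.join('\n'),
      remediation: null,
      runtimeError: null
    }});
  }
  return obj.CA10__credReportAttributesJson__c;
}

// Cached accessor for the parsed attributes JSON. Callers invoke it as
// extract7.call(extract7), so `this.out` is a property stored on the function
// itself. Only truthy results are reused: the guard is `!this.out`, so a falsy
// result is recomputed on every call.
function extract7() {
  if (!this.out) {
    this.out = jsonChecked8();
  }
  return this.out;
};

// Cached accessor for the password_enabled flag (same caching rule as extract7:
// a `false` result is recomputed each time because the guard is `!this.out`).
function extract3() {
  if (!this.out) {
    this.out = boolChecked4();
  }
  return this.out;
};

// Converts the text of 'access_key_1_active' into a boolean.
// Throws UNDETERMINED (conditionIndex 108) when the queried text is empty.
// The comparison goes through TextLib.equal, which normalises whitespace and
// case, so only text equal to 'true' after normalisation yields true.
function boolChecked13() {
  var boolFrom16 = jsonQueryChecked14();
  if (TextLib.isEmpty(boolFrom16)) {
    throw new Error("UNDETERMINED condition:108", {cause: {
      status: 'UNDETERMINED',
      conditionIndex: 108,
      conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()",
      currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data",
      currentStateReferences: references1.join('\n'),
      remediation: null,
      runtimeError: null
    }});
  }
  return TextLib.equal('true', boolFrom16);
}

// Runs the JMESPath query 'to_string(access_key_1_active)' against the parsed
// attributes JSON and returns the resulting text.
// NOTE(review): the conditionIndex-106 throw is raised inside the try block, so
// the catch below wraps it and callers receive conditionIndex 107, with the 106
// message carried only in runtimeError.
function jsonQueryChecked14() {
  var input = extract7.call(extract7);
  var out;
  try {
    out = jmespath.search(input, 'to_string(access_key_1_active)');
    if (out != null && typeof out != 'string') {
      throw new Error("UNDETERMINED condition:106", {cause: {
        status: 'UNDETERMINED',
        conditionIndex: 106,
        conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()",
        currentStateMessage: "The JSON query did not return text type.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null
      }});
    }
  } catch (e) {
    throw new Error("UNDETERMINED condition:107", {cause: {
      status: 'UNDETERMINED',
      conditionIndex: 107,
      conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()",
      currentStateMessage: "The JSON query has failed.",
      currentStateReferences: references1.join('\n'),
      remediation: null,
      runtimeError: e.message
    }});
  }
  return out;
}

// Cached accessor for the access_key_1_active flag (a `false` result is
// recomputed on each call because the guard is `!this.out`).
function extract12() {
  if (!this.out) {
    this.out = boolChecked13();
  }
  return this.out;
};

// Converts the text of 'access_key_2_active' into a boolean.
// Throws UNDETERMINED (conditionIndex 111) when the queried text is empty.
// The message names the field this function actually queries
// (access_key_2_active), so the finding points at the right access key.
// NOTE(review): this script appears to be generated from the policy's logic
// definition; the same wording presumably needs correcting at that source.
function boolChecked19() {
  var boolFrom22 = jsonQueryChecked20();
  if (TextLib.isEmpty(boolFrom22)) {
    throw new Error("UNDETERMINED condition:111", {cause: {
      status: 'UNDETERMINED',
      conditionIndex: 111,
      conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()",
      currentStateMessage: "Value of 'access_key_2_active' is empty, unexpected data",
      currentStateReferences: references1.join('\n'),
      remediation: null,
      runtimeError: null
    }});
  }
  return TextLib.equal('true', boolFrom22);
}

// jsonQueryChecked20: the same query for 'access_key_2_active'; left as generated.
function jsonQueryChecked20() { var input = extract7.call(extract7); var out; try { out = jmespath.search(input, 'to_string(access_key_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:109", {cause: {status: 'UNDETERMINED', conditionIndex: 109, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:110", {cause: {status: 'UNDETERMINED',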
conditionIndex: 110, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract18() { if (!this.out) { this.out = boolChecked19(); } return this.out; }; references1.push('Cred Report: Attributes JSON [obj.CA10__credReportAttributesJson__c]: ' + obj.CA10__credReportAttributesJson__c); try { if (extract3.call(extract3) == false && extract12.call(extract12) == false && extract18.call(extract18) == false) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__credReportPasswordEnabled__c') == false && extract('CA10__credReportAccessKey1Active__c') == false && extract('CA10__credReportAccessKey2Active__c') == false", currentStateMessage: "This policy applies only to users with an enabled console password or active access keys.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function boolChecked25() { var boolFrom31 = jsonQueryChecked26(); if (TextLib.isEmpty(boolFrom31)) { throw new Error("UNDETERMINED condition:205", {cause: {status: 'UNDETERMINED', conditionIndex: 205, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEmpty()", currentStateMessage: "Value of 'password_enabled' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom31); } function jsonQueryChecked26() { var input = extract28.call(extract28); var out; try { out = jmespath.search(input, 'to_string(password_enabled)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED 
condition:203", {cause: {status: 'UNDETERMINED', conditionIndex: 203, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:204", {cause: {status: 'UNDETERMINED', conditionIndex: 204, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked29() { var input = fieldChecked30(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked30() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract28() { if (!this.out) { this.out = jsonChecked29(); } return this.out; }; function extract24() { if (!this.out) { this.out = boolChecked25(); } return this.out; }; function 
dateChecked34() { var dateTimeFrom35 = jsonQueryChecked36(); dateTimeFrom35 = TemporalLib.replaceNullValues(dateTimeFrom35, ['no_information', 'N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom35)) { throw new Error("UNDETERMINED condition:208", {cause: {status: 'UNDETERMINED', conditionIndex: 208, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').checkIso8601()", currentStateMessage: "Value of 'password_last_used' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom35); } function jsonQueryChecked36() { var input = extract28.call(extract28); var out; try { out = jmespath.search(input, 'to_string(password_last_used)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:206", {cause: {status: 'UNDETERMINED', conditionIndex: 206, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:207", {cause: {status: 'UNDETERMINED', conditionIndex: 207, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract33() { if (!this.out) { this.out = dateChecked34(); } return this.out; }; try { if (extract24.call(extract24) == true && IsEmptyLib.simpleIsNotEmpty(extract33.call(extract33)) && (extract33.call(extract33) != null && extract33.call(extract33).getTime() < todayMinus45Day)) { return {status: 'INCOMPLIANT', conditionIndex: 299, 
conditionText: "extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isNotEmpty() && extract('CA10__credReportPasswordLastUsed__c').beyondLastDays(45)", currentStateMessage: "The password has not been used for over 45 days.", currentStateReferences: references1.join('\n'), remediation: "Disable console access for the user.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[3], conditionIndex:[300..399] function boolChecked42() { var boolFrom48 = jsonQueryChecked43(); if (TextLib.isEmpty(boolFrom48)) { throw new Error("UNDETERMINED condition:305", {cause: {status: 'UNDETERMINED', conditionIndex: 305, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEmpty()", currentStateMessage: "Value of 'password_enabled' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom48); } function jsonQueryChecked43() { var input = extract45.call(extract45); var out; try { out = jmespath.search(input, 'to_string(password_enabled)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:303", {cause: {status: 'UNDETERMINED', conditionIndex: 303, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:304", {cause: {status: 'UNDETERMINED', conditionIndex: 304, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_enabled)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), 
remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked46() { var input = fieldChecked47(); input = TextLib.isEmpty(input) ? null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:302", {cause: {status: 'UNDETERMINED', conditionIndex: 302, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked47() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract45() { if (!this.out) { this.out = jsonChecked46(); } return this.out; }; function extract41() { if (!this.out) { this.out = boolChecked42(); } return this.out; }; function dateChecked51() { var dateTimeFrom52 = jsonQueryChecked53(); dateTimeFrom52 = TemporalLib.replaceNullValues(dateTimeFrom52, ['no_information', 'N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom52)) { throw new Error("UNDETERMINED condition:308", {cause: {status: 'UNDETERMINED', conditionIndex: 308, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').checkIso8601()", currentStateMessage: "Value of 'password_last_used' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom52); } function jsonQueryChecked53() { var input = 
extract45.call(extract45); var out; try { out = jmespath.search(input, 'to_string(password_last_used)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:306", {cause: {status: 'UNDETERMINED', conditionIndex: 306, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:307", {cause: {status: 'UNDETERMINED', conditionIndex: 307, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_used)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract50() { if (!this.out) { this.out = dateChecked51(); } return this.out; }; function dateChecked57() { var dateTimeFrom58 = jsonQueryChecked59(); dateTimeFrom58 = TemporalLib.replaceNullValues(dateTimeFrom58, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom58)) { throw new Error("UNDETERMINED condition:311", {cause: {status: 'UNDETERMINED', conditionIndex: 311, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_changed)').checkIso8601()", currentStateMessage: "Value of 'password_last_changed' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom58); } function jsonQueryChecked59() { var input = extract45.call(extract45); var out; try { out = jmespath.search(input, 'to_string(password_last_changed)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:309", {cause: {status: 'UNDETERMINED', conditionIndex: 309, conditionText: 
"extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_changed)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:310", {cause: {status: 'UNDETERMINED', conditionIndex: 310, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(password_last_changed)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract56() { if (!this.out) { this.out = dateChecked57(); } return this.out; }; try { if (extract41.call(extract41) == true && IsEmptyLib.simpleIsEmpty(extract50.call(extract50)) && IsEmptyLib.simpleIsNotEmpty(extract56.call(extract56)) && (extract56.call(extract56) != null && extract56.call(extract56).getTime() < todayMinus45Day)) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__credReportPasswordEnabled__c') == true && extract('CA10__credReportPasswordLastUsed__c').isEmpty() && extract('CA10__credReportPasswordLastChanged__c').isNotEmpty() && extract('CA10__credReportPasswordLastChanged__c').beyondLastDays(45)", currentStateMessage: "The password has not been changed for over 45 days.", currentStateReferences: references1.join('\n'), remediation: "Disable console access for the user.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[4], conditionIndex:[400..499] function boolChecked65() { var boolFrom71 = jsonQueryChecked66(); if (TextLib.isEmpty(boolFrom71)) { throw new Error("UNDETERMINED condition:405", {cause: {status: 'UNDETERMINED', conditionIndex: 405, conditionText: 
"extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom71); } function jsonQueryChecked66() { var input = extract68.call(extract68); var out; try { out = jmespath.search(input, 'to_string(access_key_1_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:403", {cause: {status: 'UNDETERMINED', conditionIndex: 403, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:404", {cause: {status: 'UNDETERMINED', conditionIndex: 404, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked69() { var input = fieldChecked70(); input = TextLib.isEmpty(input) ? 
null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:402", {cause: {status: 'UNDETERMINED', conditionIndex: 402, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked70() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:401", {cause: {status: 'UNDETERMINED', conditionIndex: 401, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract68() { if (!this.out) { this.out = jsonChecked69(); } return this.out; }; function extract64() { if (!this.out) { this.out = boolChecked65(); } return this.out; }; function dateChecked74() { var dateTimeFrom75 = jsonQueryChecked76(); dateTimeFrom75 = TemporalLib.replaceNullValues(dateTimeFrom75, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom75)) { throw new Error("UNDETERMINED condition:408", {cause: {status: 'UNDETERMINED', conditionIndex: 408, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').checkIso8601()", currentStateMessage: "Value of 'access_key_1_last_used_date' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom75); } function jsonQueryChecked76() { var input = extract68.call(extract68); var out; try { out = jmespath.search(input, 'to_string(access_key_1_last_used_date)'); if (out != null && typeof out != 'string') { throw new 
Error("UNDETERMINED condition:406", {cause: {status: 'UNDETERMINED', conditionIndex: 406, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:407", {cause: {status: 'UNDETERMINED', conditionIndex: 407, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract73() { if (!this.out) { this.out = dateChecked74(); } return this.out; }; try { if (extract64.call(extract64) == true && IsEmptyLib.simpleIsNotEmpty(extract73.call(extract73)) && (extract73.call(extract73) != null && extract73.call(extract73).getTime() < todayMinus45Day)) { return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey1LastUsed__c').beyondLastDays(45)", currentStateMessage: "Access key 1 has not been used for over 45 days.", currentStateReferences: references1.join('\n'), remediation: "Deactivate access key 1.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[5], conditionIndex:[500..599] function boolChecked82() { var boolFrom88 = jsonQueryChecked83(); if (TextLib.isEmpty(boolFrom88)) { throw new Error("UNDETERMINED condition:505", {cause: {status: 'UNDETERMINED', conditionIndex: 505, conditionText: 
"extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom88); } function jsonQueryChecked83() { var input = extract85.call(extract85); var out; try { out = jmespath.search(input, 'to_string(access_key_1_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:503", {cause: {status: 'UNDETERMINED', conditionIndex: 503, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:504", {cause: {status: 'UNDETERMINED', conditionIndex: 504, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked86() { var input = fieldChecked87(); input = TextLib.isEmpty(input) ? 
null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:502", {cause: {status: 'UNDETERMINED', conditionIndex: 502, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked87() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:501", {cause: {status: 'UNDETERMINED', conditionIndex: 501, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract85() { if (!this.out) { this.out = jsonChecked86(); } return this.out; }; function extract81() { if (!this.out) { this.out = boolChecked82(); } return this.out; }; function dateChecked91() { var dateTimeFrom92 = jsonQueryChecked93(); dateTimeFrom92 = TemporalLib.replaceNullValues(dateTimeFrom92, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom92)) { throw new Error("UNDETERMINED condition:508", {cause: {status: 'UNDETERMINED', conditionIndex: 508, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').checkIso8601()", currentStateMessage: "Value of 'access_key_1_last_used_date' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom92); } function jsonQueryChecked93() { var input = extract85.call(extract85); var out; try { out = jmespath.search(input, 'to_string(access_key_1_last_used_date)'); if (out != null && typeof out != 'string') { throw new 
Error("UNDETERMINED condition:506", {cause: {status: 'UNDETERMINED', conditionIndex: 506, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:507", {cause: {status: 'UNDETERMINED', conditionIndex: 507, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_used_date)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract90() { if (!this.out) { this.out = dateChecked91(); } return this.out; }; function dateChecked97() { var dateTimeFrom98 = jsonQueryChecked99(); dateTimeFrom98 = TemporalLib.replaceNullValues(dateTimeFrom98, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom98)) { throw new Error("UNDETERMINED condition:511", {cause: {status: 'UNDETERMINED', conditionIndex: 511, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_rotated)').checkIso8601()", currentStateMessage: "Value of 'access_key_1_last_rotated' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom98); } function jsonQueryChecked99() { var input = extract85.call(extract85); var out; try { out = jmespath.search(input, 'to_string(access_key_1_last_rotated)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:509", {cause: {status: 'UNDETERMINED', conditionIndex: 509, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_rotated)').isResultTypeMismatch()", 
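currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:510", {cause: {status: 'UNDETERMINED', conditionIndex: 510, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_1_last_rotated)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; }

// Cached accessor for the parsed 'access_key_1_last_rotated' date. Callers
// invoke it as extract96.call(extract96), so `this.out` lives on the function
// itself; a null result is recomputed on each call because the guard is
// `!this.out`.
function extract96() {
  if (!this.out) {
    this.out = dateChecked97();
  }
  return this.out;
};

// condition[5]: access key 1 is active, its last-used date is empty, and its
// last-rotated date is earlier than todayMinus45Day -> INCOMPLIANT (599).
// An Error thrown by the extractors with a `cause.status` is returned as the
// evaluation result (the UNDETERMINED outcomes); any other error is rethrown.
try {
  if (extract81.call(extract81) == true
      && IsEmptyLib.simpleIsEmpty(extract90.call(extract90))
      && (extract96.call(extract96) != null && extract96.call(extract96).getTime() < todayMinus45Day)) {
    return {
      status: 'INCOMPLIANT',
      conditionIndex: 599,
      conditionText: "extract('CA10__credReportAccessKey1Active__c') == true && extract('CA10__credReportAccessKey1LastUsed__c').isEmpty() && extract('CA10__credReportAccessKey1LastRotated__c').beyondLastDays(45)",
      currentStateMessage: "Access key 1 has not been rotated for over 45 days.",
      currentStateReferences: references1.join('\n'),
      remediation: "Delete access key 1.",
      runtimeError: null
    };
  }
} catch (err) {
  if (err.cause && err.cause.status) {
    return err.cause;
  } else {
    throw err;
  }
}

// condition[6], conditionIndex:[600..699]

// Converts the text of 'access_key_2_active' into a boolean.
// Throws UNDETERMINED (conditionIndex 605) when the queried text is empty.
// The message names the field this function actually queries
// (access_key_2_active), so the finding points at the right access key.
// NOTE(review): this script appears to be generated from the policy's logic
// definition; the same wording presumably needs correcting at that source.
function boolChecked104() {
  var boolFrom110 = jsonQueryChecked105();
  if (TextLib.isEmpty(boolFrom110)) {
    throw new Error("UNDETERMINED condition:605", {cause: {
      status: 'UNDETERMINED',
      conditionIndex: 605,
      conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()",
      currentStateMessage: "Value of 'access_key_2_active' is empty, unexpected data",
      currentStateReferences: references1.join('\n'),
      remediation: null,
      runtimeError: null
    }});
  }
  return TextLib.equal('true', boolFrom110);
}

// Declaration of jsonQueryChecked105; its name and body follow on the next line.
function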
jsonQueryChecked105() { var input = extract107.call(extract107); var out; try { out = jmespath.search(input, 'to_string(access_key_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:603", {cause: {status: 'UNDETERMINED', conditionIndex: 603, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:604", {cause: {status: 'UNDETERMINED', conditionIndex: 604, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked108() { var input = fieldChecked109(); input = TextLib.isEmpty(input) ? 
null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:602", {cause: {status: 'UNDETERMINED', conditionIndex: 602, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked109() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:601", {cause: {status: 'UNDETERMINED', conditionIndex: 601, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract107() { if (!this.out) { this.out = jsonChecked108(); } return this.out; }; function extract103() { if (!this.out) { this.out = boolChecked104(); } return this.out; }; function dateChecked113() { var dateTimeFrom114 = jsonQueryChecked115(); dateTimeFrom114 = TemporalLib.replaceNullValues(dateTimeFrom114, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom114)) { throw new Error("UNDETERMINED condition:608", {cause: {status: 'UNDETERMINED', conditionIndex: 608, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').checkIso8601()", currentStateMessage: "Value of 'access_key_2_last_used_date' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom114); } function jsonQueryChecked115() { var input = extract107.call(extract107); var out; try { out = jmespath.search(input, 'to_string(access_key_2_last_used_date)'); if (out != null && typeof out != 
'string') { throw new Error("UNDETERMINED condition:606", {cause: {status: 'UNDETERMINED', conditionIndex: 606, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:607", {cause: {status: 'UNDETERMINED', conditionIndex: 607, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract112() { if (!this.out) { this.out = dateChecked113(); } return this.out; }; try { if (extract103.call(extract103) == true && IsEmptyLib.simpleIsNotEmpty(extract112.call(extract112)) && (extract112.call(extract112) != null && extract112.call(extract112).getTime() < todayMinus45Day)) { return {status: 'INCOMPLIANT', conditionIndex: 699, conditionText: "extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isNotEmpty() && extract('CA10__credReportAccessKey2LastUsed__c').beyondLastDays(45)", currentStateMessage: "Access key 2 has not been used for over 45 days.", currentStateReferences: references1.join('\n'), remediation: "Deactivate access key 2.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[7], conditionIndex:[700..799] function boolChecked121() { var boolFrom127 = jsonQueryChecked122(); if (TextLib.isEmpty(boolFrom127)) { throw new Error("UNDETERMINED condition:705", {cause: {status: 'UNDETERMINED', conditionIndex: 705, conditionText: 
"extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEmpty()", currentStateMessage: "Value of 'access_key_1_active' is empty, unexpected data", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TextLib.equal('true', boolFrom127); } function jsonQueryChecked122() { var input = extract124.call(extract124); var out; try { out = jmespath.search(input, 'to_string(access_key_2_active)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:703", {cause: {status: 'UNDETERMINED', conditionIndex: 703, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:704", {cause: {status: 'UNDETERMINED', conditionIndex: 704, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_active)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function jsonChecked125() { var input = fieldChecked126(); input = TextLib.isEmpty(input) ? 
null : input; var out; try { out = JSON.parse(input); } catch (e) { throw new Error("UNDETERMINED condition:702", {cause: {status: 'UNDETERMINED', conditionIndex: 702, conditionText: "CA10__credReportAttributesJson__c.asJson().isInvalid()", currentStateMessage: "Cred report attributes JSON is invalid", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function fieldChecked126() { if (BytesLib.isEmpty(obj.CA10__credReportAttributesJson__c)) { throw new Error("UNDETERMINED condition:701", {cause: {status: 'UNDETERMINED', conditionIndex: 701, conditionText: "CA10__credReportAttributesJson__c.isEmpty()", currentStateMessage: "Credential report attributes are empty, this is either permission issue or the data haven't been populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__credReportAttributesJson__c; } function extract124() { if (!this.out) { this.out = jsonChecked125(); } return this.out; }; function extract120() { if (!this.out) { this.out = boolChecked121(); } return this.out; }; function dateChecked130() { var dateTimeFrom131 = jsonQueryChecked132(); dateTimeFrom131 = TemporalLib.replaceNullValues(dateTimeFrom131, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom131)) { throw new Error("UNDETERMINED condition:708", {cause: {status: 'UNDETERMINED', conditionIndex: 708, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').checkIso8601()", currentStateMessage: "Value of 'access_key_2_last_used_date' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom131); } function jsonQueryChecked132() { var input = extract124.call(extract124); var out; try { out = jmespath.search(input, 'to_string(access_key_2_last_used_date)'); if (out != null && typeof out != 
'string') { throw new Error("UNDETERMINED condition:706", {cause: {status: 'UNDETERMINED', conditionIndex: 706, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:707", {cause: {status: 'UNDETERMINED', conditionIndex: 707, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_used_date)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract129() { if (!this.out) { this.out = dateChecked130(); } return this.out; }; function dateChecked136() { var dateTimeFrom137 = jsonQueryChecked138(); dateTimeFrom137 = TemporalLib.replaceNullValues(dateTimeFrom137, ['N/A']); if (!TemporalLib.checkIso8601(dateTimeFrom137)) { throw new Error("UNDETERMINED condition:711", {cause: {status: 'UNDETERMINED', conditionIndex: 711, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_rotated)').checkIso8601()", currentStateMessage: "Value of 'access_key_2_last_rotated' does not match ISO-8601 format", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return TemporalLib.parseIso8601(dateTimeFrom137); } function jsonQueryChecked138() { var input = extract124.call(extract124); var out; try { out = jmespath.search(input, 'to_string(access_key_2_last_rotated)'); if (out != null && typeof out != 'string') { throw new Error("UNDETERMINED condition:709", {cause: {status: 'UNDETERMINED', conditionIndex: 709, conditionText: 
"extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_rotated)').isResultTypeMismatch()", currentStateMessage: "The JSON query did not return text type.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } } catch (e) { throw new Error("UNDETERMINED condition:710", {cause: {status: 'UNDETERMINED', conditionIndex: 710, conditionText: "extract('CA10__credReportAttributesJson__c').jsonQueryText('to_string(access_key_2_last_rotated)').isEvaluationFailed()", currentStateMessage: "The JSON query has failed.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: e.message}}); } return out; } function extract135() { if (!this.out) { this.out = dateChecked136(); } return this.out; }; try { if (extract120.call(extract120) == true && IsEmptyLib.simpleIsEmpty(extract129.call(extract129)) && (extract135.call(extract135) != null && extract135.call(extract135).getTime() < todayMinus45Day)) { return {status: 'INCOMPLIANT', conditionIndex: 799, conditionText: "extract('CA10__credReportAccessKey2Active__c') == true && extract('CA10__credReportAccessKey2LastUsed__c').isEmpty() && extract('CA10__credReportAccessKey2LastRotated__c').beyondLastDays(45)", currentStateMessage: "Access key 2 has not been rotated for over 45 days.", currentStateReferences: references1.join('\n'), remediation: "Delete access key 2.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'COMPLIANT', conditionIndex: 800, conditionText: "otherwise", currentStateMessage: "All credentials unused for 45 days or longer have been removed or deactivated.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = 
IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id, process_CA10__CaAwsUser__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__credReportAttributesJson__c AS CA10__credReportAttributesJson__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsUser__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;