fix(googleworkspace): use per-service resources for Calendar and Drive (#11161)

lydiavilchez
2026-05-14 12:43:29 +02:00
committed by GitHub
parent 6befa78978
commit 5f92989492
29 changed files with 83 additions and 46 deletions
+1
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
### 🐞 Fixed
- Google Workspace Calendar and Drive services sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11161)](https://github.com/prowler-cloud/prowler/pull/11161)
- `zone_waf_enabled` check for Cloudflare provider now appends a plan-aware hint to the FAIL `status_extended`: a possible-false-positive note on paid plans (Pro, Business, Enterprise) where the legacy `waf` zone setting can read `off` even though WAF managed rulesets are deployed via the dashboard, and a "not available on the Cloudflare Free plan" note on Free zones [(#9896)](https://github.com/prowler-cloud/prowler/pull/9896)
- Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11169)](https://github.com/prowler-cloud/prowler/pull/11169)
@@ -20,7 +20,10 @@ class calendar_external_invitations_warning(Check):
if calendar_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=calendar_client.provider.domain_resource,
resource=calendar_client.policies,
resource_id="calendarPolicies",
resource_name="Calendar Policies",
customer_id=calendar_client.provider.identity.customer_id,
)
warning_enabled = calendar_client.policies.external_invitations_warning
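Review bot: `resource_id="calendarPolicies"` replaces a tenant-specific identifier (the removed test assertions on this page show the old value was the customer ID) with a constant that is identical for every Google Workspace customer. If findings are stored or deduplicated by resource id without the customer or provider in the key, which this hunk does not show, two tenants would share one row, the same overwrite this commit fixes between services; a scoped value such as `resource_id=f"{calendar_client.provider.identity.customer_id}/calendarPolicies"` avoids that. The rename also means any mutelist or reporting rule that matched the domain as resource name will no longer match these findings, which deserves a line in the changelog entry. The same applies to the other two Calendar checks and to the eleven Drive checks that use `"drivePolicies"`. The enclosing method starts and ends outside the hunk.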
@@ -20,7 +20,10 @@ class calendar_external_sharing_primary_calendar(Check):
if calendar_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=calendar_client.provider.domain_resource,
resource=calendar_client.policies,
resource_id="calendarPolicies",
resource_name="Calendar Policies",
customer_id=calendar_client.provider.identity.customer_id,
)
sharing = calendar_client.policies.primary_calendar_external_sharing
@@ -20,7 +20,10 @@ class calendar_external_sharing_secondary_calendar(Check):
if calendar_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=calendar_client.provider.domain_resource,
resource=calendar_client.policies,
resource_id="calendarPolicies",
resource_name="Calendar Policies",
customer_id=calendar_client.provider.identity.customer_id,
)
sharing = calendar_client.policies.secondary_calendar_external_sharing
@@ -19,7 +19,10 @@ class drive_access_checker_recipients_only(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
access_checker = drive_client.policies.access_checker_suggestions
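Review bot: `"drivePolicies"` and `"Drive Policies"` are repeated as string literals in this check and in ten further Drive checks (the Calendar pair in three), so a typo in any single file would silently put that check's findings on a separate resource row. Defining them once next to `DrivePolicies` in `drive_service`, for example `DRIVE_POLICIES_RESOURCE_ID = "drivePolicies"`, and passing `resource_id=DRIVE_POLICIES_RESOURCE_ID` keeps the identifier consistent across checks. The enclosing method continues outside the hunk.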
@@ -20,7 +20,10 @@ class drive_desktop_access_disabled(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allow_desktop = drive_client.policies.allow_drive_for_desktop
@@ -18,7 +18,10 @@ class drive_external_sharing_warn_users(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
warning_enabled = drive_client.policies.warn_for_external_sharing
@@ -19,7 +19,10 @@ class drive_internal_users_distribute_content(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allowed = drive_client.policies.allowed_parties_for_distributing_content
@@ -19,7 +19,10 @@ class drive_publishing_files_disabled(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allow_publishing = drive_client.policies.allow_publishing_files
@@ -20,7 +20,10 @@ class drive_shared_drive_creation_allowed(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allow_creation = drive_client.policies.allow_shared_drive_creation
@@ -19,7 +19,10 @@ class drive_shared_drive_disable_download_print_copy(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allowed = drive_client.policies.allowed_parties_for_download_print_copy
@@ -19,7 +19,10 @@ class drive_shared_drive_managers_cannot_override(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allow_override = drive_client.policies.allow_managers_to_override_settings
@@ -19,7 +19,10 @@ class drive_shared_drive_members_only_access(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
allow_non_member = drive_client.policies.allow_non_member_access
@@ -18,7 +18,10 @@ class drive_sharing_allowlisted_domains(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
mode = drive_client.policies.external_sharing_mode
@@ -19,7 +19,10 @@ class drive_warn_sharing_with_allowlisted_domains(Check):
if drive_client.policies_fetched:
report = CheckReportGoogleWorkspace(
metadata=self.metadata(),
resource=drive_client.provider.domain_resource,
resource=drive_client.policies,
resource_id="drivePolicies",
resource_name="Drive Policies",
customer_id=drive_client.provider.identity.customer_id,
)
warn_enabled = (
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
)
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -40,7 +39,7 @@ class TestCalendarExternalInvitationsWarning:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Calendar Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_warnings_disabled(self):
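Review bot: The updated assertion checks only `resource_name`; `resource_id` and `resource` are verified only in the primary-calendar and Drive external-sharing-warning tests, so a wrong or missing id in the other twelve checks would still pass. Add `assert findings[0].resource_id == "calendarPolicies"` here, and the `"drivePolicies"` equivalent in the Drive tests that assert only the name. Only the PASS case appears in the hunk; whether the FAIL cases assert the resource fields cannot be seen from here.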
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
)
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -40,10 +39,15 @@ class TestCalendarExternalSharingPrimaryCalendar:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "free/busy information only" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_id == CUSTOMER_ID
assert findings[0].resource_name == "Calendar Policies"
assert findings[0].resource_id == "calendarPolicies"
assert findings[0].customer_id == CUSTOMER_ID
assert findings[0].resource == mock_provider.domain_resource.dict()
assert (
findings[0].resource
== CalendarPolicies(
primary_calendar_external_sharing="EXTERNAL_FREE_BUSY_ONLY"
).dict()
)
def test_fail_read_only(self):
"""Test FAIL when external sharing allows read-only access"""
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
)
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -40,7 +39,7 @@ class TestCalendarExternalSharingSecondaryCalendar:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "free/busy information only" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Calendar Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_read_only(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveAccessCheckerRecipientsOnly:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "recipients only" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_recipients_or_audience(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -36,7 +35,7 @@ class TestDriveDesktopAccessDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_desktop_enabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -36,10 +35,13 @@ class TestDriveExternalSharingWarnUsers:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "enabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_id == CUSTOMER_ID
assert findings[0].resource_name == "Drive Policies"
assert findings[0].resource_id == "drivePolicies"
assert findings[0].customer_id == CUSTOMER_ID
assert findings[0].resource == mock_provider.domain_resource.dict()
assert (
findings[0].resource
== DrivePolicies(warn_for_external_sharing=True).dict()
)
def test_fail_warning_disabled(self):
"""Test FAIL when external sharing warning is explicitly disabled"""
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveInternalUsersDistributeContent:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "ELIGIBLE_INTERNAL_USERS" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_pass_none_allowed(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -36,7 +35,7 @@ class TestDrivePublishingFilesDisabled:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "disabled" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_publishing_enabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -36,7 +35,7 @@ class TestDriveSharedDriveCreationAllowed:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "allowed" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_creation_disabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveSharedDriveDisableDownloadPrintCopy:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "EDITORS_ONLY" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_pass_managers_only(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveSharedDriveManagersCannotOverride:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "cannot override" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_override_allowed(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -36,7 +35,7 @@ class TestDriveSharedDriveMembersOnlyAccess:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "members only" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_non_member_access_enabled(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveSharingAllowlistedDomains:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "allowlisted domains" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_allowed(self):
@@ -3,7 +3,6 @@ from unittest.mock import patch
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
from tests.providers.googleworkspace.googleworkspace_fixtures import (
CUSTOMER_ID,
DOMAIN,
set_mocked_googleworkspace_provider,
)
@@ -38,7 +37,7 @@ class TestDriveWarnSharingWithAllowlistedDomains:
assert len(findings) == 1
assert findings[0].status == "PASS"
assert "warned" in findings[0].status_extended
assert findings[0].resource_name == DOMAIN
assert findings[0].resource_name == "Drive Policies"
assert findings[0].customer_id == CUSTOMER_ID
def test_fail_warning_disabled(self):