mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
fix(googleworkspace): use per-service resources for Calendar and Drive (#11161)
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
|
||||
### 🐞 Fixed
|
||||
|
||||
- Google Workspace Calendar and Drive services sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11161)](https://github.com/prowler-cloud/prowler/pull/11161)
|
||||
- `zone_waf_enabled` check for Cloudflare provider now appends a plan-aware hint to the FAIL `status_extended`: a possible-false-positive note on paid plans (Pro, Business, Enterprise) where the legacy `waf` zone setting can read `off` even though WAF managed rulesets are deployed via the dashboard, and a "not available on the Cloudflare Free plan" note on Free zones [(#9896)](https://github.com/prowler-cloud/prowler/pull/9896)
|
||||
- Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed [(#11169)](https://github.com/prowler-cloud/prowler/pull/11169)
|
||||
|
||||
|
||||
+4
-1
@@ -20,7 +20,10 @@ class calendar_external_invitations_warning(Check):
|
||||
if calendar_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=calendar_client.provider.domain_resource,
|
||||
resource=calendar_client.policies,
|
||||
resource_id="calendarPolicies",
|
||||
resource_name="Calendar Policies",
|
||||
customer_id=calendar_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
warning_enabled = calendar_client.policies.external_invitations_warning
|
||||
|
||||
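Review bot: `resource_id="calendarPolicies"` is a fixed literal, so every Google Workspace customer scanned gets the same resource id for these findings; the test changes further down this page suggest the id previously equalled the customer id. Tenant identity now rides only on `customer_id`, and whether the resource row or any downstream deduplication keys on `resource_id` alone is not visible here, so it is worth confirming that two customers' Calendar findings cannot be merged into one record. If they can, a tenant-qualified id such as `resource_id=f"{calendar_client.provider.identity.customer_id}/calendarPolicies"` would keep them apart. The same applies to the other two Calendar checks and to `"drivePolicies"` in the eleven Drive checks; the enclosing method starts and ends outside the hunk.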
+4
-1
@@ -20,7 +20,10 @@ class calendar_external_sharing_primary_calendar(Check):
|
||||
if calendar_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=calendar_client.provider.domain_resource,
|
||||
resource=calendar_client.policies,
|
||||
resource_id="calendarPolicies",
|
||||
resource_name="Calendar Policies",
|
||||
customer_id=calendar_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
sharing = calendar_client.policies.primary_calendar_external_sharing
|
||||
|
||||
+4
-1
@@ -20,7 +20,10 @@ class calendar_external_sharing_secondary_calendar(Check):
|
||||
if calendar_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=calendar_client.provider.domain_resource,
|
||||
resource=calendar_client.policies,
|
||||
resource_id="calendarPolicies",
|
||||
resource_name="Calendar Policies",
|
||||
customer_id=calendar_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
sharing = calendar_client.policies.secondary_calendar_external_sharing
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_access_checker_recipients_only(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
access_checker = drive_client.policies.access_checker_suggestions
|
||||
|
||||
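Review bot: The pair `resource_id="drivePolicies"` / `resource_name="Drive Policies"` is typed out here and again in each of the other ten Drive check classes on this page, so a typo in one file would silently give that check its own resource identity and split its findings from the rest of the service. Defining the two strings once next to `DrivePolicies` in the Drive service module and referencing them from the checks would remove that risk, e.g. `resource_id=DRIVE_POLICIES_RESOURCE_ID` (the constant name is a suggestion, not an existing identifier). The three Calendar checks repeat `"calendarPolicies"` / `"Calendar Policies"` in the same way. The enclosing method continues outside the hunk.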
+4
-1
@@ -20,7 +20,10 @@ class drive_desktop_access_disabled(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allow_desktop = drive_client.policies.allow_drive_for_desktop
|
||||
|
||||
+4
-1
@@ -18,7 +18,10 @@ class drive_external_sharing_warn_users(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
warning_enabled = drive_client.policies.warn_for_external_sharing
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_internal_users_distribute_content(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allowed = drive_client.policies.allowed_parties_for_distributing_content
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_publishing_files_disabled(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allow_publishing = drive_client.policies.allow_publishing_files
|
||||
|
||||
+4
-1
@@ -20,7 +20,10 @@ class drive_shared_drive_creation_allowed(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allow_creation = drive_client.policies.allow_shared_drive_creation
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_shared_drive_disable_download_print_copy(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allowed = drive_client.policies.allowed_parties_for_download_print_copy
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_shared_drive_managers_cannot_override(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allow_override = drive_client.policies.allow_managers_to_override_settings
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_shared_drive_members_only_access(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
allow_non_member = drive_client.policies.allow_non_member_access
|
||||
|
||||
+4
-1
@@ -18,7 +18,10 @@ class drive_sharing_allowlisted_domains(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
mode = drive_client.policies.external_sharing_mode
|
||||
|
||||
+4
-1
@@ -19,7 +19,10 @@ class drive_warn_sharing_with_allowlisted_domains(Check):
|
||||
if drive_client.policies_fetched:
|
||||
report = CheckReportGoogleWorkspace(
|
||||
metadata=self.metadata(),
|
||||
resource=drive_client.provider.domain_resource,
|
||||
resource=drive_client.policies,
|
||||
resource_id="drivePolicies",
|
||||
resource_name="Drive Policies",
|
||||
customer_id=drive_client.provider.identity.customer_id,
|
||||
)
|
||||
|
||||
warn_enabled = (
|
||||
|
||||
+1
-2
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
|
||||
)
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -40,7 +39,7 @@ class TestCalendarExternalInvitationsWarning:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "enabled" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Calendar Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_warnings_disabled(self):
|
||||
|
||||
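Review bot: Only `resource_name` is pinned in this PASS test, so it would still pass if the check reported the old resource id or the old resource payload. Adding `assert findings[0].resource_id == "calendarPolicies"` next to the name assertion would cover the field the fix is about, as `TestCalendarExternalSharingPrimaryCalendar` already does. The same single-assertion update appears in the secondary-calendar test and in every Drive test on this page except `TestDriveExternalSharingWarnUsers`; those would take `"drivePolicies"`. The test method starts outside the hunk.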
+8
-4
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
|
||||
)
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -40,10 +39,15 @@ class TestCalendarExternalSharingPrimaryCalendar:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "free/busy information only" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_id == CUSTOMER_ID
|
||||
assert findings[0].resource_name == "Calendar Policies"
|
||||
assert findings[0].resource_id == "calendarPolicies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
assert findings[0].resource == mock_provider.domain_resource.dict()
|
||||
assert (
|
||||
findings[0].resource
|
||||
== CalendarPolicies(
|
||||
primary_calendar_external_sharing="EXTERNAL_FREE_BUSY_ONLY"
|
||||
).dict()
|
||||
)
|
||||
|
||||
def test_fail_read_only(self):
|
||||
"""Test FAIL when external sharing allows read-only access"""
|
||||
|
||||
+1
-2
@@ -5,7 +5,6 @@ from prowler.providers.googleworkspace.services.calendar.calendar_service import
|
||||
)
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -40,7 +39,7 @@ class TestCalendarExternalSharingSecondaryCalendar:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "free/busy information only" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Calendar Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_read_only(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveAccessCheckerRecipientsOnly:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "recipients only" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_recipients_or_audience(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -36,7 +35,7 @@ class TestDriveDesktopAccessDisabled:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "disabled" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_desktop_enabled(self):
|
||||
|
||||
+6
-4
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -36,10 +35,13 @@ class TestDriveExternalSharingWarnUsers:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "enabled" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_id == CUSTOMER_ID
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].resource_id == "drivePolicies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
assert findings[0].resource == mock_provider.domain_resource.dict()
|
||||
assert (
|
||||
findings[0].resource
|
||||
== DrivePolicies(warn_for_external_sharing=True).dict()
|
||||
)
|
||||
|
||||
def test_fail_warning_disabled(self):
|
||||
"""Test FAIL when external sharing warning is explicitly disabled"""
|
||||
|
||||
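Review bot: The new `resource_id` and `resource` assertions here pin literals for one service only, and none of the updated tests on this page exercises the failure the changelog entry describes, a Calendar finding and a Drive finding landing on the same resource row. A small regression test that runs one Calendar check and one Drive check against the same mocked provider and asserts their `resource_id` values differ (and that `customer_id` matches on both) would guard the fix directly. Such a test may already exist in a file this page does not show. The test method starts outside the hunk.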
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveInternalUsersDistributeContent:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "ELIGIBLE_INTERNAL_USERS" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_pass_none_allowed(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -36,7 +35,7 @@ class TestDrivePublishingFilesDisabled:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "disabled" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_publishing_enabled(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -36,7 +35,7 @@ class TestDriveSharedDriveCreationAllowed:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "allowed" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_creation_disabled(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveSharedDriveDisableDownloadPrintCopy:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "EDITORS_ONLY" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_pass_managers_only(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveSharedDriveManagersCannotOverride:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "cannot override" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_override_allowed(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -36,7 +35,7 @@ class TestDriveSharedDriveMembersOnlyAccess:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "members only" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_non_member_access_enabled(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveSharingAllowlistedDomains:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "allowlisted domains" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_allowed(self):
|
||||
|
||||
+1
-2
@@ -3,7 +3,6 @@ from unittest.mock import patch
|
||||
from prowler.providers.googleworkspace.services.drive.drive_service import DrivePolicies
|
||||
from tests.providers.googleworkspace.googleworkspace_fixtures import (
|
||||
CUSTOMER_ID,
|
||||
DOMAIN,
|
||||
set_mocked_googleworkspace_provider,
|
||||
)
|
||||
|
||||
@@ -38,7 +37,7 @@ class TestDriveWarnSharingWithAllowlistedDomains:
|
||||
assert len(findings) == 1
|
||||
assert findings[0].status == "PASS"
|
||||
assert "warned" in findings[0].status_extended
|
||||
assert findings[0].resource_name == DOMAIN
|
||||
assert findings[0].resource_name == "Drive Policies"
|
||||
assert findings[0].customer_id == CUSTOMER_ID
|
||||
|
||||
def test_fail_warning_disabled(self):
|
||||
|
||||