chore: remove authentication arguments

HugoPBrito
2025-12-16 08:20:17 +01:00
parent c667ff91be
commit 72d2ff40f2
6 changed files with 26 additions and 100 deletions


@@ -111,17 +111,8 @@ The email must be the same email address used to log into your Cloudflare accoun
- **Use least privilege** - Only grant the minimum permissions needed
- **Monitor token usage** - Review the Cloudflare audit log for suspicious activity
### Credential Priority
If multiple credentials are configured, Prowler uses them in this order:
1. **Command-line arguments** (highest priority)
2. **Environment variables** (if no CLI arguments provided)
<Warning>
**Use only one authentication method at a time.** The Cloudflare SDK automatically reads credentials from environment variables, which can cause conflicts if both methods are configured simultaneously.
If both API Token and API Key and Email are set, Prowler will use the API Token and log an error message.
**Use only one authentication method at a time.** If both API Token and API Key + Email are set, Prowler will use the API Token and log an error message.
</Warning>
## Troubleshooting


@@ -40,43 +40,23 @@ prowler cloudflare
That's it! Prowler will automatically discover all zones in your account and run security checks against them.
## Authentication Methods
## Authentication
### Using Environment Variables (Recommended)
Prowler reads Cloudflare credentials from environment variables. Set your credentials before running Prowler:
Set your credentials as environment variables before running Prowler:
**API Token:**
**API Token (Recommended):**
```bash
export CLOUDFLARE_API_TOKEN="your-api-token-here"
prowler cloudflare
```
**API Key + Email:**
**API Key + Email (Legacy):**
```bash
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"
prowler cloudflare
```
### Using Command-Line Arguments
Pass credentials directly to Prowler:
**API Token:**
```bash
prowler cloudflare --cloudflare-api-token "your-api-token-here"
```
**API Key + Email:**
```bash
prowler cloudflare --cloudflare-api-key "your-api-key-here" --cloudflare-api-email "your-email@example.com"
```
<Note>
Command-line arguments take priority over environment variables.
</Note>
## Filtering Zones
By default, Prowler scans all zones accessible with your credentials:


@@ -40,9 +40,6 @@ class CloudflareProvider(Provider):
def __init__(
self,
api_token: str = None,
api_key: str = None,
api_email: str = None,
filter_zones: Iterable[str] | None = None,
config_path: str = None,
config_content: dict | None = None,
@@ -61,12 +58,7 @@ class CloudflareProvider(Provider):
max_retries = self._audit_config.get("max_retries", 2)
self._session = CloudflareProvider.setup_session(
api_token=api_token,
api_key=api_key,
api_email=api_email,
max_retries=max_retries,
)
self._session = CloudflareProvider.setup_session(max_retries=max_retries)
self._identity = CloudflareProvider.setup_identity(self._session)
@@ -118,31 +110,26 @@ class CloudflareProvider(Provider):
return self._identity.accounts
@staticmethod
def setup_session(
api_token: str = None,
api_key: str = None,
api_email: str = None,
max_retries: int = 2,
) -> CloudflareSession:
def setup_session(max_retries: int = 2) -> CloudflareSession:
"""Initialize Cloudflare SDK client.
Credentials are read from environment variables:
- CLOUDFLARE_API_TOKEN (recommended)
- CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL (legacy)
Args:
api_token: Cloudflare API token.
api_key: Cloudflare API key.
api_email: Cloudflare API email.
max_retries: Maximum number of retries for API requests (default is 2).
"""
token = api_token or os.environ.get("CLOUDFLARE_API_TOKEN", "")
key = api_key or os.environ.get("CLOUDFLARE_API_KEY", "")
email = api_email or os.environ.get("CLOUDFLARE_API_EMAIL", "")
token = os.environ.get("CLOUDFLARE_API_TOKEN", "")
key = os.environ.get("CLOUDFLARE_API_KEY", "")
email = os.environ.get("CLOUDFLARE_API_EMAIL", "")
# Warn if both auth methods are set, use API Token (recommended)
if token and key and email:
logger.error(
"Both API Token and API Key + Email credentials are set. "
"Using API Token (recommended). "
"To avoid this error, unset CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL, or CLOUDFLARE_API_TOKEN. "
"Note: The Cloudflare SDK automatically reads credentials from environment variables, which causes conflicts."
"To avoid this error, unset CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL, or CLOUDFLARE_API_TOKEN."
)
# The Cloudflare SDK reads credentials from environment variables automatically.
@@ -161,9 +148,7 @@ class CloudflareProvider(Provider):
else:
raise CloudflareCredentialsError(
file=os.path.basename(__file__),
message="Cloudflare credentials not found. Available authentication methods: "
"(1) API Token: use --cloudflare-api-token or set CLOUDFLARE_API_TOKEN environment variable; "
"(2) API Key + Email: use --cloudflare-api-key and --cloudflare-api-email or set CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL environment variables.",
message="Cloudflare credentials not found. Set CLOUDFLARE_API_TOKEN or both CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL environment variables.",
)
return CloudflareSession(
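Review bot: With `api_token`, `api_key` and `api_email` removed from both `__init__` and `setup_session`, process-wide environment variables become the only way to hand credentials to this provider, which constrains any caller that constructs `CloudflareProvider` programmatically rather than through the CLI. Such a caller would have to write secrets into `os.environ`, where they are shared by every thread and inherited by child processes, so two scans of different accounts in one process cannot be isolated. Dropping the CLI flags keeps secrets out of argv and shell history, but that goal does not require removing the constructor parameters; consider keeping them as optional keyword arguments defaulting to `None` and consulting the environment only when they are unset. Separately, `if token and key and email:` stays silent when a token is set alongside only one of the legacy variables, so a stale `CLOUDFLARE_API_KEY` goes unreported. Whether other callers of `setup_session` exist is not visible here, and the function body continues outside these hunks.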


@@ -7,29 +7,6 @@ def init_parser(self):
"cloudflare", parents=[self.common_providers_parser], help="Cloudflare Provider"
)
auth_group = cloudflare_parser.add_argument_group("Authentication")
auth_group.add_argument(
"--cloudflare-api-token",
nargs="?",
default=None,
metavar="CLOUDFLARE_API_TOKEN",
help="Cloudflare API Token used for authentication (preferred)",
)
auth_group.add_argument(
"--cloudflare-api-key",
nargs="?",
default=None,
metavar="CLOUDFLARE_API_KEY",
help="Cloudflare API key (legacy authentication)",
)
auth_group.add_argument(
"--cloudflare-api-email",
nargs="?",
default=None,
metavar="CLOUDFLARE_API_EMAIL",
help="Email associated with the Cloudflare API key (required when using --cloudflare-api-key)",
)
scope_group = cloudflare_parser.add_argument_group("Scope")
scope_group.add_argument(
"--region",
@@ -44,16 +21,14 @@ def init_parser(self):
def validate_arguments(arguments) -> tuple[bool, str]:
"""Validate Cloudflare provider arguments."""
token = arguments.cloudflare_api_token or environ.get("CLOUDFLARE_API_TOKEN", "")
api_key = arguments.cloudflare_api_key or environ.get("CLOUDFLARE_API_KEY", "")
api_email = arguments.cloudflare_api_email or environ.get(
"CLOUDFLARE_API_EMAIL", ""
)
token = environ.get("CLOUDFLARE_API_TOKEN", "")
api_key = environ.get("CLOUDFLARE_API_KEY", "")
api_email = environ.get("CLOUDFLARE_API_EMAIL", "")
if not token and not (api_key and api_email):
return (
False,
"Cloudflare provider requires CLOUDFLARE_API_TOKEN (or --cloudflare-api-token) or the combination of CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL (or --cloudflare-api-key and --cloudflare-api-email).",
"Cloudflare provider requires CLOUDFLARE_API_TOKEN or the combination of CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL environment variables.",
)
return (True, "")
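Review bot: Once the "Authentication" argument group is removed, `prowler cloudflare --help` no longer tells the user how to authenticate, because the subparser call at the top of the first hunk carries only `help="Cloudflare Provider"`. The variable names are now discoverable only from the failure message in `validate_arguments`. Consider stating them on the subparser, for example `description="Credentials are read from CLOUDFLARE_API_TOKEN, or from CLOUDFLARE_API_KEY together with CLOUDFLARE_API_EMAIL."`. `init_parser` begins outside the hunk, so the start of the `add_parser(...)` call is not visible.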


@@ -250,9 +250,6 @@ class Provider(ABC):
)
elif "cloudflare" in provider_class_name.lower():
provider_class(
api_token=arguments.cloudflare_api_token,
api_key=arguments.cloudflare_api_key,
api_email=arguments.cloudflare_api_email,
filter_zones=arguments.region,
config_path=arguments.config_file,
mutelist_path=arguments.mutelist_file,


@@ -51,7 +51,7 @@ class TestCloudflareProvider:
),
),
):
provider = CloudflareProvider(api_token=API_TOKEN)
provider = CloudflareProvider()
assert provider._type == "cloudflare"
assert provider.session.api_token == API_TOKEN
@@ -87,7 +87,7 @@ class TestCloudflareProvider:
),
),
):
provider = CloudflareProvider(api_key=API_KEY, api_email=API_EMAIL)
provider = CloudflareProvider()
assert provider._type == "cloudflare"
assert provider.session.api_key == API_KEY
@@ -120,7 +120,7 @@ class TestCloudflareProvider:
),
),
):
provider = CloudflareProvider(api_token=API_TOKEN)
provider = CloudflareProvider()
connection = provider.test_connection()
assert isinstance(connection, Connection)
@@ -151,7 +151,7 @@ class TestCloudflareProvider:
),
),
):
provider = CloudflareProvider(api_token=API_TOKEN)
provider = CloudflareProvider()
connection = provider.test_connection()
assert isinstance(connection, Connection)
@@ -197,9 +197,7 @@ class TestCloudflareProvider:
),
):
filter_zones = ["zone1", "zone2"]
provider = CloudflareProvider(
api_token=API_TOKEN, filter_zones=filter_zones
)
provider = CloudflareProvider(filter_zones=filter_zones)
assert provider.filter_zones == set(filter_zones)
@@ -230,7 +228,7 @@ class TestCloudflareProvider:
),
),
):
provider = CloudflareProvider(api_token=API_TOKEN)
provider = CloudflareProvider()
assert provider.type == "cloudflare"
assert provider.session is not None
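Review bot: Every changed call is now `CloudflareProvider()` with no arguments, so the values asserted on (for example `provider.session.api_token == API_TOKEN`) must come from whatever the enclosing `with patch(...)` blocks install, and those patch targets are outside these hunks. If they replace `setup_session`, nothing shown here exercises the environment-reading path that is now the only credential source. If they do not, the tests depend on the ambient environment and could pick up real Cloudflare credentials from a developer machine or CI runner. Pin the environment explicitly, e.g. `with patch.dict(os.environ, {"CLOUDFLARE_API_TOKEN": API_TOKEN}, clear=True):`, and add cases for the both-methods-set branch and the no-credentials error.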