chore(audit_info): Replace for provider and add tests (#3542)
Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
+2
-4
@@ -161,10 +161,8 @@ def prowler():
|
||||
checks_to_execute, excluded_services, provider
|
||||
)
|
||||
|
||||
# Once the audit_info is set and we have the eventual checks based on the resource identifier,
|
||||
# Once the provider is set and we have the eventual checks based on the resource identifier,
|
||||
# it is time to check what Prowler's checks are going to be executed
|
||||
# TODO: the following if is done within the function
|
||||
# if global_provider.audit_resources:
|
||||
checks_from_resources = global_provider.get_checks_to_execute_by_audit_resources()
|
||||
if checks_from_resources:
|
||||
checks_to_execute = checks_to_execute.intersection(checks_from_resources)
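Review bot: The `if checks_from_resources:` guard after the new `global_provider.get_checks_to_execute_by_audit_resources()` call means that when a resource filter was supplied but matches no check, the empty set is falsy, the intersection is skipped and the full `checks_to_execute` set runs, which is the opposite of what a resource filter should do. If the skip is only meant for the no-filter case, test the input rather than the result, e.g. `if global_provider.audit_resources: checks_to_execute = checks_to_execute.intersection(checks_from_resources)`, which also resolves the commented-out `# if global_provider.audit_resources:` TODO. The method is called on `global_provider` regardless of provider type; in this diff it is only visible on `AwsProvider`, so confirm the other providers expose it. `prowler()` starts before and continues after this hunk.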
|
||||
@@ -211,7 +209,7 @@ def prowler():
|
||||
# os.environ["SLACK_CHANNEL_ID"],
|
||||
# stats,
|
||||
# provider,
|
||||
# audit_info,
|
||||
# provider,
|
||||
# )
|
||||
# else:
|
||||
# logger.critical(
|
||||
|
||||
@@ -92,22 +92,6 @@ def check_current_version():
|
||||
return f"{prowler_version_string}"
|
||||
|
||||
|
||||
# TODO: remove after changing tests for this function
|
||||
# def change_config_var(variable: str, value: str, audit_info):
|
||||
# try:
|
||||
# if (
|
||||
# hasattr(audit_info, "audit_config")
|
||||
# and audit_info.audit_config is not None
|
||||
# and variable in audit_info.audit_config
|
||||
# ):
|
||||
# audit_info.audit_config[variable] = value
|
||||
# return audit_info
|
||||
# except Exception as error:
|
||||
# logger.error(
|
||||
# f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
|
||||
# )
|
||||
|
||||
|
||||
# TODO: revisit this function
|
||||
def update_provider_config(variable: str, value: str):
|
||||
try:
|
||||
|
||||
@@ -128,12 +128,12 @@ def parse_checks_from_folder(provider, input_folder: str) -> int:
|
||||
try:
|
||||
imported_checks = 0
|
||||
# Check if input folder is a S3 URI
|
||||
if provider.provider == "aws" and re.search(
|
||||
if provider.type == "aws" and re.search(
|
||||
"^s3://([^/]+)/(.*?([^/]+))/$", input_folder
|
||||
):
|
||||
bucket = input_folder.split("/")[2]
|
||||
key = ("/").join(input_folder.split("/")[3:])
|
||||
s3_resource = provider.session.session.resource("s3")
|
||||
s3_resource = provider.session.current_session.resource("s3")
|
||||
bucket = s3_resource.Bucket(bucket)
|
||||
for obj in bucket.objects.filter(Prefix=key):
|
||||
if not os.path.exists(os.path.dirname(obj.key)):
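Review bot: In the S3 branch that now gates on `provider.type == "aws"`, each object key from the bucket is used unmodified as a local path (`os.path.dirname(obj.key)` on the context line, presumably followed by a download to `obj.key`), so a key containing `..` segments or an absolute-looking prefix would write outside the working directory; this is pre-existing, but the branch is being touched and its downloads are later copied into the installed package and imported as checks. A cheap guard before any filesystem use is `if os.path.isabs(obj.key) or ".." in obj.key.split("/"): continue`. `bucket` is re-derived with `input_folder.split("/")[2]` although the regex already captures it in group 1; using the match groups would keep the two in sync. `parse_checks_from_folder` continues outside the hunk.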
|
||||
@@ -150,7 +150,7 @@ def parse_checks_from_folder(provider, input_folder: str) -> int:
|
||||
# Copy checks to specific provider/service folder
|
||||
check_service = check.name.split("_")[0]
|
||||
prowler_dir = prowler.__path__
|
||||
prowler_module = f"{prowler_dir[0]}/providers/{provider.provider}/services/{check_service}/{check.name}"
|
||||
prowler_module = f"{prowler_dir[0]}/providers/{provider.type}/services/{check_service}/{check.name}"
|
||||
if os.path.exists(prowler_module):
|
||||
shutil.rmtree(prowler_module)
|
||||
shutil.copytree(check_module, prowler_module)
|
||||
|
||||
@@ -103,6 +103,7 @@ def generate_provider_output(provider, finding, csv_data) -> FindingOutput:
|
||||
return finding_output
|
||||
|
||||
|
||||
# TODO: add test for outputs_unix_timestamp
|
||||
def fill_common_finding_data(finding: dict, unix_timestamp: bool) -> dict:
|
||||
finding_data = {
|
||||
"timestamp": outputs_unix_timestamp(unix_timestamp, timestamp),
|
||||
|
||||
@@ -23,7 +23,7 @@ from prowler.lib.outputs.compliance.mitre_attack_aws import (
|
||||
|
||||
|
||||
def add_manual_controls(
|
||||
output_options, audit_info, file_descriptors, input_compliance_frameworks
|
||||
output_options, provider, file_descriptors, input_compliance_frameworks
|
||||
):
|
||||
try:
|
||||
# Check if MANUAL control was already added to output
|
||||
@@ -41,7 +41,7 @@ def add_manual_controls(
|
||||
fill_compliance(
|
||||
output_options,
|
||||
manual_finding,
|
||||
audit_info,
|
||||
provider,
|
||||
file_descriptors,
|
||||
input_compliance_frameworks,
|
||||
)
|
||||
|
||||
@@ -2,6 +2,7 @@ from prowler.config.config import prowler_version, timestamp_utc
|
||||
from prowler.lib.logger import logger
|
||||
from prowler.lib.outputs.compliance.compliance import get_check_compliance
|
||||
from prowler.lib.outputs.json_asff.models import (
|
||||
Check_Output_JSON_ASFF,
|
||||
Compliance,
|
||||
ProductFields,
|
||||
Resource,
|
||||
@@ -44,51 +45,34 @@ def generate_json_asff_resource_tags(tags):
|
||||
)
|
||||
|
||||
|
||||
def fill_json_asff(finding_output, provider, finding, output_options):
|
||||
def fill_json_asff(provider, finding):
|
||||
"""
|
||||
Fill the finding's output in JSON ASFF format.
|
||||
|
||||
Parameters:
|
||||
- provider: The provider object containing information about the provider (e.g., AWS) and the output options object containing information about the desired output format.
|
||||
- finding: The finding object containing information about the specific finding.
|
||||
|
||||
Returns:
|
||||
- finding_output: The filled finding's output in JSON ASFF format.
|
||||
"""
|
||||
|
||||
try:
|
||||
# Check if there are no resources in the finding
|
||||
if finding.resource_arn == "":
|
||||
if finding.resource_id == "":
|
||||
finding.resource_id = "NONE_PROVIDED"
|
||||
finding.resource_arn = finding.resource_id
|
||||
# The following line cannot be changed because it is the format we use to generate unique findings for AWS Security Hub
|
||||
# If changed some findings could be lost because the unique identifier will be different
|
||||
# TODO: get this from the provider output
|
||||
finding_output.Id = f"prowler-{finding.check_metadata.CheckID}-{provider.identity.account}-{finding.region}-{hash_sha512(finding.resource_id)}"
|
||||
finding_output.ProductArn = f"arn:{provider.identity.partition}:securityhub:{finding.region}::product/prowler/prowler"
|
||||
finding_output.ProductFields = ProductFields(
|
||||
ProviderVersion=prowler_version, ProwlerResourceName=finding.resource_arn
|
||||
)
|
||||
finding_output.GeneratorId = "prowler-" + finding.check_metadata.CheckID
|
||||
finding_output.AwsAccountId = provider.identity.account
|
||||
finding_output.Types = finding.check_metadata.CheckType
|
||||
finding_output.FirstObservedAt = finding_output.UpdatedAt = (
|
||||
finding_output.CreatedAt
|
||||
) = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
finding_output.Severity = Severity(
|
||||
Label=finding.check_metadata.Severity.upper()
|
||||
)
|
||||
finding_output.Title = finding.check_metadata.CheckTitle
|
||||
# Description should NOT be longer than 1024 characters
|
||||
finding_output.Description = (
|
||||
(finding.status_extended[:1000] + "...")
|
||||
if len(finding.status_extended) > 1000
|
||||
else finding.status_extended
|
||||
)
|
||||
|
||||
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
resource_tags = generate_json_asff_resource_tags(finding.resource_tags)
|
||||
finding_output.Resources = [
|
||||
Resource(
|
||||
Id=finding.resource_arn,
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition=provider.identity.partition,
|
||||
Region=finding.region,
|
||||
Tags=resource_tags,
|
||||
)
|
||||
]
|
||||
|
||||
# Iterate for each compliance framework
|
||||
compliance_summary = []
|
||||
associated_standards = []
|
||||
check_compliance = get_check_compliance(finding, "aws", output_options)
|
||||
check_compliance = get_check_compliance(
|
||||
finding, provider.type, provider.output_options
|
||||
)
|
||||
for key, value in check_compliance.items():
|
||||
if (
|
||||
len(associated_standards) < 20
|
||||
@@ -102,19 +86,49 @@ def fill_json_asff(finding_output, provider, finding, output_options):
|
||||
# Ensures finding_status matches allowed values in ASFF
|
||||
finding_status = generate_json_asff_status(finding.status)
|
||||
|
||||
finding_output.Compliance = Compliance(
|
||||
Status=finding_status,
|
||||
AssociatedStandards=associated_standards,
|
||||
RelatedRequirements=compliance_summary,
|
||||
json_asff_output = Check_Output_JSON_ASFF(
|
||||
# The following line cannot be changed because it is the format we use to generate unique findings for AWS Security Hub
|
||||
# If changed some findings could be lost because the unique identifier will be different
|
||||
# TODO: get this from the provider output
|
||||
Id=f"prowler-{finding.check_metadata.CheckID}-{provider.identity.account}-{finding.region}-{hash_sha512(finding.resource_id)}",
|
||||
ProductArn=f"arn:{provider.identity.partition}:securityhub:{finding.region}::product/prowler/prowler",
|
||||
ProductFields=ProductFields(
|
||||
ProviderVersion=prowler_version,
|
||||
ProwlerResourceName=finding.resource_arn,
|
||||
),
|
||||
GeneratorId="prowler-" + finding.check_metadata.CheckID,
|
||||
AwsAccountId=provider.identity.account,
|
||||
Types=finding.check_metadata.CheckType,
|
||||
FirstObservedAt=timestamp,
|
||||
UpdatedAt=timestamp,
|
||||
CreatedAt=timestamp,
|
||||
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
|
||||
Title=finding.check_metadata.CheckTitle,
|
||||
# Description should NOT be longer than 1024 characters
|
||||
Description=(
|
||||
(finding.status_extended[:1000] + "...")
|
||||
if len(finding.status_extended) > 1000
|
||||
else finding.status_extended
|
||||
),
|
||||
Resources=[
|
||||
Resource(
|
||||
Id=finding.resource_arn,
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition=provider.identity.partition,
|
||||
Region=finding.region,
|
||||
Tags=resource_tags,
|
||||
)
|
||||
],
|
||||
Compliance=Compliance(
|
||||
Status=finding_status,
|
||||
AssociatedStandards=associated_standards,
|
||||
RelatedRequirements=compliance_summary,
|
||||
),
|
||||
Remediation={
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation
|
||||
},
|
||||
)
|
||||
# Fill Recommendation Url if it is blank
|
||||
if not finding.check_metadata.Remediation.Recommendation.Url:
|
||||
finding.check_metadata.Remediation.Recommendation.Url = "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
|
||||
finding_output.Remediation = {
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation
|
||||
}
|
||||
|
||||
return finding_output
|
||||
return json_asff_output
|
||||
except Exception as error:
|
||||
logger.error(
|
||||
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
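Review bot: The fallback `Remediation.Recommendation.Url` is now assigned after `Check_Output_JSON_ASFF(...)` has already been built with `Remediation={"Recommendation": finding.check_metadata.Remediation.Recommendation}`, so whether the filled URL reaches the output depends on the model keeping a reference to the same `Recommendation` object rather than copying it on validation; before this commit the `Remediation` field was set after the URL fill. Moving the `if not finding.check_metadata.Remediation.Recommendation.Url:` block above the constructor makes the order explicit. That block also mutates `finding.check_metadata`, which, if the metadata object is shared across findings of the same check, persists beyond this call. On any exception the function logs and falls off the end, returning `None`, which the callers changed in this commit do not handle. The hunk starts mid-function.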
|
||||
|
||||
@@ -36,16 +36,16 @@ class Check_Output_JSON_ASFF(BaseModel):
|
||||
Id: str = ""
|
||||
ProductArn: str = ""
|
||||
RecordState: str = "ACTIVE"
|
||||
ProductFields: ProductFields = None # type: ignore
|
||||
ProductFields: ProductFields
|
||||
GeneratorId: str = ""
|
||||
AwsAccountId: str = ""
|
||||
Types: list[str] = None
|
||||
FirstObservedAt: str = ""
|
||||
UpdatedAt: str = ""
|
||||
CreatedAt: str = ""
|
||||
Severity: Severity = None # type: ignore
|
||||
Severity: Severity
|
||||
Title: str = ""
|
||||
Description: str = ""
|
||||
Resources: list[Resource] = None
|
||||
Compliance: Compliance = None # type: ignore
|
||||
Compliance: Compliance
|
||||
Remediation: dict = None
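Review bot: With `ProductFields`, `Severity` and `Compliance` now required, `Check_Output_JSON_ASFF()` with no arguments raises a pydantic `ValidationError`; the commit removes the two such constructions visible here (report and security_hub), so any remaining no-arg use elsewhere needs the same treatment. The list fields keep a `None` default under a non-optional annotation (`Types: list[str] = None`, `Resources: list[Resource] = None`, `Remediation: dict = None`), the same smell the commit just cleaned up for the three other fields; either make them required too, since `fill_json_asff` always sets them, or annotate them as `list[str] | None = None`. The class header is outside this hunk.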
|
||||
|
||||
@@ -93,6 +93,7 @@ def fill_json_ocsf(finding_output: FindingOutput) -> DetectionFinding:
|
||||
uid=finding_output.resource_uid,
|
||||
group=Group(name=finding_output.service_name),
|
||||
type=finding_output.resource_type,
|
||||
# TODO: this should be included only if using the Cloud profile
|
||||
cloud_partition=finding_output.partition,
|
||||
region=finding_output.region,
|
||||
)
|
||||
@@ -118,21 +119,19 @@ def fill_json_ocsf(finding_output: FindingOutput) -> DetectionFinding:
|
||||
# TODO: Get the PID of the namespace (we only have the name of the namespace)
|
||||
# detection_finding.namespace_pid=,
|
||||
else:
|
||||
detection_finding.cloud = (
|
||||
Cloud(
|
||||
account=Account(
|
||||
name=finding_output.account_name,
|
||||
type_id=cloud_account_type.value,
|
||||
type=cloud_account_type.name,
|
||||
uid=finding_output.account_uid,
|
||||
),
|
||||
org=Organization(
|
||||
uid=finding_output.account_organization_uid,
|
||||
name=finding_output.account_organization_name,
|
||||
),
|
||||
provider=finding_output.provider,
|
||||
region=finding_output.region,
|
||||
detection_finding.cloud = Cloud(
|
||||
account=Account(
|
||||
name=finding_output.account_name,
|
||||
type_id=cloud_account_type.value,
|
||||
type=cloud_account_type.name,
|
||||
uid=finding_output.account_uid,
|
||||
),
|
||||
org=Organization(
|
||||
uid=finding_output.account_organization_uid,
|
||||
name=finding_output.account_organization_name,
|
||||
),
|
||||
provider=finding_output.provider,
|
||||
region=finding_output.region,
|
||||
)
|
||||
|
||||
return detection_finding
|
||||
|
||||
@@ -19,7 +19,6 @@ from prowler.lib.outputs.compliance.compliance import (
|
||||
from prowler.lib.outputs.csv.csv import generate_csv_fields
|
||||
from prowler.lib.outputs.file_descriptors import fill_file_descriptors
|
||||
from prowler.lib.outputs.json_asff.json_asff import fill_json_asff
|
||||
from prowler.lib.outputs.json_asff.models import Check_Output_JSON_ASFF
|
||||
from prowler.lib.outputs.json_ocsf.json_ocsf import fill_json_ocsf
|
||||
from prowler.lib.outputs.utils import unroll_dict
|
||||
|
||||
@@ -105,13 +104,10 @@ def report(check_findings, provider):
|
||||
if finding.check_metadata.Provider == "aws":
|
||||
if "json-asff" in file_descriptors:
|
||||
# Initialize this field using the class within fill_json_asff not here
|
||||
finding_output = Check_Output_JSON_ASFF()
|
||||
fill_json_asff(
|
||||
finding_output, provider, finding, output_options
|
||||
)
|
||||
json_asff_finding = fill_json_asff(provider, finding)
|
||||
|
||||
json.dump(
|
||||
finding_output.dict(exclude_none=True),
|
||||
json_asff_finding.dict(exclude_none=True),
|
||||
file_descriptors["json-asff"],
|
||||
indent=4,
|
||||
)
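Review bot: `json_asff_finding.dict(exclude_none=True)` assumes `fill_json_asff` returned a model, but that function's `except` branch (earlier in this commit) only logs and falls off the end, so a failure now surfaces here as `AttributeError: 'NoneType' object has no attribute 'dict'`, whereas before the caller-owned `finding_output` was mutated in place and always existed. Guard the dump, e.g. `if json_asff_finding is not None:` around the `json.dump(...)`, or have `fill_json_asff` re-raise; the Security Hub path that appends the result to a per-region list has the same exposure. `report()` continues outside the hunk.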
|
||||
|
||||
@@ -23,18 +23,29 @@ def send_slack_message(token, channel, stats, provider, audit_info):
|
||||
)
|
||||
|
||||
|
||||
def create_message_identity(provider, audit_info):
|
||||
# TODO: move this to each provider
|
||||
def create_message_identity(provider):
|
||||
"""
|
||||
Create a Slack message identity based on the provider type.
|
||||
|
||||
Parameters:
|
||||
- provider (Provider): The Provider (e.g. "AwsProvider", "GcpProvider", "AzureProvide").
|
||||
|
||||
Returns:
|
||||
- identity (str): The message identity based on the provider type.
|
||||
- logo (str): The logo URL associated with the provider type.
|
||||
"""
|
||||
try:
|
||||
identity = ""
|
||||
logo = aws_logo
|
||||
if provider == "aws":
|
||||
identity = f"AWS Account *{audit_info.audited_account}*"
|
||||
elif provider == "gcp":
|
||||
identity = f"GCP Projects *{', '.join(audit_info.project_ids)}*"
|
||||
if provider.type == "aws":
|
||||
identity = f"AWS Account *{provider.identity.account}*"
|
||||
elif provider.type == "gcp":
|
||||
identity = f"GCP Projects *{', '.join(provider.project_ids)}*"
|
||||
logo = gcp_logo
|
||||
elif provider == "azure":
|
||||
elif provider.type == "azure":
|
||||
printed_subscriptions = []
|
||||
for key, value in audit_info.identity.subscriptions.items():
|
||||
for key, value in provider.identity.subscriptions.items():
|
||||
intermediate = f"- *{key}: {value}*\n"
|
||||
printed_subscriptions.append(intermediate)
|
||||
identity = f"Azure Subscriptions:\n{''.join(printed_subscriptions)}"
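Review bot: The GCP branch reads `provider.project_ids` while the AWS and Azure branches go through `provider.identity.*` (`provider.identity.account`, `provider.identity.subscriptions`); if `GcpProvider` follows the same identity layout this raises `AttributeError` on the first GCP Slack notification, so confirm the attribute against the GCP provider class, which is not in this diff. For a provider type matching none of the branches, `identity` stays `""` and `logo` stays `aws_logo`, so a Kubernetes run would post an empty, AWS-branded message; a final `else` that logs and returns would be safer. The docstring's `"AzureProvide"` is a typo for `AzureProvider`. The `try` block continues outside the hunk.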
|
||||
|
||||
@@ -21,6 +21,7 @@ from prowler.providers.aws.config import (
|
||||
ROLE_SESSION_NAME,
|
||||
)
|
||||
from prowler.providers.aws.lib.arn.arn import parse_iam_credentials_arn
|
||||
from prowler.providers.aws.lib.arn.models import ARN
|
||||
from prowler.providers.aws.lib.organizations.organizations import (
|
||||
get_organizations_metadata,
|
||||
parse_organizations_metadata,
|
||||
@@ -49,7 +50,7 @@ class AwsProvider(Provider):
|
||||
_audit_config: dict
|
||||
_ignore_unused_services: bool = False
|
||||
_enabled_regions: set = set()
|
||||
_mutelist: dict
|
||||
_mutelist: dict = {}
|
||||
_output_options: AWSOutputOptions
|
||||
# TODO: this is not optional, enforce for all providers
|
||||
audit_metadata: Audit_Metadata
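Review bot: `_mutelist: dict = {}` installs one shared dict object as a class attribute of `AwsProvider`, so any in-place update of `self._mutelist` (as opposed to a reassignment) is visible to every instance and to later runs in the same process; `_enabled_regions: set = set()` on the context line has the same shape. If the default only exists so the attribute is readable before `__init__` assigns it, prefer keeping `_mutelist: dict` as an annotation and setting `self._mutelist = {}` in `__init__`, which is not visible in this hunk. The class body continues outside the hunk.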
|
||||
@@ -81,7 +82,7 @@ class AwsProvider(Provider):
|
||||
|
||||
# Configure the initial AWS Session using the local credentials: profile or environment variables
|
||||
aws_session = self.setup_session(input_mfa, input_profile, input_role)
|
||||
session_config = self._set_session_config(aws_retries_max_attempts)
|
||||
session_config = self.set_session_config(aws_retries_max_attempts)
|
||||
# Current session and the original session points to the same session object until we get a new one, if needed
|
||||
self._session = AWSSession(
|
||||
current_session=aws_session,
|
||||
@@ -356,14 +357,14 @@ class AwsProvider(Provider):
|
||||
logger.info(f"Original AWS Caller Identity UserId: {caller_identity.user_id}")
|
||||
logger.info(f"Original AWS Caller Identity ARN: {caller_identity.arn}")
|
||||
|
||||
partition = parse_iam_credentials_arn(caller_identity.arn).partition
|
||||
partition = parse_iam_credentials_arn(caller_identity.arn.arn).partition
|
||||
|
||||
return AWSIdentityInfo(
|
||||
account=caller_identity.account,
|
||||
account_arn=f"arn:{partition}:iam::{caller_identity.account}:root",
|
||||
user_id=caller_identity.user_id,
|
||||
partition=partition,
|
||||
identity_arn=caller_identity.arn,
|
||||
identity_arn=caller_identity.arn.arn,
|
||||
profile=input_profile,
|
||||
profile_region=profile_region,
|
||||
audited_regions=input_regions,
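Review bot: `caller_identity.arn` is now an `ARN` object (per the `AWSCallerIdentity` change in this commit), but the context line `logger.info(f"Original AWS Caller Identity ARN: {caller_identity.arn}")` still formats it directly, so unless `ARN` defines `__str__` the log shows an object repr instead of the ARN string; use `{caller_identity.arn.arn}` there as the two changed lines do. Feeding the already parsed ARN back through `parse_iam_credentials_arn(caller_identity.arn.arn)` only to read `.partition` is what the new TODO on that helper flags; the partition is presumably available as `caller_identity.arn.partition` once the region check the helper performs is kept. The enclosing method starts outside the hunk.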
|
||||
@@ -552,7 +553,6 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
json_regions = set(
|
||||
data["services"][service]["regions"][self._identity.partition]
|
||||
)
|
||||
# Check for input aws audit_info.audited_regions
|
||||
if self._identity.audited_regions:
|
||||
# Get common regions between input and json
|
||||
regions = json_regions.intersection(self._identity.audited_regions)
|
||||
@@ -637,9 +637,24 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
audited_regions.add(region)
|
||||
return audited_regions
|
||||
|
||||
def get_tagged_resources(self, input_resource_tags: list):
|
||||
def get_tagged_resources(self, input_resource_tags: list[str]):
|
||||
"""
|
||||
get_tagged_resources returns a list of the resources that are going to be scanned based on the given input tags
|
||||
Returns a list of the resources that are going to be scanned based on the given input tags.
|
||||
|
||||
Parameters:
|
||||
- input_resource_tags: A list of strings representing the tags to filter the resources. Each string should be in the format "key=value".
|
||||
|
||||
Returns:
|
||||
- A list of strings representing the ARNs (Amazon Resource Names) of the tagged resources.
|
||||
|
||||
Note:
|
||||
- This method uses the AWS Resource Groups Tagging API to retrieve the tagged resources.
|
||||
- The method generates regional clients for the Resource Groups Tagging API for each enabled region in the AWS provider.
|
||||
- The method paginates through the results of the 'get_resources' operation to retrieve all the tagged resources.
|
||||
|
||||
Example usage:
|
||||
input_resource_tags = ["Environment=Production", "Owner=John Doe"]
|
||||
tagged_resources = get_tagged_resources(input_resource_tags)
|
||||
"""
|
||||
try:
|
||||
resource_tags = []
|
||||
@@ -676,9 +691,8 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
def get_default_region(self, service: str) -> str:
|
||||
"""get_default_region returns the default region based on the profile and audited service regions"""
|
||||
service_regions = self.get_available_aws_service_regions(service)
|
||||
default_region = (
|
||||
self.get_global_region()
|
||||
) # global region of the partition when all regions are audited and there is no profile region
|
||||
default_region = self.get_global_region()
|
||||
# global region of the partition when all regions are audited and there is no profile region
|
||||
if self._identity.profile_region in service_regions:
|
||||
# return profile region only if it is audited
|
||||
default_region = self._identity.profile_region
|
||||
@@ -704,10 +718,9 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
mfa_TOTP = input("Enter MFA code: ")
|
||||
return AWSMFAInfo(arn=mfa_ARN, totp=mfa_TOTP)
|
||||
|
||||
# TODO: rename function
|
||||
def _set_session_config(self, aws_retries_max_attempts: int) -> Config:
|
||||
def set_session_config(self, aws_retries_max_attempts: int) -> Config:
|
||||
"""
|
||||
_set_session_config returns a botocore Config object with the Prowler user agent and the default retrier configuration if nothing is passed as argument
|
||||
set_session_config returns a botocore Config object with the Prowler user agent and the default retrier configuration if nothing is passed as argument
|
||||
"""
|
||||
# Set the maximum retries for the standard retrier config
|
||||
default_session_config = Config(
|
||||
@@ -723,9 +736,7 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
},
|
||||
)
|
||||
# Merge the new configuration
|
||||
default_session_config.merge(config)
|
||||
# TODO: I don't understand the following line
|
||||
# default_session_config = self.session.session_config.merge(config)
|
||||
default_session_config = default_session_config.merge(config)
|
||||
|
||||
return default_session_config
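Review bot: Replacing `default_session_config.merge(config)` with `default_session_config = default_session_config.merge(config)` is a behaviour change, not a rename: botocore's `Config.merge` returns a new `Config`, so the previous code discarded the merge and `config` (presumably built from `aws_retries_max_attempts` above the hunk) never took effect. That deserves a sentence in the commit message and a test pinning it, e.g. asserting the retry count of the returned `Config` equals the argument, since a `chore(audit_info)` commit is where a silent change to retry behaviour is least expected. `set_session_config` starts outside the hunk.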
|
||||
|
||||
@@ -801,7 +812,7 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
# TODO: review this function
|
||||
# Maybe this should be done within the AwsProvider and not in __main__.py
|
||||
def get_checks_to_execute_by_audit_resources(self) -> set[str]:
|
||||
# Once the audit_info is set and we have the eventual checks from arn, it is time to exclude the others
|
||||
# Once the provider is set and we have the eventual checks from arn, it is time to exclude the others
|
||||
try:
|
||||
checks = set()
|
||||
# TODO: self._audit_resources should be a list[ARN] instead of list[str]
|
||||
@@ -819,6 +830,12 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
|
||||
|
||||
|
||||
def read_aws_regions_file() -> dict:
|
||||
"""
|
||||
Reads the AWS services JSON file and returns the parsed data as a dictionary.
|
||||
|
||||
Returns:
|
||||
dict: The parsed data from the AWS services JSON file.
|
||||
"""
|
||||
# Get JSON locally
|
||||
actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
|
||||
with open_file(f"{actual_directory}/{aws_services_json_file}") as f:
|
||||
@@ -827,7 +844,13 @@ def read_aws_regions_file() -> dict:
|
||||
return data
|
||||
|
||||
|
||||
def get_aws_available_regions():
|
||||
def get_aws_available_regions() -> set:
|
||||
"""
|
||||
Get the available AWS regions from the AWS services JSON file.
|
||||
|
||||
Returns:
|
||||
set: A set of available AWS regions.
|
||||
"""
|
||||
try:
|
||||
data = read_aws_regions_file()
|
||||
|
||||
@@ -839,7 +862,7 @@ def get_aws_available_regions():
|
||||
return regions
|
||||
except Exception as error:
|
||||
logger.error(f"{error.__class__.__name__}: {error}")
|
||||
return []
|
||||
return set()
|
||||
|
||||
|
||||
# TODO: This can be moved to another class since it doesn't need self
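Review bot: `get_aws_available_regions()` now returns `set()` on any exception after only a `logger.error`, so a missing or malformed services JSON is indistinguishable from a partition with no regions and the caller proceeds with an empty region set; re-raising, or returning `None` so callers can tell failure apart, would be safer for an audit tool. The annotation should be `set[str]` to match the `set[str]` used elsewhere in this file. The function starts outside the hunk.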
|
||||
@@ -858,7 +881,7 @@ def validate_aws_credentials(
|
||||
return AWSCallerIdentity(
|
||||
user_id=caller_identity.get("UserId"),
|
||||
account=caller_identity.get("Account"),
|
||||
arn=caller_identity.get("Arn"),
|
||||
arn=ARN(caller_identity.get("Arn")),
|
||||
region=aws_region,
|
||||
)
|
||||
except Exception as error:
|
||||
@@ -890,6 +913,26 @@ def get_aws_region_for_sts(session_region: str, input_regions: set[str]) -> str:
|
||||
def create_sts_session(
|
||||
session: session.Session, aws_region: str
|
||||
) -> session.Session.client:
|
||||
return session.client(
|
||||
"sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
|
||||
)
|
||||
"""
|
||||
Create an STS session client.
|
||||
|
||||
Parameters:
|
||||
- session (session.Session): The AWS session object.
|
||||
- aws_region (str): The AWS region to use for the session.
|
||||
|
||||
Returns:
|
||||
- session.Session.client: The STS session client.
|
||||
|
||||
Example:
|
||||
session = boto3.session.Session()
|
||||
sts_client = create_sts_session(session, 'us-west-2')
|
||||
"""
|
||||
try:
|
||||
return session.client(
|
||||
"sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
|
||||
)
|
||||
except Exception as error:
|
||||
logger.critical(
|
||||
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
sys.exit(1)
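Review bot: The explicit `endpoint_url=f"https://sts.{aws_region}.amazonaws.com"` hard-codes the commercial DNS suffix, so for a China partition region (`cn-north-1`, `cn-northwest-1`) the client is pointed at a hostname that does not serve that partition, and the new `except` turns the failure into `sys.exit(1)` with a generic message. Either derive the suffix from the region, e.g. `suffix = "amazonaws.com.cn" if aws_region.startswith("cn-") else "amazonaws.com"`, or drop `endpoint_url` and let botocore resolve the regional STS endpoint. A `sys.exit(1)` inside a helper also stops callers and tests from handling the error; raising and letting `__main__` decide would be the usual split.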
|
||||
|
||||
@@ -200,7 +200,7 @@ def validate_role_session_name(session_name):
|
||||
validates that the role session name is valid
|
||||
Documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
|
||||
"""
|
||||
if fullmatch("[\w+=,.@-]{2,64}", session_name):
|
||||
if fullmatch(r"[\w+=,.@-]{2,64}", session_name):
|
||||
return session_name
|
||||
else:
|
||||
raise ArgumentTypeError(
|
||||
|
||||
@@ -19,6 +19,7 @@ def arn_type(arn: str) -> bool:
|
||||
return arn
|
||||
|
||||
|
||||
# TODO: review this function just to parse the ARN not to re-instantiate it
|
||||
def parse_iam_credentials_arn(arn: str) -> ARN:
|
||||
arn_parsed = ARN(arn)
|
||||
# First check if region is empty (in IAM ARN's region is always empty)
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
import csv
|
||||
import json
|
||||
from copy import deepcopy
|
||||
from typing import Any
|
||||
|
||||
from alive_progress import alive_bar
|
||||
from botocore.client import ClientError
|
||||
@@ -18,33 +19,32 @@ from prowler.providers.aws.lib.arn.models import get_arn_resource_type
|
||||
from prowler.providers.aws.lib.s3.s3 import send_to_s3_bucket
|
||||
|
||||
|
||||
# TODO(Audit_Info): use provider here
|
||||
def quick_inventory(audit_info: AWS_Audit_Info, args):
|
||||
def quick_inventory(provider: Any, args):
|
||||
resources = []
|
||||
global_resources = []
|
||||
total_resources_per_region = {}
|
||||
iam_was_scanned = False
|
||||
# If not inputed regions, check all of them
|
||||
if not audit_info.audited_regions:
|
||||
if not provider.audited_regions:
|
||||
# EC2 client for describing all regions
|
||||
ec2_client = audit_info.audit_session.client(
|
||||
"ec2", region_name=audit_info.profile_region
|
||||
ec2_client = provider.audit_session.client(
|
||||
"ec2", region_name=provider.profile_region
|
||||
)
|
||||
# Get all the available regions
|
||||
audit_info.audited_regions = [
|
||||
provider.audited_regions = [
|
||||
region["RegionName"] for region in ec2_client.describe_regions()["Regions"]
|
||||
]
|
||||
|
||||
with alive_bar(
|
||||
total=len(audit_info.audited_regions),
|
||||
total=len(provider.audited_regions),
|
||||
ctrl_c=False,
|
||||
bar="blocks",
|
||||
spinner="classic",
|
||||
stats=False,
|
||||
enrich_print=False,
|
||||
) as bar:
|
||||
for region in sorted(audit_info.audited_regions):
|
||||
bar.title = f"Inventorying AWS Account {orange_color}{audit_info.audited_account}{Style.RESET_ALL}"
|
||||
for region in sorted(provider.audited_regions):
|
||||
bar.title = f"Inventorying AWS Account {orange_color}{provider.audited_account}{Style.RESET_ALL}"
|
||||
resources_in_region = []
|
||||
# {
|
||||
# eu-west-1: 100,...
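Review bot: `quick_inventory` now takes a `provider` but still reads `provider.audited_regions`, `provider.audit_session`, `provider.profile_region` and `provider.audited_account`, which are the old `AWS_Audit_Info` field names; elsewhere in this commit the same data is reached as `provider.identity.audited_regions`, `provider.session.current_session`, `provider.identity.profile_region` and `provider.identity.account`, so unless `AwsProvider` provides aliases for the old names this path fails with `AttributeError` on first use. The later hunks of this file (`audited_partition`, `original_session`) carry the same mechanical rename. Typing the parameter as `Any` hides that; `provider: AwsProvider` would let a type checker catch it. `provider.audited_regions = [...]` also mutates the shared provider object as a side effect.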
|
||||
@@ -53,13 +53,13 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
|
||||
try:
|
||||
# Scan IAM only once
|
||||
if not iam_was_scanned:
|
||||
global_resources.extend(get_iam_resources(audit_info.audit_session))
|
||||
global_resources.extend(get_iam_resources(provider.audit_session))
|
||||
iam_was_scanned = True
|
||||
|
||||
# Get regional S3 buckets since none-tagged buckets are not supported by the resourcegroupstaggingapi
|
||||
resources_in_region.extend(get_regional_buckets(audit_info, region))
|
||||
resources_in_region.extend(get_regional_buckets(provider, region))
|
||||
|
||||
client = audit_info.audit_session.client(
|
||||
client = provider.audit_session.client(
|
||||
"resourcegroupstaggingapi", region_name=region
|
||||
)
|
||||
# Get all the resources
|
||||
@@ -109,7 +109,7 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
|
||||
inventory_table = create_inventory_table(resources, total_resources_per_region)
|
||||
|
||||
print(
|
||||
f"\nQuick Inventory of AWS Account {Fore.YELLOW}{audit_info.audited_account}{Style.RESET_ALL}:"
|
||||
f"\nQuick Inventory of AWS Account {Fore.YELLOW}{provider.audited_account}{Style.RESET_ALL}:"
|
||||
)
|
||||
|
||||
print(
|
||||
@@ -119,7 +119,7 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
|
||||
)
|
||||
print(f"\nTotal resources found: {Fore.GREEN}{len(resources)}{Style.RESET_ALL}")
|
||||
|
||||
create_output(resources, audit_info, args)
|
||||
create_output(resources, provider, args)
|
||||
|
||||
|
||||
def create_inventory_table(resources: list, resources_in_region: dict) -> dict:
|
||||
@@ -209,20 +209,19 @@ def create_inventory_table(resources: list, resources_in_region: dict) -> dict:
|
||||
return inventory_table
|
||||
|
||||
|
||||
# TODO(Audit_Info): use provider here
|
||||
def create_output(resources: list, audit_info: AWS_Audit_Info, args):
|
||||
def create_output(resources: list, provider: Any, args):
|
||||
json_output = []
|
||||
# Check if custom output filename was input, if not, set the default
|
||||
if not hasattr(args, "output_filename") or args.output_filename is None:
|
||||
output_file = (
|
||||
f"prowler-inventory-{audit_info.audited_account}-{output_file_timestamp}"
|
||||
f"prowler-inventory-{provider.audited_account}-{output_file_timestamp}"
|
||||
)
|
||||
else:
|
||||
output_file = args.output_filename
|
||||
|
||||
for item in sorted(resources, key=lambda d: d["arn"]):
|
||||
resource = {}
|
||||
resource["AWS_AccountID"] = audit_info.audited_account
|
||||
resource["AWS_AccountID"] = provider.audited_account
|
||||
resource["AWS_Region"] = item["arn"].split(":")[3]
|
||||
resource["AWS_Partition"] = item["arn"].split(":")[1]
|
||||
resource["AWS_Service"] = item["arn"].split(":")[2]
|
||||
@@ -289,11 +288,11 @@ def create_output(resources: list, audit_info: AWS_Audit_Info, args):
|
||||
# Check if -B was input
|
||||
if args.output_bucket:
|
||||
output_bucket = args.output_bucket
|
||||
bucket_session = audit_info.audit_session
|
||||
bucket_session = provider.audit_session
|
||||
# Check if -D was input
|
||||
elif args.output_bucket_no_assume:
|
||||
output_bucket = args.output_bucket_no_assume
|
||||
bucket_session = audit_info.original_session
|
||||
bucket_session = provider.original_session
|
||||
send_to_s3_bucket(
|
||||
output_file,
|
||||
args.output_directory,
|
||||
@@ -303,10 +302,9 @@ def create_output(resources: list, audit_info: AWS_Audit_Info, args):
|
||||
)
|
||||
|
||||
|
||||
# TODO(Audit_Info): use provider here
|
||||
def get_regional_buckets(audit_info: AWS_Audit_Info, region: str) -> list:
|
||||
def get_regional_buckets(provider: Any, region: str) -> list:
|
||||
regional_buckets = []
|
||||
s3_client = audit_info.audit_session.client("s3", region_name=region)
|
||||
s3_client = provider.audit_session.client("s3", region_name=region)
|
||||
try:
|
||||
buckets = s3_client.list_buckets()
|
||||
for bucket in buckets["Buckets"]:
|
||||
@@ -329,7 +327,7 @@ def get_regional_buckets(audit_info: AWS_Audit_Info, region: str) -> list:
|
||||
f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
|
||||
)
|
||||
bucket_arn = (
|
||||
f"arn:{audit_info.audited_partition}:s3:{region}::{bucket['Name']}"
|
||||
f"arn:{provider.audited_partition}:s3:{region}::{bucket['Name']}"
|
||||
)
|
||||
regional_buckets.append({"arn": bucket_arn, "tags": bucket_tags})
|
||||
except Exception as error:
|
||||
|
||||
@@ -4,7 +4,6 @@ from botocore.client import ClientError
|
||||
from prowler.config.config import timestamp_utc
|
||||
from prowler.lib.logger import logger
|
||||
from prowler.lib.outputs.json_asff.json_asff import fill_json_asff
|
||||
from prowler.lib.outputs.json_asff.models import Check_Output_JSON_ASFF
|
||||
|
||||
SECURITY_HUB_INTEGRATION_NAME = "prowler/prowler"
|
||||
SECURITY_HUB_MAX_BATCH = 100
|
||||
@@ -29,10 +28,8 @@ def prepare_security_hub_findings(
|
||||
continue
|
||||
|
||||
# Handle status filters, if any
|
||||
if (
|
||||
not output_options.status
|
||||
or finding.status in output_options.status
|
||||
or output_options.send_sh_only_fails
|
||||
if (finding.status != "FAIL" and output_options.send_sh_only_fails) or (
|
||||
output_options.status and finding.status not in output_options.status
|
||||
):
|
||||
continue
|
||||
|
||||
@@ -40,9 +37,7 @@ def prepare_security_hub_findings(
|
||||
region = finding.region
|
||||
|
||||
# Format the finding in the JSON ASFF format
|
||||
finding_json_asff = fill_json_asff(
|
||||
Check_Output_JSON_ASFF(), provider, finding, output_options
|
||||
)
|
||||
finding_json_asff = fill_json_asff(provider, finding)
|
||||
|
||||
# Include that finding within their region in the JSON format
|
||||
security_hub_findings_per_region[region].append(
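Review bot: The rewritten skip condition `if (finding.status != "FAIL" and output_options.send_sh_only_fails) or (output_options.status and finding.status not in output_options.status):` folds two unrelated filters into one expression with no comment, and it now depends on `output_options.status` being a list of status strings (this commit changes `ProviderOutputOptions.status` from `bool` to `list[str]` in another file), which a reader of the old annotation would misread. Add a comment above it such as `# Drop findings outside --status (when given); with --send-sh-only-fails also drop anything that is not a FAIL`, or move the predicate into a small helper `_is_filtered_out(finding, output_options) -> bool` carrying that docstring. The comparison against the literal "FAIL" is case-sensitive; if `finding.status` is always upper-case that is fine, but it is worth confirming, since a mismatch would silently drop every finding from the Security Hub upload rather than fail loudly. `prepare_security_hub_findings` starts and ends outside this section.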
|
||||
|
||||
@@ -70,7 +70,7 @@ class AWSSession:
|
||||
class AWSCallerIdentity:
|
||||
user_id: str
|
||||
account: str
|
||||
arn: str
|
||||
arn: ARN
|
||||
region: str
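Review bot: `arn: ARN` changes the declared type of `AWSCallerIdentity.arn` from a plain string to a parsed object, but this hunk shows neither where `ARN` is imported nor the site that constructs `AWSCallerIdentity`, so it is not visible whether the assigned value is now wrapped in `ARN(...)`. If this is a pydantic model, presumably passing the raw `Arn` string returned by STS will be rejected at validation time; if it is a plain dataclass, the annotation is unenforced and any f-string or `split(":")` applied to `.arn` downstream will receive an object where it expects the string. Confirm the constructor call, and document the intent on the field, e.g. `arn: ARN  # parsed caller ARN, not the raw string from STS`.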
|
||||
|
||||
|
||||
|
||||
@@ -138,6 +138,7 @@ class AzureProvider(Provider):
|
||||
self._mutelist = mutelist
|
||||
|
||||
# TODO: this should be moved to the argparse, if not we need to enforce it from the Provider
|
||||
# previously was using the AzureException
|
||||
def validate_arguments(
|
||||
self, az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth, tenant_id
|
||||
):
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
from prowler.providers.azure.lib.audit_info.models import (
|
||||
Azure_Audit_Info,
|
||||
AzureIdentityInfo,
|
||||
AzureRegionConfig,
|
||||
)
|
||||
|
||||
azure_audit_info = Azure_Audit_Info(
|
||||
credentials=None,
|
||||
identity=AzureIdentityInfo(),
|
||||
audit_resources=None,
|
||||
audit_metadata=None,
|
||||
audit_config=None,
|
||||
azure_region_config=AzureRegionConfig(),
|
||||
locations=None,
|
||||
)
|
||||
@@ -1,49 +0,0 @@
|
||||
from dataclasses import dataclass
|
||||
from typing import Any, Optional
|
||||
|
||||
from azure.identity import DefaultAzureCredential
|
||||
from pydantic import BaseModel
|
||||
|
||||
|
||||
class AzureIdentityInfo(BaseModel):
|
||||
identity_id: str = ""
|
||||
identity_type: str = ""
|
||||
tenant_ids: list[str] = []
|
||||
domain: str = "Unknown tenant domain (missing AAD permissions)"
|
||||
subscriptions: dict = {}
|
||||
|
||||
|
||||
class AzureRegionConfig(BaseModel):
|
||||
name: str = ""
|
||||
authority: str = None
|
||||
base_url: str = ""
|
||||
credential_scopes: list = []
|
||||
|
||||
|
||||
@dataclass
|
||||
class Azure_Audit_Info:
|
||||
credentials: DefaultAzureCredential
|
||||
identity: AzureIdentityInfo
|
||||
audit_resources: Optional[Any]
|
||||
audit_metadata: Optional[Any]
|
||||
audit_config: dict
|
||||
azure_region_config: AzureRegionConfig
|
||||
locations: list[str]
|
||||
|
||||
def __init__(
|
||||
self,
|
||||
credentials,
|
||||
identity,
|
||||
audit_metadata,
|
||||
audit_resources,
|
||||
audit_config,
|
||||
azure_region_config,
|
||||
locations,
|
||||
):
|
||||
self.credentials = credentials
|
||||
self.identity = identity
|
||||
self.audit_metadata = audit_metadata
|
||||
self.audit_resources = audit_resources
|
||||
self.audit_config = audit_config
|
||||
self.azure_region_config = azure_region_config
|
||||
self.locations = locations
|
||||
@@ -32,13 +32,6 @@ class AzureOutputOptions(ProviderOutputOptions):
|
||||
# First call Provider_Output_Options init
|
||||
super().__init__(arguments, bulk_checks_metadata)
|
||||
|
||||
# Confire Shodan API
|
||||
# TODO: review shodan for the new AWS provider
|
||||
# if arguments.shodan:
|
||||
# audit_info = change_config_var(
|
||||
# "shodan_api_key", arguments.shodan, audit_info
|
||||
# )
|
||||
|
||||
# Check if custom output filename was input, if not, set the default
|
||||
if (
|
||||
not hasattr(arguments, "output_filename")
|
||||
|
||||
@@ -17,7 +17,7 @@ class Audit_Metadata(BaseModel):
|
||||
|
||||
|
||||
class ProviderOutputOptions:
|
||||
status: bool
|
||||
status: list[str]
|
||||
output_modes: list
|
||||
output_directory: str
|
||||
bulk_checks_metadata: dict
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
from abc import ABC, abstractmethod
|
||||
from typing import Any
|
||||
|
||||
# TODO: with this we can enforce that all classes ending with "Provider" needs to inherint from the Provider class
|
||||
# class ProviderMeta:
|
||||
@@ -14,91 +15,131 @@ from abc import ABC, abstractmethod
|
||||
|
||||
# TODO: enforce audit_metadata for all the providers
|
||||
class Provider(ABC):
|
||||
"""
|
||||
The Provider class is an abstract base class that defines the interface for all provider classes in the auditing system.
|
||||
|
||||
Attributes:
|
||||
type (property): The type of the provider.
|
||||
identity (property): The identity of the provider for auditing.
|
||||
session (property): The session of the provider for auditing.
|
||||
audit_config (property): The audit configuration of the provider.
|
||||
output_options (property): The output configuration of the provider for auditing.
|
||||
|
||||
Methods:
|
||||
print_credentials(): Displays the provider's credentials used for auditing in the command-line interface.
|
||||
setup_session(): Sets up the session for the provider.
|
||||
get_output_mapping(): Returns the output mapping between the provider and the generic model.
|
||||
validate_arguments(): Validates the arguments for the provider.
|
||||
get_checks_to_execute_by_audit_resources(): Returns a set of checks based on the input resources to scan.
|
||||
|
||||
Note:
|
||||
This is an abstract base class and should not be instantiated directly. Each provider should implement its own
|
||||
version of the Provider class by inheriting from this base class and implementing the required methods and properties.
|
||||
"""
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def type(self):
|
||||
def type(self) -> str:
|
||||
"""
|
||||
type method stores the provider's type.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def identity(self):
|
||||
def identity(self) -> str:
|
||||
"""
|
||||
identity method stores the provider's identity to audit.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@abstractmethod
|
||||
def setup_session(self) -> Any:
|
||||
"""
|
||||
setup_session sets up the session for the provider.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def session(self):
|
||||
def session(self) -> str:
|
||||
"""
|
||||
session method stores the provider's session to audit.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def audit_config(self):
|
||||
def audit_config(self) -> str:
|
||||
"""
|
||||
audit_config method stores the provider's audit configuration.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@abstractmethod
|
||||
def print_credentials(self):
|
||||
def print_credentials(self) -> None:
|
||||
"""
|
||||
print_credentials is used to display in the CLI the provider's credentials used to audit.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
|
||||
@abstractmethod
|
||||
def setup_session(self):
|
||||
pass
|
||||
raise NotImplementedError()
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
def output_options(self):
|
||||
def output_options(self) -> str:
|
||||
"""
|
||||
output_options method returns the provider's audit output configuration.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@output_options.setter
|
||||
@abstractmethod
|
||||
def output_options(self):
|
||||
def output_options(self, value: str) -> Any:
|
||||
"""
|
||||
output_options.setter sets the provider's audit output configuration.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@abstractmethod
|
||||
def get_output_mapping(self):
|
||||
def get_output_mapping(self) -> dict:
|
||||
"""
|
||||
get_output_mapping return the CSV output mapping between the provider and the generic model.
|
||||
get_output_mapping returns the output mapping between the provider and the generic model.
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
# TODO: probably this won't be here since we want to do the arguments validation during the parse()
|
||||
def validate_arguments(self):
|
||||
pass
|
||||
def validate_arguments(self) -> None:
|
||||
"""
|
||||
validate_arguments validates the arguments for the provider.
|
||||
|
||||
def get_checks_to_execute_by_audit_resources(self):
|
||||
This method can be overridden in each provider if needed.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
def get_checks_to_execute_by_audit_resources(self) -> set:
|
||||
"""
|
||||
get_checks_to_execute_by_audit_resources returns a set of checks based on the input resources to scan.
|
||||
|
||||
This is a fallback that returns None if the service has not implemented this function.
|
||||
"""
|
||||
return set()
|
||||
|
||||
@property
|
||||
@abstractmethod
|
||||
@@ -108,6 +149,7 @@ class Provider(ABC):
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
|
||||
|
||||
@mutelist.setter
|
||||
@abstractmethod
|
||||
@@ -117,3 +159,4 @@ class Provider(ABC):
|
||||
|
||||
This method needs to be created in each provider.
|
||||
"""
|
||||
raise NotImplementedError()
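Review bot: `validate_arguments` is a concrete (non-abstract) method whose body changes from `pass` to `raise NotImplementedError()` while its new docstring says it "can be overridden in each provider if needed" — the two contradict each other: a provider that does not override it will now crash on a generic `provider.validate_arguments()` call, and the override that does exist, `AzureProvider.validate_arguments(self, az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth, tenant_id)` elsewhere in this commit, has a different signature and so cannot be called through the base interface anyway. Either keep the base as a no-op (`return None`, matching the docstring) or mark it `@abstractmethod` and align the subclass signatures. The new return annotations `-> str` on `identity`, `session`, `audit_config` and `output_options` are wrong by the properties' own docstrings (a session, an audit configuration and output options are not strings) and the setter's `-> Any` should be `-> None`; use `-> Any`, which this section already imports, or the concrete types. The `get_checks_to_execute_by_audit_resources` docstring says it "returns None if the service has not implemented this function" but the body returns `set()`; change the sentence to "returns an empty set when the provider does not implement resource-based filtering", which is also what the `if checks_from_resources:` caller relies on.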
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
|
||||
|
||||
gcp_audit_info = GCP_Audit_Info(
|
||||
credentials=None,
|
||||
default_project_id=None,
|
||||
project_ids=[],
|
||||
audit_resources=None,
|
||||
audit_metadata=None,
|
||||
audit_config=None,
|
||||
)
|
||||
@@ -1,30 +0,0 @@
|
||||
from dataclasses import dataclass
|
||||
from typing import Any, Optional
|
||||
|
||||
from google.oauth2.credentials import Credentials
|
||||
|
||||
|
||||
@dataclass
|
||||
class GCP_Audit_Info:
|
||||
credentials: Credentials
|
||||
default_project_id: str
|
||||
project_ids: list
|
||||
audit_resources: Optional[Any]
|
||||
audit_metadata: Optional[Any]
|
||||
audit_config: Optional[dict]
|
||||
|
||||
def __init__(
|
||||
self,
|
||||
credentials,
|
||||
default_project_id,
|
||||
project_ids,
|
||||
audit_metadata,
|
||||
audit_resources,
|
||||
audit_config,
|
||||
):
|
||||
self.credentials = credentials
|
||||
self.default_project_id = default_project_id
|
||||
self.project_ids = project_ids
|
||||
self.audit_metadata = audit_metadata
|
||||
self.audit_resources = audit_resources
|
||||
self.audit_config = audit_config
|
||||
@@ -225,7 +225,7 @@ class KubernetesProvider(Provider):
|
||||
)
|
||||
sys.exit(1)
|
||||
|
||||
def get_all_namespaces(self):
|
||||
def get_all_namespaces(self) -> list[str]:
|
||||
"""
|
||||
Retrieves all namespaces.
|
||||
Returns:
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
from prowler.providers.kubernetes.lib.audit_info.models import Kubernetes_Audit_Info
|
||||
|
||||
kubernetes_audit_info = Kubernetes_Audit_Info(
|
||||
api_client=None,
|
||||
context=None,
|
||||
audit_resources=None,
|
||||
audit_metadata=None,
|
||||
audit_config=None,
|
||||
)
|
||||
@@ -1,27 +0,0 @@
|
||||
from dataclasses import dataclass
|
||||
from typing import Any, Optional
|
||||
|
||||
from kubernetes import client
|
||||
|
||||
|
||||
@dataclass
|
||||
class Kubernetes_Audit_Info:
|
||||
api_client: client.ApiClient
|
||||
context: Optional[str]
|
||||
audit_resources: Optional[Any]
|
||||
audit_metadata: Optional[Any]
|
||||
audit_config: Optional[dict]
|
||||
|
||||
def __init__(
|
||||
self,
|
||||
api_client,
|
||||
context,
|
||||
audit_metadata,
|
||||
audit_resources,
|
||||
audit_config,
|
||||
):
|
||||
self.api_client = api_client
|
||||
self.context = context
|
||||
self.audit_metadata = audit_metadata
|
||||
self.audit_resources = audit_resources
|
||||
self.audit_config = audit_config
|
||||
+28
-51
@@ -2,16 +2,17 @@ import os
|
||||
import pathlib
|
||||
from unittest import mock
|
||||
|
||||
import pytest
|
||||
from requests import Response
|
||||
|
||||
from prowler.config.config import (
|
||||
change_config_var,
|
||||
check_current_version,
|
||||
get_available_compliance_frameworks,
|
||||
load_and_validate_config_file,
|
||||
update_provider_config,
|
||||
)
|
||||
from prowler.providers.aws.aws_provider import get_aws_available_regions
|
||||
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
|
||||
from tests.providers.aws.utils import set_mocked_aws_provider
|
||||
|
||||
MOCK_PROWLER_VERSION = "3.3.0"
|
||||
MOCK_OLD_PROWLER_VERSION = "0.0.0"
|
||||
@@ -78,61 +79,30 @@ class Test_Config:
|
||||
== f"Prowler {MOCK_OLD_PROWLER_VERSION} (latest is {MOCK_PROWLER_VERSION}, upgrade for the latest features)"
|
||||
)
|
||||
|
||||
def test_change_config_var_aws(self):
|
||||
audit_info = AWS_Audit_Info(
|
||||
session_config=None,
|
||||
original_session=None,
|
||||
audit_session=None,
|
||||
audited_account=None,
|
||||
audited_account_arn=None,
|
||||
audited_user_id=None,
|
||||
audited_partition="aws",
|
||||
audited_identity_arn=None,
|
||||
profile=None,
|
||||
profile_region=None,
|
||||
credentials=None,
|
||||
assumed_role_info=None,
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
audit_metadata=None,
|
||||
audit_config={"shodan_api_key": ""},
|
||||
def test_update_provider_config_aws(self):
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audit_config={"shodan_api_key": "DEFAULT-KEY"}
|
||||
)
|
||||
|
||||
updated_audit_info = change_config_var("shodan_api_key", "XXXXXX", audit_info)
|
||||
assert audit_info == updated_audit_info
|
||||
assert audit_info.audit_config.get(
|
||||
"shodan_api_key"
|
||||
) == updated_audit_info.audit_config.get("shodan_api_key")
|
||||
with mock.patch(
|
||||
"prowler.config.config.get_global_provider",
|
||||
return_value=aws_provider,
|
||||
):
|
||||
update_provider_config("shodan_api_key", "TEST-API-KEY")
|
||||
assert aws_provider.audit_config.get("shodan_api_key") == "TEST-API-KEY"
|
||||
|
||||
def test_change_config_var_aws_not_present(self):
|
||||
audit_info = AWS_Audit_Info(
|
||||
session_config=None,
|
||||
original_session=None,
|
||||
audit_session=None,
|
||||
audited_account=None,
|
||||
audited_account_arn=None,
|
||||
audited_user_id=None,
|
||||
audited_partition="aws",
|
||||
audited_identity_arn=None,
|
||||
profile=None,
|
||||
profile_region=None,
|
||||
credentials=None,
|
||||
assumed_role_info=None,
|
||||
audited_regions=["us-east-1", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
audit_metadata=None,
|
||||
audit_config={},
|
||||
def test_update_provider_config_aws_not_present(self):
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audit_config={"shodan_api_key": "DEFAULT-KEY"}
|
||||
)
|
||||
|
||||
updated_audit_info = change_config_var("not_found", "no_value", audit_info)
|
||||
assert audit_info == updated_audit_info
|
||||
assert updated_audit_info.audit_config.get("not_found") is None
|
||||
with mock.patch(
|
||||
"prowler.config.config.get_global_provider",
|
||||
return_value=aws_provider,
|
||||
):
|
||||
|
||||
# Test load_and_validate_config_file
|
||||
update_provider_config("not_found", "no_value")
|
||||
assert aws_provider.audit_config.get("not_found") is None
|
||||
|
||||
def test_get_available_compliance_frameworks(self):
|
||||
compliance_frameworks = [
|
||||
@@ -202,3 +172,10 @@ class Test_Config:
|
||||
assert load_and_validate_config_file("aws", config_test_file) == config_aws
|
||||
assert load_and_validate_config_file("gcp", config_test_file) == {}
|
||||
assert load_and_validate_config_file("azure", config_test_file) == {}
|
||||
|
||||
def test_load_and_validate_config_file_invalid_config_file_path(self):
|
||||
provider = "aws"
|
||||
config_file_path = "invalid/path/to/config.yaml"
|
||||
|
||||
with pytest.raises(SystemExit):
|
||||
load_and_validate_config_file(provider, config_file_path)
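Review bot: `test_update_provider_config_aws_not_present` only checks that the unknown key was not added; it never verifies that `update_provider_config` left the existing configuration untouched, so a regression that cleared or replaced `audit_config` would still pass — add `assert aws_provider.audit_config == {"shodan_api_key": "DEFAULT-KEY"}` after the call. Both new tests patch `prowler.config.config.get_global_provider`, which only takes effect if `update_provider_config` looks that name up at call time rather than binding the provider at import; the function body is outside this diff, so confirm. The new invalid-path test could also pin the exit status (`with pytest.raises(SystemExit) as exc_info:` then `assert exc_info.value.code == 1`, if that is the code the function exits with) so a silent change of the failure mode is caught.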
|
||||
|
||||
+11
-329
@@ -1,5 +1,6 @@
|
||||
import os
|
||||
import pathlib
|
||||
from argparse import Namespace
|
||||
from importlib.machinery import FileFinder
|
||||
from pkgutil import ModuleInfo
|
||||
|
||||
@@ -23,14 +24,11 @@ from prowler.lib.check.check import (
|
||||
update_audit_metadata,
|
||||
)
|
||||
from prowler.lib.check.models import load_check_metadata
|
||||
from prowler.providers.aws.aws_provider import (
|
||||
get_checks_from_input_arn,
|
||||
get_regions_from_audit_resources,
|
||||
)
|
||||
from tests.providers.aws.utils import set_mocked_aws_audit_info
|
||||
from prowler.providers.aws.aws_provider import AwsProvider
|
||||
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
|
||||
|
||||
AWS_ACCOUNT_NUMBER = "123456789012"
|
||||
AWS_REGION = "us-east-1"
|
||||
# AWS_ACCOUNT_NUMBER = "123456789012"
|
||||
# AWS_REGION = "us-east-1"
|
||||
|
||||
expected_packages = [
|
||||
ModuleInfo(
|
||||
@@ -390,147 +388,7 @@ def mock_recover_checks_from_aws_provider(*_):
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_lambda_service(*_):
|
||||
return [
|
||||
(
|
||||
"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
|
||||
"/root_dir/fake_path/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
|
||||
),
|
||||
(
|
||||
"awslambda_function_url_cors_policy",
|
||||
"/root_dir/fake_path/awslambda/awslambda_function_url_cors_policy",
|
||||
),
|
||||
(
|
||||
"awslambda_function_no_secrets_in_code",
|
||||
"/root_dir/fake_path/awslambda/awslambda_function_no_secrets_in_code",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_elb_service(*_):
|
||||
return [
|
||||
(
|
||||
"elb_insecure_ssl_ciphers",
|
||||
"/root_dir/fake_path/elb/elb_insecure_ssl_ciphers",
|
||||
),
|
||||
(
|
||||
"elb_internet_facing",
|
||||
"/root_dir/fake_path/elb/elb_internet_facing",
|
||||
),
|
||||
(
|
||||
"elb_logging_enabled",
|
||||
"/root_dir/fake_path/elb/elb_logging_enabled",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_efs_service(*_):
|
||||
return [
|
||||
(
|
||||
"efs_encryption_at_rest_enabled",
|
||||
"/root_dir/fake_path/efs/efs_encryption_at_rest_enabled",
|
||||
),
|
||||
(
|
||||
"efs_have_backup_enabled",
|
||||
"/root_dir/fake_path/efs/efs_have_backup_enabled",
|
||||
),
|
||||
(
|
||||
"efs_not_publicly_accessible",
|
||||
"/root_dir/fake_path/efs/efs_not_publicly_accessible",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_iam_service(*_):
|
||||
return [
|
||||
(
|
||||
"iam_customer_attached_policy_no_administrative_privileges",
|
||||
"/root_dir/fake_path/iam/iam_customer_attached_policy_no_administrative_privileges",
|
||||
),
|
||||
(
|
||||
"iam_check_saml_providers_sts",
|
||||
"/root_dir/fake_path/iam/iam_check_saml_providers_sts",
|
||||
),
|
||||
(
|
||||
"iam_password_policy_minimum_length_14",
|
||||
"/root_dir/fake_path/iam/iam_password_policy_minimum_length_14",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_s3_service(*_):
|
||||
return [
|
||||
(
|
||||
"s3_account_level_public_access_blocks",
|
||||
"/root_dir/fake_path/s3/s3_account_level_public_access_blocks",
|
||||
),
|
||||
(
|
||||
"s3_bucket_acl_prohibited",
|
||||
"/root_dir/fake_path/s3/s3_bucket_acl_prohibited",
|
||||
),
|
||||
(
|
||||
"s3_bucket_policy_public_write_access",
|
||||
"/root_dir/fake_path/s3/s3_bucket_policy_public_write_access",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_cloudwatch_service(*_):
|
||||
return [
|
||||
(
|
||||
"cloudwatch_changes_to_network_acls_alarm_configured",
|
||||
"/root_dir/fake_path/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured",
|
||||
),
|
||||
(
|
||||
"cloudwatch_changes_to_network_gateways_alarm_configured",
|
||||
"/root_dir/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured",
|
||||
),
|
||||
(
|
||||
"cloudwatch_changes_to_network_route_tables_alarm_configured",
|
||||
"/root_dir/fake_path/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_ec2_service(*_):
|
||||
return [
|
||||
(
|
||||
"ec2_securitygroup_allow_ingress_from_internet_to_any_port",
|
||||
"/root_dir/fake_path/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port",
|
||||
),
|
||||
(
|
||||
"ec2_networkacl_allow_ingress_any_port",
|
||||
"/root_dir/fake_path/ec2/ec2_networkacl_allow_ingress_any_port",
|
||||
),
|
||||
(
|
||||
"ec2_ami_public",
|
||||
"/root_dir/fake_path/ec2/ec2_ami_public",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_rds_service(*_):
|
||||
return [
|
||||
(
|
||||
"rds_instance_backup_enabled",
|
||||
"/root_dir/fake_path/rds/rds_instance_backup_enabled",
|
||||
),
|
||||
(
|
||||
"rds_instance_deletion_protection",
|
||||
"/root_dir/fake_path/rds/rds_instance_deletion_protection",
|
||||
),
|
||||
(
|
||||
"rds_snapshots_public_access",
|
||||
"/root_dir/fake_path/rds/rds_snapshots_public_access",
|
||||
),
|
||||
]
|
||||
|
||||
|
||||
def mock_recover_checks_from_aws_provider_cognito_service(*_):
|
||||
return []
|
||||
|
||||
|
||||
class Test_Check:
|
||||
class TestCheck:
|
||||
def test_load_check_metadata(self):
|
||||
test_cases = [
|
||||
{
|
||||
@@ -574,7 +432,7 @@ class Test_Check:
|
||||
f"{pathlib.Path().absolute()}/tests/lib/check/fixtures/checks_folder"
|
||||
)
|
||||
# Create bucket and upload checks folder
|
||||
s3_client = client("s3", region_name=AWS_REGION)
|
||||
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
|
||||
s3_client.create_bucket(Bucket="test")
|
||||
# Iterate through the files in the folder and upload each one
|
||||
for subdir, _, files in os.walk(test_checks_folder):
|
||||
@@ -601,14 +459,14 @@ class Test_Check:
|
||||
"expected": 3,
|
||||
},
|
||||
]
|
||||
|
||||
arguments = Namespace()
|
||||
aws_provider = AwsProvider(arguments)
|
||||
for test in test_cases:
|
||||
check_folder = test["input"]["path"]
|
||||
provider = test["input"]["provider"]
|
||||
assert (
|
||||
parse_checks_from_folder(
|
||||
set_mocked_aws_audit_info(), check_folder, provider
|
||||
)
|
||||
== test["expected"]
|
||||
parse_checks_from_folder(aws_provider, check_folder) == test["expected"]
|
||||
)
|
||||
remove_custom_checks_module(check_folder, provider)
|
||||
|
||||
@@ -787,182 +645,6 @@ class Test_Check:
|
||||
recovered_checks = recover_checks_from_service(service_list, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_elb_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_elb(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:elasticloadbalancing:us-east-1:{AWS_ACCOUNT_NUMBER}:loadbalancer/test"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"elb_insecure_ssl_ciphers",
|
||||
"elb_internet_facing",
|
||||
"elb_logging_enabled",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_efs_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_efs(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:elasticfilesystem:us-east-1:{AWS_ACCOUNT_NUMBER}:file-system/fs-01234567"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"efs_encryption_at_rest_enabled",
|
||||
"efs_have_backup_enabled",
|
||||
"efs_not_publicly_accessible",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_lambda_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_lambda(self):
|
||||
audit_resources = ["arn:aws:lambda:us-east-1:123456789:function:test-lambda"]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
|
||||
"awslambda_function_no_secrets_in_code",
|
||||
"awslambda_function_url_cors_policy",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_iam_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_iam(self):
|
||||
audit_resources = [f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/user-name"]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"iam_check_saml_providers_sts",
|
||||
"iam_customer_attached_policy_no_administrative_privileges",
|
||||
"iam_password_policy_minimum_length_14",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_s3_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_s3(self):
|
||||
audit_resources = ["arn:aws:s3:::bucket-name"]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"s3_account_level_public_access_blocks",
|
||||
"s3_bucket_acl_prohibited",
|
||||
"s3_bucket_policy_public_write_access",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_cloudwatch_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_cloudwatch(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:logs:us-east-1:{AWS_ACCOUNT_NUMBER}:destination:testDestination"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = [
|
||||
"cloudwatch_changes_to_network_acls_alarm_configured",
|
||||
"cloudwatch_changes_to_network_gateways_alarm_configured",
|
||||
"cloudwatch_changes_to_network_route_tables_alarm_configured",
|
||||
]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_cognito_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_cognito(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:cognito-idp:us-east-1:{AWS_ACCOUNT_NUMBER}:userpool/test"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = []
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_ec2_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_ec2_security_group(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:ec2:us-east-1:{AWS_ACCOUNT_NUMBER}:security-group/sg-1111111111"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = ["ec2_securitygroup_allow_ingress_from_internet_to_any_port"]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_ec2_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_ec2_acl(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:ec2:us-west-2:{AWS_ACCOUNT_NUMBER}:network-acl/acl-1"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = ["ec2_networkacl_allow_ingress_any_port"]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_rds_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_rds_snapshots(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:rds:us-east-2:{AWS_ACCOUNT_NUMBER}:snapshot:rds:snapshot-1"
|
||||
]
|
||||
provider = "aws"
|
||||
expected_checks = ["rds_snapshots_public_access"]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
@patch(
|
||||
"prowler.lib.check.check.recover_checks_from_provider",
|
||||
new=mock_recover_checks_from_aws_provider_ec2_service,
|
||||
)
|
||||
def test_get_checks_from_input_arn_ec2_ami(self):
|
||||
audit_resources = [f"arn:aws:ec2:us-west-2:{AWS_ACCOUNT_NUMBER}:image/ami-1"]
|
||||
provider = "aws"
|
||||
expected_checks = ["ec2_ami_public"]
|
||||
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
|
||||
assert recovered_checks == expected_checks
|
||||
|
||||
def test_get_regions_from_audit_resources_with_regions(self):
|
||||
audit_resources = [
|
||||
f"arn:aws:lambda:us-east-1:{AWS_ACCOUNT_NUMBER}:function:test-lambda",
|
||||
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:policy/test",
|
||||
f"arn:aws:ec2:eu-west-1:{AWS_ACCOUNT_NUMBER}:security-group/sg-test",
|
||||
"arn:aws:s3:::bucket-name",
|
||||
"arn:aws:apigateway:us-east-2::/restapis/api-id/stages/stage-name",
|
||||
]
|
||||
expected_regions = {"us-east-1", "eu-west-1", "us-east-2"}
|
||||
recovered_regions = get_regions_from_audit_resources(audit_resources)
|
||||
assert recovered_regions == expected_regions
|
||||
|
||||
def test_get_regions_from_audit_resources_without_regions(self):
|
||||
audit_resources = ["arn:aws:s3:::bucket-name"]
|
||||
recovered_regions = get_regions_from_audit_resources(audit_resources)
|
||||
assert not recovered_regions
|
||||
|
||||
# def test_parse_checks_from_compliance_framework_two(self):
|
||||
# test_case = {
|
||||
# "input": {"compliance_frameworks": ["cis_v1.4_aws", "ens_v3_aws"]},
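Review bot: `aws_provider = AwsProvider(arguments)` with a bare `Namespace()` builds a real provider inside `test_parse_checks_from_folder`; unless `AwsProvider.__init__` tolerates missing attributes and performs no boto3/STS setup (its body is outside this diff), the test now depends on ambient AWS credentials and environment instead of the mocked provider it replaced — prefer `set_mocked_aws_provider()` from `tests.providers.aws.utils`, which the config tests in this same commit already use. The constants `# AWS_ACCOUNT_NUMBER = "123456789012"` and `# AWS_REGION = "us-east-1"` are commented out rather than deleted; remove them, since `AWS_ACCOUNT_NUMBER` is also exported by `tests.providers.aws.utils`. The `get_checks_from_input_arn` and `get_regions_from_audit_resources` tests removed here covered the ARN-to-check and ARN-to-region mapping that drives `--resource-arn` filtering; if they were not moved alongside the provider, that path loses its coverage, which matters because a wrong mapping silently skips checks instead of failing.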
|
||||
|
||||
@@ -85,7 +85,7 @@ class TestCustomChecksMetadata:
|
||||
def test_parse_custom_checks_metadata_file_for_kubernetes(self):
|
||||
assert parse_custom_checks_metadata_file(
|
||||
KUBERNETES_PROVIDER, CUSTOM_CHECKS_METADATA_FIXTURE_FILE
|
||||
) == {"Checks": {"bigquery_dataset_cmk_encryption": {"Severity": "low"}}}
|
||||
) == {"Checks": {"apiserver_anonymous_requests": {"Severity": "low"}}}
|
||||
|
||||
def test_parse_custom_checks_metadata_file_for_aws_validation_error(self, caplog):
|
||||
caplog.set_level(logging.CRITICAL)
|
||||
|
||||
@@ -79,7 +79,6 @@ class Test_Parser:
|
||||
assert not parsed.output_bucket
|
||||
assert not parsed.output_bucket_no_assume
|
||||
assert not parsed.shodan
|
||||
assert not parsed.mutelist_file
|
||||
assert not parsed.resource_tags
|
||||
assert not parsed.ignore_unused_services
|
||||
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
from datetime import datetime
|
||||
|
||||
from prowler.config.config import prowler_version
|
||||
from prowler.lib.outputs.common_models import FindingOutput
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER
|
||||
|
||||
|
||||
# TODO: customize it per provider
|
||||
def generate_finding_output(status, severity, muted, region) -> FindingOutput:
|
||||
# TODO: Include metadata from a valid file
|
||||
|
||||
return FindingOutput(
|
||||
auth_method="profile: default",
|
||||
timestamp=datetime.now(),
|
||||
account_uid=AWS_ACCOUNT_NUMBER,
|
||||
account_name=AWS_ACCOUNT_NUMBER,
|
||||
account_email="",
|
||||
account_organization_uid="test-organization-id",
|
||||
account_organization_name="test-organization",
|
||||
account_tags="",
|
||||
finding_uid="test-unique-finding",
|
||||
provider="aws",
|
||||
check_id="test-check-id",
|
||||
check_title="test-check-id",
|
||||
check_type="test-type",
|
||||
status=status,
|
||||
status_extended="status extended",
|
||||
muted=muted,
|
||||
service_name="test-service",
|
||||
subservice_name="",
|
||||
severity=severity,
|
||||
resource_type="test-resource",
|
||||
resource_uid="resource-id",
|
||||
resource_name="resource_name",
|
||||
resource_details="resource_details",
|
||||
resource_tags="",
|
||||
partition="aws",
|
||||
region=region,
|
||||
description="check description",
|
||||
risk="",
|
||||
related_url="",
|
||||
remediation_recommendation_text="",
|
||||
remediation_recommendation_url="",
|
||||
remediation_code_nativeiac="",
|
||||
remediation_code_terraform="",
|
||||
remediation_code_cli="",
|
||||
remediation_code_other="",
|
||||
compliance="",
|
||||
categories="",
|
||||
depends_on="",
|
||||
related_to="",
|
||||
notes="",
|
||||
prowler_version=prowler_version,
|
||||
)
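Review bot: `generate_finding_output` at the top of the hunk takes `status, severity, muted, region` with no type hints and no docstring, and the two TODO comments leave the parameter contract unstated; the signature could read `def generate_finding_output(status: str, severity: str, muted: bool, region: str) -> FindingOutput:` with a one-line docstring such as `"""Build a FindingOutput filled with placeholder AWS values for output-format tests."""`. The `timestamp=datetime.now()` argument also produces a naive local-time value; if FindingOutput timestamps are meant to be UTC, as the `timestamp_utc` constant used elsewhere in this commit suggests, `datetime.now(timezone.utc)` (adding `timezone` to the `from datetime import datetime` line) would keep the fixture consistent with the production path.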
|
||||
@@ -0,0 +1,457 @@
|
||||
from os import path
|
||||
|
||||
import mock
|
||||
|
||||
from prowler.config.config import prowler_version, timestamp_utc
|
||||
from prowler.lib.check.models import Check_Report, load_check_metadata
|
||||
from prowler.lib.outputs.json_asff.json_asff import (
|
||||
fill_json_asff,
|
||||
generate_json_asff_resource_tags,
|
||||
generate_json_asff_status,
|
||||
)
|
||||
from prowler.lib.outputs.json_asff.models import (
|
||||
Check_Output_JSON_ASFF,
|
||||
Compliance,
|
||||
ProductFields,
|
||||
Resource,
|
||||
Severity,
|
||||
)
|
||||
from prowler.lib.utils.utils import hash_sha512
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, set_mocked_aws_provider
|
||||
|
||||
METADATA_FIXTURE_PATH = (
|
||||
f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json"
|
||||
)
|
||||
|
||||
|
||||
class TestOutputJSONASFF:
|
||||
def test_fill_json_asff(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
|
||||
finding.resource_details = "Test resource details"
|
||||
finding.resource_id = "test-resource"
|
||||
finding.resource_arn = "test-arn"
|
||||
finding.region = "eu-west-1"
|
||||
finding.status = "PASS"
|
||||
finding.status_extended = "This is a test"
|
||||
|
||||
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
|
||||
expected = Check_Output_JSON_ASFF(
|
||||
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
|
||||
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
|
||||
ProductFields=ProductFields(
|
||||
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
|
||||
),
|
||||
GeneratorId="prowler-" + finding.check_metadata.CheckID,
|
||||
AwsAccountId=AWS_ACCOUNT_NUMBER,
|
||||
Types=finding.check_metadata.CheckType,
|
||||
FirstObservedAt=timestamp,
|
||||
UpdatedAt=timestamp,
|
||||
CreatedAt=timestamp,
|
||||
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
|
||||
Title=finding.check_metadata.CheckTitle,
|
||||
Description=finding.status_extended,
|
||||
Resources=[
|
||||
Resource(
|
||||
Id="test-arn",
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition="aws",
|
||||
Region="eu-west-1",
|
||||
)
|
||||
],
|
||||
Compliance=Compliance(
|
||||
Status="PASS" + "ED",
|
||||
RelatedRequirements=[],
|
||||
AssociatedStandards=[],
|
||||
),
|
||||
Remediation={
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation
|
||||
},
|
||||
)
|
||||
|
||||
assert fill_json_asff(aws_provider, finding) == expected
|
||||
|
||||
def test_fill_json_asff_without_remediation_recommendation_url(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
|
||||
|
||||
# Empty the Remediation.Recomendation.URL
|
||||
finding.check_metadata.Remediation.Recommendation.Url = ""
|
||||
|
||||
finding.resource_details = "Test resource details"
|
||||
finding.resource_id = "test-resource"
|
||||
finding.resource_arn = "test-arn"
|
||||
finding.region = "eu-west-1"
|
||||
finding.status = "PASS"
|
||||
finding.status_extended = "This is a test"
|
||||
|
||||
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
|
||||
expected = Check_Output_JSON_ASFF(
|
||||
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
|
||||
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
|
||||
ProductFields=ProductFields(
|
||||
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
|
||||
),
|
||||
GeneratorId="prowler-" + finding.check_metadata.CheckID,
|
||||
AwsAccountId=AWS_ACCOUNT_NUMBER,
|
||||
Types=finding.check_metadata.CheckType,
|
||||
FirstObservedAt=timestamp,
|
||||
UpdatedAt=timestamp,
|
||||
CreatedAt=timestamp,
|
||||
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
|
||||
Title=finding.check_metadata.CheckTitle,
|
||||
Description=finding.status_extended,
|
||||
Resources=[
|
||||
Resource(
|
||||
Id="test-arn",
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition="aws",
|
||||
Region="eu-west-1",
|
||||
)
|
||||
],
|
||||
Compliance=Compliance(
|
||||
Status="PASS" + "ED",
|
||||
RelatedRequirements=[],
|
||||
AssociatedStandards=[],
|
||||
),
|
||||
Remediation={
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation,
|
||||
# "Code": finding.check_metadata.Remediation.Code,
|
||||
},
|
||||
)
|
||||
|
||||
expected.Remediation["Recommendation"].Text = (
|
||||
finding.check_metadata.Remediation.Recommendation.Text
|
||||
)
|
||||
expected.Remediation["Recommendation"].Url = (
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
|
||||
)
|
||||
|
||||
assert fill_json_asff(aws_provider, finding) == expected
|
||||
|
||||
def test_fill_json_asff_with_long_description(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
|
||||
|
||||
# Empty the Remediation.Recomendation.URL
|
||||
finding.check_metadata.Remediation.Recommendation.Url = ""
|
||||
|
||||
finding.resource_details = "Test resource details"
|
||||
finding.resource_id = "test-resource"
|
||||
finding.resource_arn = "test-arn"
|
||||
finding.region = "eu-west-1"
|
||||
finding.status = "PASS"
|
||||
finding.status_extended = "x" * 2000 # it has to be limited to 1000+...
|
||||
|
||||
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
|
||||
expected = Check_Output_JSON_ASFF(
|
||||
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
|
||||
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
|
||||
ProductFields=ProductFields(
|
||||
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
|
||||
),
|
||||
GeneratorId="prowler-" + finding.check_metadata.CheckID,
|
||||
AwsAccountId=AWS_ACCOUNT_NUMBER,
|
||||
Types=finding.check_metadata.CheckType,
|
||||
FirstObservedAt=timestamp,
|
||||
UpdatedAt=timestamp,
|
||||
CreatedAt=timestamp,
|
||||
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
|
||||
Title=finding.check_metadata.CheckTitle,
|
||||
Description=finding.status_extended[:1000] + "...",
|
||||
Resources=[
|
||||
Resource(
|
||||
Id="test-arn",
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition="aws",
|
||||
Region="eu-west-1",
|
||||
)
|
||||
],
|
||||
Compliance=Compliance(
|
||||
Status="PASS" + "ED",
|
||||
RelatedRequirements=[],
|
||||
AssociatedStandards=[],
|
||||
),
|
||||
Remediation={
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation,
|
||||
# "Code": finding.check_metadata.Remediation.Code,
|
||||
},
|
||||
)
|
||||
|
||||
expected.Remediation["Recommendation"].Text = (
|
||||
finding.check_metadata.Remediation.Recommendation.Text
|
||||
)
|
||||
expected.Remediation["Recommendation"].Url = (
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
|
||||
)
|
||||
|
||||
assert fill_json_asff(aws_provider, finding) == expected
|
||||
|
||||
def test_fill_json_asff_with_long_associated_standards(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
with mock.patch(
|
||||
"prowler.lib.outputs.json_asff.json_asff.get_check_compliance",
|
||||
return_value={
|
||||
"CISA": ["your-systems-3", "your-data-2"],
|
||||
"SOC2": ["cc_2_1", "cc_7_2", "cc_a_1_2"],
|
||||
"CIS-1.4": ["3.1"],
|
||||
"CIS-1.5": ["3.1"],
|
||||
"GDPR": ["article_25", "article_30"],
|
||||
"AWS-Foundational-Security-Best-Practices": ["cloudtrail"],
|
||||
"HIPAA": [
|
||||
"164_308_a_1_ii_d",
|
||||
"164_308_a_3_ii_a",
|
||||
"164_308_a_6_ii",
|
||||
"164_312_b",
|
||||
"164_312_e_2_i",
|
||||
],
|
||||
"ISO27001": ["A.12.4"],
|
||||
"GxP-21-CFR-Part-11": ["11.10-e", "11.10-k", "11.300-d"],
|
||||
"AWS-Well-Architected-Framework-Security-Pillar": [
|
||||
"SEC04-BP02",
|
||||
"SEC04-BP03",
|
||||
],
|
||||
"GxP-EU-Annex-11": [
|
||||
"1-risk-management",
|
||||
"4.2-validation-documentation-change-control",
|
||||
],
|
||||
"NIST-800-171-Revision-2": [
|
||||
"3_1_12",
|
||||
"3_3_1",
|
||||
"3_3_2",
|
||||
"3_3_3",
|
||||
"3_4_1",
|
||||
"3_6_1",
|
||||
"3_6_2",
|
||||
"3_13_1",
|
||||
"3_13_2",
|
||||
"3_14_6",
|
||||
"3_14_7",
|
||||
],
|
||||
"NIST-800-53-Revision-4": [
|
||||
"ac_2_4",
|
||||
"ac_2",
|
||||
"au_2",
|
||||
"au_3",
|
||||
"au_12",
|
||||
"cm_2",
|
||||
],
|
||||
"NIST-800-53-Revision-5": [
|
||||
"ac_2_4",
|
||||
"ac_3_1",
|
||||
"ac_3_10",
|
||||
"ac_4_26",
|
||||
"ac_6_9",
|
||||
"au_2_b",
|
||||
"au_3_1",
|
||||
"au_3_a",
|
||||
"au_3_b",
|
||||
"au_3_c",
|
||||
"au_3_d",
|
||||
"au_3_e",
|
||||
"au_3_f",
|
||||
"au_6_3",
|
||||
"au_6_4",
|
||||
"au_6_6",
|
||||
"au_6_9",
|
||||
"au_8_b",
|
||||
"au_10",
|
||||
"au_12_a",
|
||||
"au_12_c",
|
||||
"au_12_1",
|
||||
"au_12_2",
|
||||
"au_12_3",
|
||||
"au_12_4",
|
||||
"au_14_a",
|
||||
"au_14_b",
|
||||
"au_14_3",
|
||||
"ca_7_b",
|
||||
"cm_5_1_b",
|
||||
"cm_6_a",
|
||||
"cm_9_b",
|
||||
"ia_3_3_b",
|
||||
"ma_4_1_a",
|
||||
"pm_14_a_1",
|
||||
"pm_14_b",
|
||||
"pm_31",
|
||||
"sc_7_9_b",
|
||||
"si_1_1_c",
|
||||
"si_3_8_b",
|
||||
"si_4_2",
|
||||
"si_4_17",
|
||||
"si_4_20",
|
||||
"si_7_8",
|
||||
"si_10_1_c",
|
||||
],
|
||||
"ENS-RD2022": [
|
||||
"op.acc.6.r5.aws.iam.1",
|
||||
"op.exp.5.aws.ct.1",
|
||||
"op.exp.8.aws.ct.1",
|
||||
"op.exp.8.aws.ct.6",
|
||||
"op.exp.9.aws.ct.1",
|
||||
"op.mon.1.aws.ct.1",
|
||||
],
|
||||
"NIST-CSF-1.1": [
|
||||
"ae_1",
|
||||
"ae_3",
|
||||
"ae_4",
|
||||
"cm_1",
|
||||
"cm_3",
|
||||
"cm_6",
|
||||
"cm_7",
|
||||
"am_3",
|
||||
"ac_6",
|
||||
"ds_5",
|
||||
"ma_2",
|
||||
"pt_1",
|
||||
],
|
||||
"RBI-Cyber-Security-Framework": ["annex_i_7_4"],
|
||||
"FFIEC": [
|
||||
"d2-ma-ma-b-1",
|
||||
"d2-ma-ma-b-2",
|
||||
"d3-dc-an-b-3",
|
||||
"d3-dc-an-b-4",
|
||||
"d3-dc-an-b-5",
|
||||
"d3-dc-ev-b-1",
|
||||
"d3-dc-ev-b-3",
|
||||
"d3-pc-im-b-3",
|
||||
"d3-pc-im-b-7",
|
||||
"d5-dr-de-b-3",
|
||||
],
|
||||
"PCI-3.2.1": ["cloudtrail"],
|
||||
"FedRamp-Moderate-Revision-4": [
|
||||
"ac-2-4",
|
||||
"ac-2-g",
|
||||
"au-2-a-d",
|
||||
"au-3",
|
||||
"au-6-1-3",
|
||||
"au-12-a-c",
|
||||
"ca-7-a-b",
|
||||
"si-4-16",
|
||||
"si-4-2",
|
||||
"si-4-4",
|
||||
"si-4-5",
|
||||
],
|
||||
"FedRAMP-Low-Revision-4": ["ac-2", "au-2", "ca-7"],
|
||||
},
|
||||
):
|
||||
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
|
||||
|
||||
# Empty the Remediation.Recomendation.URL
|
||||
finding.check_metadata.Remediation.Recommendation.Url = ""
|
||||
|
||||
finding.resource_details = "Test resource details"
|
||||
finding.resource_id = "test-resource"
|
||||
finding.resource_arn = "test-arn"
|
||||
finding.region = "eu-west-1"
|
||||
finding.status = "PASS"
|
||||
finding.status_extended = "This is a test"
|
||||
|
||||
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
|
||||
|
||||
expected = Check_Output_JSON_ASFF(
|
||||
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
|
||||
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
|
||||
ProductFields=ProductFields(
|
||||
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
|
||||
),
|
||||
GeneratorId="prowler-" + finding.check_metadata.CheckID,
|
||||
AwsAccountId=AWS_ACCOUNT_NUMBER,
|
||||
Types=finding.check_metadata.CheckType,
|
||||
FirstObservedAt=timestamp,
|
||||
UpdatedAt=timestamp,
|
||||
CreatedAt=timestamp,
|
||||
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
|
||||
Title=finding.check_metadata.CheckTitle,
|
||||
Description=finding.status_extended,
|
||||
Resources=[
|
||||
Resource(
|
||||
Id="test-arn",
|
||||
Type=finding.check_metadata.ResourceType,
|
||||
Partition="aws",
|
||||
Region="eu-west-1",
|
||||
)
|
||||
],
|
||||
Compliance=Compliance(
|
||||
Status="PASS" + "ED",
|
||||
RelatedRequirements=[
|
||||
"CISA your-systems-3 your-data-2",
|
||||
"SOC2 cc_2_1 cc_7_2 cc_a_1_2",
|
||||
"CIS-1.4 3.1",
|
||||
"CIS-1.5 3.1",
|
||||
"GDPR article_25 article_30",
|
||||
"AWS-Foundational-Security-Best-Practices cloudtrail",
|
||||
"HIPAA 164_308_a_1_ii_d 164_308_a_3_ii_a 164_308_a_6_ii 164_312_",
|
||||
"ISO27001 A.12.4",
|
||||
"GxP-21-CFR-Part-11 11.10-e 11.10-k 11.300-d",
|
||||
"AWS-Well-Architected-Framework-Security-Pillar SEC04-BP02 SEC04",
|
||||
"GxP-EU-Annex-11 1-risk-management 4.2-validation-documentation-",
|
||||
"NIST-800-171-Revision-2 3_1_12 3_3_1 3_3_2 3_3_3 3_4_1 3_6_1 3_",
|
||||
"NIST-800-53-Revision-4 ac_2_4 ac_2 au_2 au_3 au_12 cm_2",
|
||||
"NIST-800-53-Revision-5 ac_2_4 ac_3_1 ac_3_10 ac_4_26 ac_6_9 au_",
|
||||
"ENS-RD2022 op.acc.6.r5.aws.iam.1 op.exp.5.aws.ct.1 op.exp.8.aws",
|
||||
"NIST-CSF-1.1 ae_1 ae_3 ae_4 cm_1 cm_3 cm_6 cm_7 am_3 ac_6 ds_5 ",
|
||||
"RBI-Cyber-Security-Framework annex_i_7_4",
|
||||
"FFIEC d2-ma-ma-b-1 d2-ma-ma-b-2 d3-dc-an-b-3 d3-dc-an-b-4 d3-dc",
|
||||
"PCI-3.2.1 cloudtrail",
|
||||
"FedRamp-Moderate-Revision-4 ac-2-4 ac-2-g au-2-a-d au-3 au-6-1-",
|
||||
],
|
||||
AssociatedStandards=[
|
||||
{"StandardsId": "CISA"},
|
||||
{"StandardsId": "SOC2"},
|
||||
{"StandardsId": "CIS-1.4"},
|
||||
{"StandardsId": "CIS-1.5"},
|
||||
{"StandardsId": "GDPR"},
|
||||
{"StandardsId": "AWS-Foundational-Security-Best-Practices"},
|
||||
{"StandardsId": "HIPAA"},
|
||||
{"StandardsId": "ISO27001"},
|
||||
{"StandardsId": "GxP-21-CFR-Part-11"},
|
||||
{
|
||||
"StandardsId": "AWS-Well-Architected-Framework-Security-Pillar"
|
||||
},
|
||||
{"StandardsId": "GxP-EU-Annex-11"},
|
||||
{"StandardsId": "NIST-800-171-Revision-2"},
|
||||
{"StandardsId": "NIST-800-53-Revision-4"},
|
||||
{"StandardsId": "NIST-800-53-Revision-5"},
|
||||
{"StandardsId": "ENS-RD2022"},
|
||||
{"StandardsId": "NIST-CSF-1.1"},
|
||||
{"StandardsId": "RBI-Cyber-Security-Framework"},
|
||||
{"StandardsId": "FFIEC"},
|
||||
{"StandardsId": "PCI-3.2.1"},
|
||||
{"StandardsId": "FedRamp-Moderate-Revision-4"},
|
||||
],
|
||||
),
|
||||
Remediation={
|
||||
"Recommendation": finding.check_metadata.Remediation.Recommendation,
|
||||
# "Code": finding.check_metadata.Remediation.Code,
|
||||
},
|
||||
)
|
||||
|
||||
expected.Remediation["Recommendation"].Text = (
|
||||
finding.check_metadata.Remediation.Recommendation.Text
|
||||
)
|
||||
expected.Remediation["Recommendation"].Url = (
|
||||
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
|
||||
)
|
||||
|
||||
assert fill_json_asff(aws_provider, finding) == expected
|
||||
|
||||
def test_generate_json_asff_status(self):
|
||||
assert generate_json_asff_status("PASS") == "PASSED"
|
||||
assert generate_json_asff_status("FAIL") == "FAILED"
|
||||
assert generate_json_asff_status("MUTED") == "MUTED"
|
||||
assert generate_json_asff_status("SOMETHING ELSE") == "NOT_AVAILABLE"
|
||||
|
||||
def test_generate_json_asff_resource_tags(self):
|
||||
assert generate_json_asff_resource_tags(None) is None
|
||||
assert generate_json_asff_resource_tags([]) is None
|
||||
assert generate_json_asff_resource_tags([{}]) is None
|
||||
assert generate_json_asff_resource_tags([{"key1": "value1"}]) == {
|
||||
"key1": "value1"
|
||||
}
|
||||
assert generate_json_asff_resource_tags(
|
||||
[{"Key": "key1", "Value": "value1"}]
|
||||
) == {"key1": "value1"}
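Review bot: The `Id=` line of every `expected = Check_Output_JSON_ASFF(...)` in this hunk hard-codes `123456789012` while the `AwsAccountId=` line two lines below uses the imported `AWS_ACCOUNT_NUMBER`, so all four `fill_json_asff` tests silently depend on that constant's current value; `Id=f"prowler-{finding.check_metadata.CheckID}-{AWS_ACCOUNT_NUMBER}-eu-west-1-{hash_sha512('test-resource')}"` removes the coupling. The four tests also repeat the same finding setup and the same forty-line expected object; a private helper that builds the finding and the baseline expected output would leave each test showing only what it actually varies (the truncated description, the compliance lists). The comment `# Empty the Remediation.Recomendation.URL`, repeated in three tests, misspells Recommendation.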
|
||||
@@ -0,0 +1,225 @@
|
||||
# from datetime import datetime
|
||||
from os import path
|
||||
|
||||
from py_ocsf_models.events.base_event import SeverityID, StatusID
|
||||
from py_ocsf_models.events.findings.detection_finding import (
|
||||
TypeID as DetectionFindingTypeID,
|
||||
)
|
||||
from py_ocsf_models.events.findings.finding import ActivityID, FindingInformation
|
||||
from py_ocsf_models.objects.account import Account, TypeID
|
||||
from py_ocsf_models.objects.cloud import Cloud
|
||||
from py_ocsf_models.objects.group import Group
|
||||
from py_ocsf_models.objects.metadata import Metadata
|
||||
from py_ocsf_models.objects.organization import Organization
|
||||
from py_ocsf_models.objects.product import Product
|
||||
|
||||
# from py_ocsf_models.events.findings.detection_finding import DetectionFinding
|
||||
from py_ocsf_models.objects.remediation import Remediation
|
||||
from py_ocsf_models.objects.resource_details import ResourceDetails
|
||||
|
||||
from prowler.config.config import prowler_version
|
||||
from prowler.lib.outputs.json_ocsf.json_ocsf import (
|
||||
fill_json_ocsf,
|
||||
get_account_type_id_by_provider,
|
||||
get_finding_status_id,
|
||||
)
|
||||
from tests.lib.outputs.fixtures.fixtures import generate_finding_output
|
||||
from tests.providers.aws.utils import AWS_REGION_EU_WEST_1
|
||||
|
||||
METADATA_FIXTURE_PATH = (
|
||||
f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json"
|
||||
)
|
||||
|
||||
|
||||
class TestOutputJSONOCSF:
|
||||
# test_fill_json_ocsf_iso_format_timestamp
|
||||
def test_finding_output_cloud_pass_low_muted(self):
|
||||
finding_output = generate_finding_output(
|
||||
"PASS", "low", True, AWS_REGION_EU_WEST_1
|
||||
)
|
||||
|
||||
finding_json_ocsf = fill_json_ocsf(finding_output)
|
||||
|
||||
# Activity
|
||||
assert finding_json_ocsf.activity_id == ActivityID.Create.value
|
||||
assert finding_json_ocsf.activity_name == ActivityID.Create.name
|
||||
|
||||
# Finding Information
|
||||
finding_information = finding_json_ocsf.finding_info
|
||||
|
||||
assert isinstance(finding_information, FindingInformation)
|
||||
assert finding_information.created_time == finding_output.timestamp
|
||||
assert finding_information.desc == finding_output.description
|
||||
assert finding_information.title == finding_output.check_title
|
||||
assert finding_information.uid == finding_output.finding_uid
|
||||
assert finding_information.product_uid == "prowler"
|
||||
|
||||
# Event time
|
||||
assert finding_json_ocsf.event_time == finding_output.timestamp
|
||||
|
||||
# Remediation
|
||||
remediation = finding_json_ocsf.remediation
|
||||
assert isinstance(remediation, Remediation)
|
||||
assert remediation.desc == finding_output.remediation_recommendation_text
|
||||
assert remediation.references == []
|
||||
|
||||
# Severity
|
||||
assert finding_json_ocsf.severity_id == SeverityID.Low
|
||||
assert finding_json_ocsf.severity == SeverityID.Low.name
|
||||
|
||||
# Status
|
||||
assert finding_json_ocsf.status_id == StatusID.Suppressed.value
|
||||
assert finding_json_ocsf.status == StatusID.Suppressed.name
|
||||
assert finding_json_ocsf.status_code == finding_output.status
|
||||
assert finding_json_ocsf.status_detail == finding_output.status_extended
|
||||
|
||||
# ResourceDetails
|
||||
resource_details = finding_json_ocsf.resources
|
||||
|
||||
assert len(resource_details) == 1
|
||||
assert isinstance(resource_details, list)
|
||||
assert isinstance(resource_details[0], ResourceDetails)
|
||||
assert resource_details[0].labels == []
|
||||
assert resource_details[0].name == finding_output.resource_name
|
||||
assert resource_details[0].uid == finding_output.resource_uid
|
||||
assert resource_details[0].type == finding_output.resource_type
|
||||
assert resource_details[0].cloud_partition == finding_output.partition
|
||||
assert resource_details[0].region == finding_output.region
|
||||
|
||||
resource_details_group = resource_details[0].group
|
||||
assert isinstance(resource_details_group, Group)
|
||||
assert resource_details_group.name == finding_output.service_name
|
||||
|
||||
# Metadata
|
||||
metadata = finding_json_ocsf.metadata
|
||||
assert isinstance(metadata, Metadata)
|
||||
|
||||
metadata_product = metadata.product
|
||||
assert isinstance(metadata_product, Product)
|
||||
assert metadata_product.name == "Prowler"
|
||||
assert metadata_product.vendor_name == "Prowler"
|
||||
assert metadata_product.version == prowler_version
|
||||
|
||||
# Type
|
||||
assert finding_json_ocsf.type_uid == DetectionFindingTypeID.Create
|
||||
assert finding_json_ocsf.type_name == DetectionFindingTypeID.Create.name
|
||||
|
||||
# Cloud
|
||||
cloud = finding_json_ocsf.cloud
|
||||
assert isinstance(cloud, Cloud)
|
||||
assert cloud.provider == "aws"
|
||||
assert cloud.region == finding_output.region
|
||||
|
||||
cloud_account = cloud.account
|
||||
assert isinstance(cloud_account, Account)
|
||||
assert cloud_account.name == finding_output.account_name
|
||||
assert cloud_account.type_id == TypeID.AWS_Account
|
||||
assert cloud_account.type == TypeID.AWS_Account.name
|
||||
assert cloud_account.uid == finding_output.account_uid
|
||||
|
||||
cloud_organization = cloud.org
|
||||
assert isinstance(cloud_organization, Organization)
|
||||
assert cloud_organization.uid == finding_output.account_organization_uid
|
||||
assert cloud_organization.name == finding_output.account_organization_name
|
||||
|
||||
def test_finding_output_cloud_fail_low_not_muted(self):
|
||||
finding_output = generate_finding_output(
|
||||
"FAIL", "low", False, AWS_REGION_EU_WEST_1
|
||||
)
|
||||
|
||||
finding_json_ocsf = fill_json_ocsf(finding_output)
|
||||
|
||||
# Status
|
||||
assert finding_json_ocsf.status_id == StatusID.New.value
|
||||
assert finding_json_ocsf.status == StatusID.New.name
|
||||
assert finding_json_ocsf.status_code == finding_output.status
|
||||
assert finding_json_ocsf.status_detail == finding_output.status_extended
|
||||
|
||||
def test_finding_output_cloud_pass_low_not_muted(self):
|
||||
finding_output = generate_finding_output(
|
||||
"PASS", "low", False, AWS_REGION_EU_WEST_1
|
||||
)
|
||||
|
||||
finding_json_ocsf = fill_json_ocsf(finding_output)
|
||||
|
||||
# Status
|
||||
assert finding_json_ocsf.status_id == StatusID.Other.value
|
||||
assert finding_json_ocsf.status == StatusID.Other.name
|
||||
assert finding_json_ocsf.status_code == finding_output.status
|
||||
assert finding_json_ocsf.status_detail == finding_output.status_extended
|
||||
|
||||
# Returns TypeID.AWS_Account when provider is 'aws'
|
||||
def test_returns_aws_account_when_provider_is_aws(self):
|
||||
provider = "aws"
|
||||
result = get_account_type_id_by_provider(provider)
|
||||
|
||||
assert result == TypeID.AWS_Account
|
||||
|
||||
# Returns TypeID.Azure_AD_Account when provider is 'azure'
|
||||
def test_returns_azure_ad_account_when_provider_is_azure(self):
|
||||
provider = "azure"
|
||||
result = get_account_type_id_by_provider(provider)
|
||||
|
||||
assert result == TypeID.Azure_AD_Account
|
||||
|
||||
# Returns TypeID.GCP_Account when provider is 'gcp'
|
||||
def test_returns_gcp_account_when_provider_is_gcp(self):
|
||||
provider = "gcp"
|
||||
result = get_account_type_id_by_provider(provider)
|
||||
|
||||
assert result == TypeID.GCP_Account
|
||||
|
||||
# Returns TypeID.Other when provider is None
|
||||
def test_returns_other_when_provider_is_none(self):
|
||||
provider = None
|
||||
result = get_account_type_id_by_provider(provider)
|
||||
|
||||
assert result == TypeID.Other
|
||||
|
||||
# Returns StatusID.New when status is "FAIL" and muted is False
|
||||
def test_new_when_status_fail_and_not_muted(self):
|
||||
status = "FAIL"
|
||||
muted = False
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.New
|
||||
|
||||
# Returns StatusID.Suppressed when status is "FAIL" and muted is True
|
||||
def test_suppressed_when_status_fail_and_muted(self):
|
||||
status = "FAIL"
|
||||
muted = True
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.Suppressed
|
||||
|
||||
# Returns StatusID.Other when status is None and muted is False
|
||||
def test_other_when_status_whatever_and_not_muted(self):
|
||||
status = None
|
||||
muted = False
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.Other
|
||||
|
||||
# Returns StatusID.Suppresed when status is None and muted is True
|
||||
def test_other_when_status_whatever_and_muted(self):
|
||||
status = None
|
||||
muted = True
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.Suppressed
|
||||
|
||||
# Returns StatusID.Suppressed when muted is True and status is not "FAIL"
|
||||
def test_suppressed_when_status_pass_and_muted(self):
|
||||
status = "PASS"
|
||||
muted = True
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.Suppressed
|
||||
|
||||
# Returns StatusID.Other when muted is False and status is not "FAIL"
|
||||
def test_other_when_status_pass_and_not_muted(self):
|
||||
status = "PASS"
|
||||
muted = False
|
||||
result = get_finding_status_id(status, muted)
|
||||
|
||||
assert result == StatusID.Other
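Review bot: The test named `test_other_when_status_whatever_and_muted` near the end of the hunk asserts `result == StatusID.Suppressed`, and its leading comment reads `Suppresed`, so the name contradicts the expectation; rename it `test_suppressed_when_status_none_and_muted` and change the comment to `# Returns StatusID.Suppressed when status is None and muted is True`. In `test_finding_output_cloud_pass_low_muted` the enum comparisons are mixed — `severity_id == SeverityID.Low` and `type_uid == DetectionFindingTypeID.Create` compare against the member while `status_id == StatusID.Suppressed.value` compares against the value — so using one form for all id fields makes the assertions independent of the enums' base class. The commented-out imports at the top of the file (`# from datetime import datetime` and the `DetectionFinding` import) are dead code and can be dropped.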
|
||||
@@ -7,15 +7,13 @@ from prowler.lib.outputs.slack import (
|
||||
create_message_identity,
|
||||
send_slack_message,
|
||||
)
|
||||
from prowler.providers.azure.lib.audit_info.models import (
|
||||
Azure_Audit_Info,
|
||||
AzureIdentityInfo,
|
||||
AzureRegionConfig,
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, set_mocked_aws_provider
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
AZURE_SUBSCRIPTION_NAME,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
from prowler.providers.common.models import Audit_Metadata
|
||||
from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
|
||||
|
||||
AWS_ACCOUNT_ID = "123456789012"
|
||||
from tests.providers.gcp.gcp_fixtures import set_mocked_gcp_provider
|
||||
|
||||
|
||||
def mock_create_message_blocks(*_):
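Review bot: The new `from tests.providers.gcp.gcp_fixtures import set_mocked_gcp_provider` line near the end of the hunk appears separated from the other `tests.providers.*` imports by a blank line, assuming the `AWS_ACCOUNT_ID = "123456789012"` assignment between them is one of the lines this hunk removes; place it directly after the `tests.providers.azure.azure_fixtures` import so the test-fixture imports form a single group.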
|
||||
@@ -26,75 +24,36 @@ def mock_create_message_identity(*_):
|
||||
return "", ""
|
||||
|
||||
|
||||
class Test_Slack_Integration:
|
||||
def test_create_message_identity(self):
|
||||
# TODO(Audit_Info): use provider here
|
||||
aws_audit_info = AWS_Audit_Info(
|
||||
session_config=None,
|
||||
original_session=None,
|
||||
audit_session=None,
|
||||
audited_account=AWS_ACCOUNT_ID,
|
||||
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
|
||||
audited_identity_arn="test-arn",
|
||||
audited_user_id="test",
|
||||
audited_partition="aws",
|
||||
profile="default",
|
||||
profile_region="eu-west-1",
|
||||
credentials=None,
|
||||
assumed_role_info=None,
|
||||
audited_regions=["eu-west-2", "eu-west-1"],
|
||||
organizations_metadata=None,
|
||||
audit_resources=None,
|
||||
mfa_enabled=False,
|
||||
audit_metadata=Audit_Metadata(
|
||||
services_scanned=0,
|
||||
expected_checks=[],
|
||||
completed_checks=0,
|
||||
audit_progress=0,
|
||||
),
|
||||
audit_config=None,
|
||||
)
|
||||
gcp_audit_info = GCP_Audit_Info(
|
||||
credentials=None,
|
||||
default_project_id="test-project1",
|
||||
project_ids=["test-project1", "test-project2"],
|
||||
audit_resources=None,
|
||||
audit_metadata=None,
|
||||
audit_config=None,
|
||||
)
|
||||
azure_audit_info = Azure_Audit_Info(
|
||||
credentials=None,
|
||||
identity=AzureIdentityInfo(
|
||||
identity_id="",
|
||||
identity_type="",
|
||||
tenant_ids=[],
|
||||
domain="",
|
||||
subscriptions={
|
||||
"subscription 1": "qwerty",
|
||||
"subscription 2": "asdfg",
|
||||
},
|
||||
),
|
||||
audit_resources=None,
|
||||
audit_metadata=None,
|
||||
audit_config=None,
|
||||
AzureRegionConfig=AzureRegionConfig(),
|
||||
locations=None,
|
||||
)
|
||||
assert create_message_identity("aws", aws_audit_info) == (
|
||||
f"AWS Account *{aws_audit_info.audited_account}*",
|
||||
class TestSlackIntegration:
|
||||
def test_create_message_identity_aws(self):
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
|
||||
assert create_message_identity(aws_provider) == (
|
||||
f"AWS Account *{aws_provider.identity.account}*",
|
||||
aws_logo,
|
||||
)
|
||||
assert create_message_identity("gcp", gcp_audit_info) == (
|
||||
f"GCP Projects *{', '.join(gcp_audit_info.project_ids)}*",
|
||||
gcp_logo,
|
||||
)
|
||||
assert create_message_identity("azure", azure_audit_info) == (
|
||||
"Azure Subscriptions:\n- *subscription 1: qwerty*\n- *subscription 2: asdfg*\n",
|
||||
|
||||
def test_create_message_identity_azure(self):
|
||||
azure_provider = set_mocked_azure_provider()
|
||||
|
||||
assert create_message_identity(azure_provider) == (
|
||||
f"Azure Subscriptions:\n- *{AZURE_SUBSCRIPTION_ID}: {AZURE_SUBSCRIPTION_NAME}*\n",
|
||||
azure_logo,
|
||||
)
|
||||
|
||||
def test_create_message_identity_gcp(self):
|
||||
gcp_provider = set_mocked_gcp_provider(
|
||||
project_ids=["test-project1", "test-project2"],
|
||||
default_project_id="test-project1",
|
||||
)
|
||||
|
||||
assert create_message_identity(gcp_provider) == (
|
||||
f"GCP Projects *{', '.join(gcp_provider.project_ids)}*",
|
||||
gcp_logo,
|
||||
)
|
||||
|
||||
def test_create_message_blocks(self):
|
||||
aws_identity = f"AWS Account *{AWS_ACCOUNT_ID}*"
|
||||
aws_identity = f"AWS Account *{AWS_ACCOUNT_NUMBER}*"
|
||||
azure_identity = "Azure Subscriptions:\n- *subscription 1: qwerty*\n- *subscription 2: asdfg*\n"
|
||||
gcp_identity = "GCP Project *gcp-project*"
|
||||
stats = {}
|
||||
|
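Review bot: In `test_create_message_blocks` at the end of the hunk, `aws_identity` now uses the shared `AWS_ACCOUNT_NUMBER` constant, but `azure_identity` still hard-codes `subscription 1: qwerty` / `subscription 2: asdfg` and `gcp_identity` hard-codes `gcp-project`, values that no longer correspond to what the new `test_create_message_identity_azure` and `test_create_message_identity_gcp` build from `set_mocked_azure_provider()` and `set_mocked_gcp_provider(...)`; `azure_identity = f"Azure Subscriptions:\n- *{AZURE_SUBSCRIPTION_ID}: {AZURE_SUBSCRIPTION_NAME}*\n"` would keep both tests on the same fixture values. The body of `test_create_message_blocks` continues past the end of the hunk.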
||||
@@ -156,8 +156,9 @@ class TestFilePermissions:
|
||||
temp_file.close()
|
||||
os.chmod(temp_file.name, 0o644) # Set permissions to 644 (-rw-r--r--)
|
||||
# Check ownership for the temporary file
|
||||
is_root = is_owned_by_root(temp_file.name)
|
||||
assert not is_root
|
||||
assert not is_owned_by_root(temp_file.name)
|
||||
os.unlink(temp_file.name)
|
||||
|
||||
assert not is_owned_by_root("not_existing_file")
|
||||
assert is_owned_by_root("/etc/passwd")
|
||||
# Not valid for darwin systems
|
||||
# assert is_owned_by_root("/etc/passwd")
|
||||
|
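Review bot: Commenting out `assert is_owned_by_root("/etc/passwd")` at the end of the hunk leaves `is_owned_by_root` with only negative assertions (the temp file and a missing path), so a regression that makes it return False unconditionally would still pass this test; since root ownership is a file-trust check, keep the positive case and gate it on the platform instead, e.g. `if sys.platform != "darwin": assert is_owned_by_root("/etc/passwd")` or a `pytest.mark.skipif` on the method, adding the `sys` import if the file does not already have it. The enclosing test method starts before the hunk.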
||||
@@ -1,510 +0,0 @@
|
||||
import re
|
||||
|
||||
import boto3
|
||||
import botocore
|
||||
from mock import patch
|
||||
from moto import mock_aws
|
||||
|
||||
from prowler.providers.aws.lib.arn.arn import parse_iam_credentials_arn
|
||||
from prowler.providers.aws.lib.credentials.credentials import (
|
||||
create_sts_session,
|
||||
validate_aws_credentials,
|
||||
)
|
||||
|
||||
AWS_ACCOUNT_NUMBER = "123456789012"
|
||||
|
||||
|
||||
# Mocking GetCallerIdentity for China and GovCloud
|
||||
make_api_call = botocore.client.BaseClient._make_api_call
|
||||
|
||||
|
||||
def mock_get_caller_identity_china(self, operation_name, kwarg):
|
||||
if operation_name == "GetCallerIdentity":
|
||||
return {
|
||||
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
|
||||
"Account": AWS_ACCOUNT_NUMBER,
|
||||
"Arn": f"arn:aws-cn:iam::{AWS_ACCOUNT_NUMBER}:user/test-user",
|
||||
}
|
||||
|
||||
return make_api_call(self, operation_name, kwarg)
|
||||
|
||||
|
||||
def mock_get_caller_identity_gov_cloud(self, operation_name, kwarg):
|
||||
if operation_name == "GetCallerIdentity":
|
||||
return {
|
||||
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
|
||||
"Account": AWS_ACCOUNT_NUMBER,
|
||||
"Arn": f"arn:aws-us-gov:iam::{AWS_ACCOUNT_NUMBER}:user/test-user",
|
||||
}
|
||||
|
||||
return make_api_call(self, operation_name, kwarg)
|
||||
|
||||
|
||||
class Test_AWS_Credentials:
|
||||
@mock_aws
|
||||
def test_validate_credentials_commercial_partition_with_regions(self):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [aws_region])
|
||||
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_validate_credentials_commercial_partition_with_regions_none_and_profile_region_so_profile_region(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, None)
|
||||
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_validate_credentials_commercial_partition_with_0_regions_and_profile_region_so_profile_region(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [])
|
||||
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_validate_credentials_commercial_partition_without_regions_and_profile_region_so_us_east_1(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=None,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [])
|
||||
|
||||
assert get_caller_identity["region"] == "us-east-1"
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_validate_credentials_commercial_partition_with_regions_none_and_profile_region_but_sts_endpoint_region(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
sts_endpoint_region = aws_region
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(
|
||||
session, None, sts_endpoint_region
|
||||
)
|
||||
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_validate_credentials_china_partition_without_regions_and_profile_region_so_us_east_1(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS COMMERCIAL
|
||||
aws_region = "eu-west-1"
|
||||
aws_partition = "aws"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=None,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [])
|
||||
|
||||
assert get_caller_identity["region"] == "us-east-1"
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
@patch(
|
||||
"botocore.client.BaseClient._make_api_call", new=mock_get_caller_identity_china
|
||||
)
|
||||
def test_validate_credentials_china_partition(self):
|
||||
# AWS Region for AWS CHINA
|
||||
aws_region = "cn-north-1"
|
||||
aws_partition = "aws-cn"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [aws_region])
|
||||
|
||||
# To use GovCloud or China it is either required:
|
||||
# - Set the AWS profile region with a valid partition region
|
||||
# - Use the -f/--region with a valid partition region
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
@patch(
|
||||
"botocore.client.BaseClient._make_api_call", new=mock_get_caller_identity_china
|
||||
)
|
||||
def test_validate_credentials_china_partition_without_regions_but_sts_endpoint_region(
|
||||
self,
|
||||
):
|
||||
# AWS Region for AWS CHINA
|
||||
aws_region = "cn-north-1"
|
||||
sts_endpoint_region = aws_region
|
||||
aws_partition = "aws-cn"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(
|
||||
session, None, sts_endpoint_region
|
||||
)
|
||||
|
||||
# To use GovCloud or China it is either required:
|
||||
# - Set the AWS profile region with a valid partition region
|
||||
# - Use the -f/--region with a valid partition region
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
@patch(
|
||||
"botocore.client.BaseClient._make_api_call",
|
||||
new=mock_get_caller_identity_gov_cloud,
|
||||
)
|
||||
def test_validate_credentials_gov_cloud_partition(self):
|
||||
# AWS Region for US GOV CLOUD
|
||||
aws_region = "us-gov-east-1"
|
||||
aws_partition = "aws-us-gov"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(session, [aws_region])
|
||||
|
||||
# To use GovCloud or China it is either required:
|
||||
# - Set the AWS profile region with a valid partition region
|
||||
# - Use the -f/--region with a valid partition region
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
@patch(
|
||||
"botocore.client.BaseClient._make_api_call",
|
||||
new=mock_get_caller_identity_gov_cloud,
|
||||
)
|
||||
def test_validate_credentials_gov_cloud_partition_without_regions_but_sts_endpoint_region(
|
||||
self,
|
||||
):
|
||||
# AWS Region for US GOV CLOUD
|
||||
aws_region = "us-gov-east-1"
|
||||
sts_endpoint_region = aws_region
|
||||
aws_partition = "aws-us-gov"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
|
||||
get_caller_identity = validate_aws_credentials(
|
||||
session, None, sts_endpoint_region
|
||||
)
|
||||
|
||||
# To use GovCloud or China it is either required:
|
||||
# - Set the AWS profile region with a valid partition region
|
||||
# - Use the -f/--region with a valid partition region
|
||||
assert get_caller_identity["region"] == aws_region
|
||||
|
||||
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
|
||||
|
||||
assert caller_identity_arn.partition == aws_partition
|
||||
assert caller_identity_arn.region is None
|
||||
assert caller_identity_arn.resource == "test-user"
|
||||
assert caller_identity_arn.resource_type == "user"
|
||||
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
|
||||
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
|
||||
|
||||
@mock_aws
|
||||
def test_create_sts_session(self):
|
||||
aws_region = "eu-west-1"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
sts_client = create_sts_session(session, aws_region)
|
||||
|
||||
assert sts_client._endpoint._endpoint_prefix == "sts"
|
||||
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
|
||||
|
||||
@mock_aws
|
||||
def test_create_sts_session_gov_cloud(self):
|
||||
aws_region = "us-gov-east-1"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
sts_client = create_sts_session(session, aws_region)
|
||||
|
||||
assert sts_client._endpoint._endpoint_prefix == "sts"
|
||||
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
|
||||
|
||||
@mock_aws
|
||||
def test_create_sts_session_china(self):
|
||||
aws_region = "cn-north-1"
|
||||
# Create a mock IAM user
|
||||
iam_client = boto3.client("iam", region_name=aws_region)
|
||||
iam_user = iam_client.create_user(UserName="test-user")["User"]
|
||||
# Create a mock IAM access keys
|
||||
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
|
||||
"AccessKey"
|
||||
]
|
||||
access_key_id = access_key["AccessKeyId"]
|
||||
secret_access_key = access_key["SecretAccessKey"]
|
||||
# Create AWS session to validate
|
||||
session = boto3.session.Session(
|
||||
aws_access_key_id=access_key_id,
|
||||
aws_secret_access_key=secret_access_key,
|
||||
region_name=aws_region,
|
||||
)
|
||||
sts_client = create_sts_session(session, aws_region)
|
||||
|
||||
assert sts_client._endpoint._endpoint_prefix == "sts"
|
||||
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
|
||||
@@ -1,13 +1,11 @@
|
||||
import json
|
||||
|
||||
import boto3
|
||||
from moto import mock_aws
|
||||
|
||||
from prowler.providers.aws.lib.audit_info.models import AWS_Organizations_Info
|
||||
from prowler.providers.aws.lib.organizations.organizations import (
|
||||
get_organizations_metadata,
|
||||
parse_organizations_metadata,
|
||||
)
|
||||
from prowler.providers.aws.models import AWSOrganizationsInfo
|
||||
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1
|
||||
|
||||
|
||||
@@ -15,8 +13,6 @@ class Test_AWS_Organizations:
|
||||
@mock_aws
|
||||
def test_organizations(self):
|
||||
client = boto3.client("organizations", region_name=AWS_REGION_US_EAST_1)
|
||||
iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
|
||||
sts_client = boto3.client("sts", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
mockname = "mock-account"
|
||||
mockdomain = "moto-example.org"
|
||||
@@ -31,53 +27,47 @@ class Test_AWS_Organizations:
|
||||
ResourceId=account_id, Tags=[{"Key": "key", "Value": "value"}]
|
||||
)
|
||||
|
||||
trust_policy_document = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": {
|
||||
"Effect": "Allow",
|
||||
"Principal": {"AWS": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"},
|
||||
"Action": "sts:AssumeRole",
|
||||
},
|
||||
}
|
||||
iam_role_arn = iam_client.role_arn = iam_client.create_role(
|
||||
RoleName="test-role",
|
||||
AssumeRolePolicyDocument=json.dumps(trust_policy_document),
|
||||
)["Role"]["Arn"]
|
||||
session_name = "new-session"
|
||||
assumed_role = sts_client.assume_role(
|
||||
RoleArn=iam_role_arn, RoleSessionName=session_name
|
||||
)
|
||||
|
||||
metadata, tags = get_organizations_metadata(account_id, assumed_role)
|
||||
metadata, tags = get_organizations_metadata(account_id, boto3.Session())
|
||||
org = parse_organizations_metadata(metadata, tags)
|
||||
|
||||
assert org.account_details_email == mockemail
|
||||
assert org.account_details_name == mockname
|
||||
assert isinstance(org, AWSOrganizationsInfo)
|
||||
assert org.account_email == mockemail
|
||||
assert org.account_name == mockname
|
||||
assert (
|
||||
org.account_details_arn
|
||||
org.organization_account_arn
|
||||
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:account/{org_id}/{account_id}"
|
||||
)
|
||||
assert org.account_details_org == org_id
|
||||
assert org.account_details_tags == "key:value"
|
||||
assert (
|
||||
org.organization_arn
|
||||
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:organization/{org_id}"
|
||||
)
|
||||
assert org.organization_id == org_id
|
||||
assert org.account_tags == "key:value"
|
||||
|
||||
def test_parse_organizations_metadata(self):
|
||||
tags = {"Tags": [{"Key": "test-key", "Value": "test-value"}]}
|
||||
name = "test-name"
|
||||
email = "test-email"
|
||||
organization_name = "test-org"
|
||||
name = "mock-account"
|
||||
email = "mock-account@moto-example.org"
|
||||
organization_name = "o-v4bzbxm7ib"
|
||||
arn = f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:organization/{organization_name}"
|
||||
metadata = {
|
||||
"Account": {
|
||||
"Name": name,
|
||||
"Email": email,
|
||||
"Arn": arn,
|
||||
"Id": AWS_ACCOUNT_NUMBER,
|
||||
"Arn": f"arn:aws:organizations::123456789012:account/o-v4bzbxm7ib/{AWS_ACCOUNT_NUMBER}",
|
||||
"Email": "mock-account@moto-example.org",
|
||||
"Name": "mock-account",
|
||||
"Status": "ACTIVE",
|
||||
}
|
||||
}
|
||||
|
||||
org = parse_organizations_metadata(metadata, tags)
|
||||
|
||||
assert isinstance(org, AWS_Organizations_Info)
|
||||
assert org.account_details_email == email
|
||||
assert org.account_details_name == name
|
||||
assert org.account_details_arn == arn
|
||||
assert org.account_details_org == organization_name
|
||||
assert org.account_details_tags == "test-key:test-value"
|
||||
assert isinstance(org, AWSOrganizationsInfo)
|
||||
assert org.account_email == email
|
||||
assert org.account_name == name
|
||||
assert (
|
||||
org.organization_account_arn
|
||||
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:account/{organization_name}/{AWS_ACCOUNT_NUMBER}"
|
||||
)
|
||||
assert org.organization_arn == arn
|
||||
assert org.account_tags == "test-key:test-value"
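Review bot: In `test_parse_organizations_metadata` the new `"Arn"` literal hardcodes `123456789012` while the assertion below it is built from `{AWS_ACCOUNT_NUMBER}`, and the `name`/`email` locals defined just above are not used in the `metadata` dict (the strings are repeated), so `org.account_email == email` only holds while both copies stay in sync. Use the locals: `"Arn": f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:account/{organization_name}/{AWS_ACCOUNT_NUMBER}",` / `"Email": email,` / `"Name": name,`. Separately, `test_organizations` now passes `boto3.Session()` and drops the `create_role`/`assume_role` setup, so if the production lookup still runs under an assumed-role session that path is no longer exercised here — worth a one-line comment stating that the assume-role variant is covered elsewhere, or restoring it.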
|
||||
|
||||
@@ -24,19 +24,19 @@ class TestS3:
|
||||
@mock_aws
|
||||
def test_send_to_s3_bucket(self):
|
||||
# Mock Audit Info
|
||||
audit_info = MagicMock()
|
||||
provider = MagicMock()
|
||||
|
||||
# Create mock session
|
||||
audit_info.audit_session = boto3.session.Session(region_name=AWS_REGION)
|
||||
audit_info.identity.account = AWS_ACCOUNT_ID
|
||||
provider.current_session = boto3.session.Session(region_name=AWS_REGION)
|
||||
provider.identity.account = AWS_ACCOUNT_ID
|
||||
|
||||
# Create mock bucket
|
||||
client = audit_info.audit_session.client("s3")
|
||||
client = provider.current_session.client("s3")
|
||||
client.create_bucket(Bucket=S3_BUCKET_NAME)
|
||||
|
||||
# Mocked CSV output file
|
||||
output_directory = f"{ACTUAL_DIRECTORY}/{FIXTURES_DIR_NAME}"
|
||||
filename = f"prowler-output-{audit_info.identity.account}"
|
||||
filename = f"prowler-output-{provider.identity.account}"
|
||||
|
||||
# Send mock CSV file to mock S3 Bucket
|
||||
send_to_s3_bucket(
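Review bot: The comment `# Mock Audit Info` is now stale — the object below it is `provider`, and `audit_info` no longer exists in this test; change it to `# Mock provider`. This file also keeps `AWS_ACCOUNT_ID` while the other tests touched by this commit take `AWS_ACCOUNT_NUMBER` from `tests.providers.aws.utils`; if both constants hold the same value, switching to the shared one avoids a second source of truth (its definition is outside the hunk, so this is an assumption).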
|
||||
@@ -44,7 +44,7 @@ class TestS3:
|
||||
output_directory,
|
||||
OUTPUT_MODE_CSV,
|
||||
S3_BUCKET_NAME,
|
||||
audit_info.audit_session,
|
||||
provider.current_session,
|
||||
)
|
||||
|
||||
bucket_directory = get_s3_object_path(output_directory)
|
||||
@@ -63,19 +63,19 @@ class TestS3:
|
||||
@mock_aws
|
||||
def test_send_to_s3_bucket_compliance(self):
|
||||
# Mock Audit Info
|
||||
audit_info = MagicMock()
|
||||
provider = MagicMock()
|
||||
|
||||
# Create mock session
|
||||
audit_info.audit_session = boto3.session.Session(region_name=AWS_REGION)
|
||||
audit_info.identity.account = AWS_ACCOUNT_ID
|
||||
provider.current_session = boto3.session.Session(region_name=AWS_REGION)
|
||||
provider.identity.account = AWS_ACCOUNT_ID
|
||||
|
||||
# Create mock bucket
|
||||
client = audit_info.audit_session.client("s3")
|
||||
client = provider.current_session.client("s3")
|
||||
client.create_bucket(Bucket=S3_BUCKET_NAME)
|
||||
|
||||
# Mocked CSV output file
|
||||
output_directory = f"{ACTUAL_DIRECTORY}/{FIXTURES_DIR_NAME}"
|
||||
filename = f"prowler-output-{audit_info.identity.account}"
|
||||
filename = f"prowler-output-{provider.identity.account}"
|
||||
|
||||
# Send mock CSV file to mock S3 Bucket
|
||||
send_to_s3_bucket(
|
||||
@@ -83,7 +83,7 @@ class TestS3:
|
||||
output_directory,
|
||||
OUTPUT_MODE_CIS_1_4_AWS,
|
||||
S3_BUCKET_NAME,
|
||||
audit_info.audit_session,
|
||||
provider.current_session,
|
||||
)
|
||||
|
||||
bucket_directory = get_s3_object_path(output_directory)
|
||||
|
||||
@@ -18,7 +18,7 @@ from tests.providers.aws.utils import (
|
||||
AWS_COMMERCIAL_PARTITION,
|
||||
AWS_REGION_EU_WEST_1,
|
||||
AWS_REGION_EU_WEST_2,
|
||||
set_mocked_aws_audit_info,
|
||||
set_mocked_aws_provider,
|
||||
)
|
||||
|
||||
|
||||
@@ -108,11 +108,11 @@ class Test_SecurityHub:
|
||||
return finding
|
||||
|
||||
def set_mocked_output_options(
|
||||
self, is_quiet: bool = False, send_sh_only_fails: bool = False
|
||||
self, status: list[str] = [], send_sh_only_fails: bool = False
|
||||
):
|
||||
output_options = MagicMock
|
||||
output_options.bulk_checks_metadata = {}
|
||||
output_options.is_quiet = is_quiet
|
||||
output_options.status = status
|
||||
output_options.send_sh_only_fails = send_sh_only_fails
|
||||
|
||||
return output_options
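Review bot: `status: list[str] = []` is a mutable default shared across calls, and `output_options = MagicMock` (no parentheses) assigns `bulk_checks_metadata`, `status` and `send_sh_only_fails` onto the `MagicMock` class itself, so every `MagicMock()` instance created afterwards in the process inherits those values instead of auto-generated child mocks. Instantiate the mock and copy the list: `output_options = MagicMock()` / `output_options.status = list(status) if status else []`, with the signature changed to `status: list[str] | None = None`. Callers that rely on the empty-list meaning "all statuses" are unaffected.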
|
||||
@@ -160,7 +160,7 @@ class Test_SecurityHub:
|
||||
(
|
||||
"root",
|
||||
WARNING,
|
||||
f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
|
||||
f"ClientError -- [64]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
|
||||
)
|
||||
]
|
||||
|
||||
@@ -220,7 +220,7 @@ class Test_SecurityHub:
|
||||
(
|
||||
"root",
|
||||
ERROR,
|
||||
f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
|
||||
f"ClientError -- [64]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
|
||||
)
|
||||
]
|
||||
|
||||
@@ -246,83 +246,83 @@ class Test_SecurityHub:
|
||||
(
|
||||
"root",
|
||||
ERROR,
|
||||
f"Exception -- [68]: {error_message}",
|
||||
f"Exception -- [64]: {error_message}",
|
||||
)
|
||||
]
|
||||
|
||||
def test_prepare_security_hub_findings_enabled_region_not_quiet(self):
|
||||
def test_prepare_security_hub_findings_enabled_region_all_statuses(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=False)
|
||||
output_options = self.set_mocked_output_options()
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {
|
||||
AWS_REGION_EU_WEST_1: [get_security_hub_finding("PASSED")],
|
||||
}
|
||||
|
||||
def test_prepare_security_hub_findings_quiet_INFO_finding(self):
|
||||
def test_prepare_security_hub_findings_all_statuses_MANUAL_finding(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=False)
|
||||
findings = [self.generate_finding("INFO", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
output_options = self.set_mocked_output_options()
|
||||
findings = [self.generate_finding("MANUAL", AWS_REGION_EU_WEST_1)]
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: []}
|
||||
|
||||
def test_prepare_security_hub_findings_disabled_region(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=False)
|
||||
output_options = self.set_mocked_output_options()
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_2)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: []}
|
||||
|
||||
def test_prepare_security_hub_findings_quiet_PASS(self):
|
||||
def test_prepare_security_hub_findings_PASS_and_FAIL_statuses(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=True)
|
||||
output_options = self.set_mocked_output_options(status=["FAIL"])
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: []}
|
||||
|
||||
def test_prepare_security_hub_findings_quiet_FAIL(self):
|
||||
def test_prepare_security_hub_findings_FAIL_and_FAIL_statuses(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=True)
|
||||
output_options = self.set_mocked_output_options(status=["FAIL"])
|
||||
findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
|
||||
@@ -331,13 +331,13 @@ class Test_SecurityHub:
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(send_sh_only_fails=True)
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: []}
|
||||
@@ -346,26 +346,26 @@ class Test_SecurityHub:
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(send_sh_only_fails=True)
|
||||
findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
|
||||
|
||||
def test_prepare_security_hub_findings_no_audited_regions(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=False)
|
||||
output_options = self.set_mocked_output_options()
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info()
|
||||
aws_provider = set_mocked_aws_provider()
|
||||
|
||||
assert prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
) == {
|
||||
@@ -375,16 +375,16 @@ class Test_SecurityHub:
|
||||
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
|
||||
def test_batch_send_to_security_hub_one_finding(self):
|
||||
enabled_regions = [AWS_REGION_EU_WEST_1]
|
||||
output_options = self.set_mocked_output_options(is_quiet=False)
|
||||
output_options = self.set_mocked_output_options()
|
||||
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
|
||||
audit_info = set_mocked_aws_audit_info(
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
|
||||
)
|
||||
session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
|
||||
|
||||
security_hub_findings = prepare_security_hub_findings(
|
||||
findings,
|
||||
audit_info,
|
||||
aws_provider,
|
||||
output_options,
|
||||
enabled_regions,
|
||||
)
|
||||
|
||||
@@ -6,7 +6,7 @@ from tests.providers.aws.utils import (
|
||||
AWS_ACCOUNT_NUMBER,
|
||||
AWS_COMMERCIAL_PARTITION,
|
||||
AWS_REGION_US_EAST_1,
|
||||
set_mocked_aws_audit_info,
|
||||
set_mocked_aws_provider,
|
||||
)
|
||||
|
||||
|
||||
@@ -22,10 +22,10 @@ def mock_generate_regional_clients(provider, service):
|
||||
"prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
|
||||
new=mock_generate_regional_clients,
|
||||
)
|
||||
class Test_AWSService:
|
||||
class TestAWSService:
|
||||
def test_AWSService_init(self):
|
||||
service_name = "s3"
|
||||
provider = set_mocked_aws_audit_info()
|
||||
provider = set_mocked_aws_provider()
|
||||
service = AWSService(service_name, provider)
|
||||
|
||||
assert service.provider == provider
|
||||
@@ -46,7 +46,7 @@ class Test_AWSService:
|
||||
|
||||
def test_AWSService_init_global_service(self):
|
||||
service_name = "cloudfront"
|
||||
provider = set_mocked_aws_audit_info()
|
||||
provider = set_mocked_aws_provider()
|
||||
service = AWSService(service_name, provider, global_service=True)
|
||||
|
||||
assert service.provider == provider
|
||||
|
||||
+2
-1
@@ -12,7 +12,6 @@ from tests.providers.aws.utils import AWS_REGION_US_EAST_1, set_mocked_aws_provi
|
||||
class Test_iam_securityaudit_role_created:
|
||||
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
|
||||
def test_securityaudit_role_created(self):
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
iam = client("iam")
|
||||
role_name = "test_securityaudit_role_created"
|
||||
assume_role_policy_document = {
|
||||
@@ -33,6 +32,8 @@ class Test_iam_securityaudit_role_created:
|
||||
PolicyArn="arn:aws:iam::aws:policy/SecurityAudit",
|
||||
)
|
||||
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=aws_provider,
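Review bot: The `aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])` line is moved from the top of `test_securityaudit_role_created` to after the role creation and policy attachment without a comment saying why the order now matters. If the fixture inspects moto state at construction (the utils change makes it create a default organization), a one-line comment such as `# Build the provider after the IAM fixtures so the mocked account state exists before the provider reads it` would keep the next reader from moving it back. The enclosing test method starts in the previous hunk.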
|
||||
|
||||
+3
-1
@@ -17,7 +17,9 @@ from tests.providers.aws.utils import (
|
||||
class Test_organizations_account_part_of_organizations:
|
||||
@mock_aws
|
||||
def test_no_organization(self):
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
|
||||
+3
-1
@@ -13,7 +13,9 @@ from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provi
|
||||
class Test_organizations_delegated_administrators:
|
||||
@mock_aws
|
||||
def test_no_organization(self):
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
aws_provider._audit_config = {
|
||||
"organizations_trusted_delegated_administrators": []
|
||||
}
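Review bot: The test writes `aws_provider._audit_config = {...}` to a private attribute immediately after the new `set_mocked_aws_provider(...)` call, although the fixture exposes an `audit_config` parameter; passing `audit_config={"organizations_trusted_delegated_administrators": []}` in the same call keeps the test on the fixture's public interface (this assumes the fixture forwards that parameter into the provider, which is not visible in this hunk). The same pattern appears in the `Test_organizations_scp_check_deny_regions` hunk below with `organizations_enabled_regions`.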
|
||||
|
||||
+3
-1
@@ -22,7 +22,9 @@ def scp_restrict_regions_with_deny():
|
||||
class Test_organizations_scp_check_deny_regions:
|
||||
@mock_aws
|
||||
def test_no_organization(self):
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
aws_provider._audit_config = {
|
||||
"organizations_enabled_regions": [AWS_REGION_EU_WEST_1]
|
||||
}
|
||||
|
||||
@@ -26,7 +26,9 @@ class Test_Organizations_Service:
|
||||
conn = client("organizations", region_name=AWS_REGION_EU_WEST_1)
|
||||
response = conn.create_organization()
|
||||
# Mock
|
||||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
|
||||
aws_provider = set_mocked_aws_provider(
|
||||
[AWS_REGION_EU_WEST_1], create_default_organization=False
|
||||
)
|
||||
organizations = Organizations(aws_provider)
|
||||
# Tests
|
||||
assert len(organizations.organizations) == 1
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
from argparse import Namespace
|
||||
|
||||
from boto3 import session
|
||||
from boto3 import client, session
|
||||
from botocore.config import Config
|
||||
from moto import mock_aws
|
||||
|
||||
@@ -20,8 +20,6 @@ AWS_REGION_EU_WEST_1 = "eu-west-1"
|
||||
AWS_REGION_EU_WEST_1_AZA = "eu-west-1a"
|
||||
AWS_REGION_EU_WEST_1_AZB = "eu-west-1b"
|
||||
AWS_REGION_EU_WEST_2 = "eu-west-2"
|
||||
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
|
||||
AWS_REGION_CN_NORTH_1 = "cn-north-1"
|
||||
AWS_REGION_EU_SOUTH_2 = "eu-south-2"
|
||||
AWS_REGION_EU_SOUTH_3 = "eu-south-3"
|
||||
AWS_REGION_US_WEST_2 = "us-west-2"
|
||||
@@ -30,7 +28,8 @@ AWS_REGION_EU_CENTRAL_1 = "eu-central-1"
|
||||
|
||||
|
||||
# China Regions
|
||||
AWS_REGION_CHINA_NORHT_1 = "cn-north-1"
|
||||
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
|
||||
AWS_REGION_CN_NORTH_1 = "cn-north-1"
|
||||
|
||||
# Gov Cloud Regions
|
||||
AWS_REGION_GOV_CLOUD_US_EAST_1 = "us-gov-east-1"
|
||||
@@ -44,37 +43,8 @@ AWS_GOV_CLOUD_PARTITION = "aws-us-gov"
|
||||
AWS_CHINA_PARTITION = "aws-cn"
|
||||
AWS_ISO_PARTITION = "aws-iso"
|
||||
|
||||
# Commercial Regions
|
||||
AWS_REGION_US_EAST_1 = "us-east-1"
|
||||
AWS_REGION_US_EAST_1_AZA = "us-east-1a"
|
||||
AWS_REGION_US_EAST_1_AZB = "us-east-1b"
|
||||
AWS_REGION_EU_WEST_1 = "eu-west-1"
|
||||
AWS_REGION_EU_WEST_1_AZA = "eu-west-1a"
|
||||
AWS_REGION_EU_WEST_1_AZB = "eu-west-1b"
|
||||
AWS_REGION_EU_WEST_2 = "eu-west-2"
|
||||
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
|
||||
AWS_REGION_CN_NORTH_1 = "cn-north-1"
|
||||
AWS_REGION_EU_SOUTH_2 = "eu-south-2"
|
||||
AWS_REGION_EU_SOUTH_3 = "eu-south-3"
|
||||
AWS_REGION_US_WEST_2 = "us-west-2"
|
||||
AWS_REGION_US_EAST_2 = "us-east-2"
|
||||
AWS_REGION_EU_CENTRAL_1 = "eu-central-1"
|
||||
|
||||
|
||||
# China Regions
|
||||
AWS_REGION_CHINA_NORHT_1 = "cn-north-1"
|
||||
|
||||
# Gov Cloud Regions
|
||||
AWS_REGION_GOV_CLOUD_US_EAST_1 = "us-gov-east-1"
|
||||
|
||||
# Iso Regions
|
||||
AWS_REGION_ISO_GLOBAL = "aws-iso-global"
|
||||
|
||||
# AWS Partitions
|
||||
AWS_COMMERCIAL_PARTITION = "aws"
|
||||
AWS_GOV_CLOUD_PARTITION = "aws-us-gov"
|
||||
AWS_CHINA_PARTITION = "aws-cn"
|
||||
AWS_ISO_PARTITION = "aws-iso"
|
||||
# EC2
|
||||
EXAMPLE_AMI_ID = "ami-12c6146b"
|
||||
|
||||
|
||||
# Mocked AWS Provider
|
||||
@@ -89,16 +59,28 @@ def set_mocked_aws_provider(
|
||||
profile_region: str = None,
|
||||
audit_config: dict = {},
|
||||
ignore_unused_services: bool = False,
|
||||
# assumed_role_info: AWSAssumeRole = None,
|
||||
audit_session: session.Session = session.Session(
|
||||
profile_name=None,
|
||||
botocore_session=None,
|
||||
),
|
||||
original_session: session.Session = None,
|
||||
enabled_regions: set = None,
|
||||
arguments: Namespace = Namespace(),
|
||||
create_default_organization: bool = True,
|
||||
) -> AwsProvider:
|
||||
# Create default AWS Provider
|
||||
provider = AwsProvider(Namespace())
|
||||
if create_default_organization:
|
||||
# Create default AWS Organization
|
||||
create_default_aws_organization()
|
||||
|
||||
# Default arguments
|
||||
arguments = set_default_provider_arguments(arguments)
|
||||
|
||||
# AWS Provider
|
||||
provider = AwsProvider(arguments)
|
||||
|
||||
# Output options
|
||||
provider.output_options = arguments, {}
|
||||
|
||||
# Mock Session
|
||||
provider._session.session_config = None
|
||||
provider._session.original_session = original_session
|
||||
@@ -130,3 +112,36 @@ def set_mocked_aws_provider(
|
||||
)
|
||||
|
||||
return provider
|
||||
|
||||
|
||||
def set_default_provider_arguments(arguments: Namespace) -> Namespace:
|
||||
arguments.status = []
|
||||
arguments.output_modes = []
|
||||
arguments.output_directory = ""
|
||||
arguments.verbose = False
|
||||
arguments.only_logs = False
|
||||
arguments.unix_timestamp = False
|
||||
arguments.shodan = None
|
||||
arguments.security_hub = False
|
||||
arguments.send_sh_only_fails = False
|
||||
|
||||
return arguments
|
||||
|
||||
|
||||
@mock_aws
|
||||
def create_default_aws_organization():
|
||||
# Create default AWS Organization
|
||||
organizations_client = client("organizations", region_name=AWS_REGION_US_EAST_1)
|
||||
|
||||
mockname = "mock-account"
|
||||
mockdomain = "moto-example.org"
|
||||
mockemail = "@".join([mockname, mockdomain])
|
||||
|
||||
_ = organizations_client.create_organization(FeatureSet="ALL")["Organization"]["Id"]
|
||||
account_id = organizations_client.create_account(
|
||||
AccountName=mockname, Email=mockemail
|
||||
)["CreateAccountStatus"]["AccountId"]
|
||||
|
||||
_ = organizations_client.tag_resource(
|
||||
ResourceId=account_id, Tags=[{"Key": "test", "Value": "aws-provider"}]
|
||||
)
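Review bot: `set_mocked_aws_provider` appears to take `arguments: Namespace = Namespace()` and hands it to `set_default_provider_arguments`, which assigns attributes on that object in place, so the default is one module-level Namespace shared by every test that omits `arguments`; any attribute a test sets that the reset list does not cover leaks into later tests. Use a sentinel instead: `arguments: Namespace = None,` and `arguments = set_default_provider_arguments(arguments if arguments is not None else Namespace())`; the pre-existing `audit_config: dict = {}` default has the same problem. `create_default_aws_organization` carries its own `@mock_aws`; when the caller is not itself inside a moto mock, the organization created there is presumably torn down as the decorator exits, so the helper would have no lasting effect for that caller — worth confirming and stating in a docstring on the function.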
|
||||
|
||||
@@ -1,14 +1,13 @@
|
||||
from uuid import uuid4
|
||||
|
||||
from azure.identity import DefaultAzureCredential
|
||||
from mock import MagicMock
|
||||
|
||||
from prowler.providers.azure.lib.audit_info.models import (
|
||||
Azure_Audit_Info,
|
||||
Azure_Identity_Info,
|
||||
Azure_Region_Config,
|
||||
)
|
||||
from prowler.providers.azure.azure_provider import AzureProvider
|
||||
from prowler.providers.azure.models import AzureIdentityInfo, AzureRegionConfig
|
||||
|
||||
AZURE_SUBSCRIPTION = str(uuid4())
|
||||
AZURE_SUBSCRIPTION_ID = str(uuid4())
|
||||
AZURE_SUBSCRIPTION_NAME = "Subscription Name"
|
||||
|
||||
# Azure Identity
|
||||
IDENTITY_ID = "00000000-0000-0000-0000-000000000000"
|
||||
@@ -18,26 +17,26 @@ DOMAIN = "user.onmicrosoft.com"
|
||||
|
||||
|
||||
# Mocked Azure Audit Info
|
||||
def set_mocked_azure_audit_info(
|
||||
def set_mocked_azure_provider(
|
||||
credentials: DefaultAzureCredential = DefaultAzureCredential(),
|
||||
identity: Azure_Identity_Info = Azure_Identity_Info(
|
||||
identity: AzureIdentityInfo = AzureIdentityInfo(
|
||||
identity_id=IDENTITY_ID,
|
||||
identity_type=IDENTITY_TYPE,
|
||||
tenant_ids=TENANT_IDS,
|
||||
domain=DOMAIN,
|
||||
subscriptions={AZURE_SUBSCRIPTION: "id_subscription"},
|
||||
subscriptions={AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME},
|
||||
),
|
||||
audit_config: dict = None,
|
||||
azure_region_config: Azure_Region_Config = Azure_Region_Config(),
|
||||
azure_region_config: AzureRegionConfig = AzureRegionConfig(),
|
||||
locations: list = None,
|
||||
):
|
||||
audit_info = Azure_Audit_Info(
|
||||
credentials=credentials,
|
||||
identity=identity,
|
||||
audit_metadata=None,
|
||||
audit_resources=None,
|
||||
audit_config=audit_config,
|
||||
azure_region_config=azure_region_config,
|
||||
locations=locations,
|
||||
)
|
||||
return audit_info
|
||||
) -> AzureProvider:
|
||||
|
||||
provider = MagicMock()
|
||||
provider.type = "azure"
|
||||
provider.session.credentials = credentials
|
||||
provider.identity.locations = locations
|
||||
provider.identity = identity
|
||||
provider.audit_config = audit_config
|
||||
provider.region_config = azure_region_config
|
||||
|
||||
return provider
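Review bot: In `set_mocked_azure_provider`, `provider.identity.locations = locations` runs before `provider.identity = identity`, so the assignment lands on the MagicMock's auto-created attribute and is discarded when `identity` replaces it; the `locations` parameter has no effect on the returned provider. Either assign `identity` first and then `provider.identity.locations = locations`, or drop the parameter. The module-level `identity=AzureIdentityInfo(...)` default is a single shared object, so writing `locations` onto it would then leak between tests; build the default inside the body behind a `None` sentinel. The `-> AzureProvider` annotation is also inaccurate for a `MagicMock` return; a one-line docstring saying the result is a mock with provider-shaped attributes would help callers.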
|
||||
|
||||
@@ -0,0 +1,214 @@
|
||||
from argparse import Namespace
|
||||
from datetime import datetime
|
||||
from os import rmdir
|
||||
|
||||
import pytest
|
||||
from azure.identity import DefaultAzureCredential
|
||||
from freezegun import freeze_time
|
||||
from mock import patch
|
||||
|
||||
from prowler.config.config import default_config_file_path
|
||||
from prowler.providers.azure.azure_provider import AzureProvider
|
||||
from prowler.providers.azure.models import (
|
||||
AzureIdentityInfo,
|
||||
AzureOutputOptions,
|
||||
AzureRegionConfig,
|
||||
)
|
||||
|
||||
|
||||
class TestAzureProvider:
|
||||
def test_azure_provider(self):
|
||||
arguments = Namespace()
|
||||
arguments.subscription_ids = None
|
||||
arguments.tenant_id = None
|
||||
# We need to set exactly one auth method
|
||||
arguments.az_cli_auth = True
|
||||
arguments.sp_env_auth = None
|
||||
arguments.browser_auth = None
|
||||
arguments.managed_identity_auth = None
|
||||
|
||||
arguments.config_file = default_config_file_path
|
||||
arguments.azure_region = "AzureCloud"
|
||||
|
||||
with patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
|
||||
return_value=AzureIdentityInfo(),
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
|
||||
return_value={},
|
||||
):
|
||||
azure_provider = AzureProvider(arguments)
|
||||
|
||||
assert azure_provider.region_config == AzureRegionConfig(
|
||||
name="AzureCloud",
|
||||
authority=None,
|
||||
base_url="https://management.azure.com",
|
||||
credential_scopes=["https://management.azure.com/.default"],
|
||||
)
|
||||
assert isinstance(azure_provider.session, DefaultAzureCredential)
|
||||
assert azure_provider.identity == AzureIdentityInfo(
|
||||
identity_id="",
|
||||
identity_type="",
|
||||
tenant_ids=[],
|
||||
tenant_domain="Unknown tenant domain (missing AAD permissions)",
|
||||
subscriptions={},
|
||||
locations={},
|
||||
)
|
||||
assert azure_provider.audit_config == {
|
||||
"shodan_api_key": None,
|
||||
"php_latest_version": "8.2",
|
||||
"python_latest_version": "3.12",
|
||||
"java_latest_version": "17",
|
||||
}
|
||||
|
||||
def test_azure_provider_not_auth_methods(self):
|
||||
arguments = Namespace()
|
||||
arguments.subscription_ids = None
|
||||
arguments.tenant_id = None
|
||||
# We need to set exactly one auth method
|
||||
arguments.az_cli_auth = None
|
||||
arguments.sp_env_auth = None
|
||||
arguments.browser_auth = None
|
||||
arguments.managed_identity_auth = None
|
||||
|
||||
arguments.config_file = default_config_file_path
|
||||
arguments.azure_region = "AzureCloud"
|
||||
|
||||
with patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
|
||||
return_value=AzureIdentityInfo(),
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
|
||||
return_value={},
|
||||
):
|
||||
|
||||
with pytest.raises(SystemExit) as exception:
|
||||
_ = AzureProvider(arguments)
|
||||
assert exception.type == SystemExit
|
||||
assert (
|
||||
exception.value.args[0]
|
||||
== "Azure provider requires at least one authentication method set: [--az-cli-auth | --sp-env-auth | --browser-auth | --managed-identity-auth]"
|
||||
)
|
||||
|
||||
def test_azure_provider_browser_auth_but_not_tenant_id(self):
|
||||
arguments = Namespace()
|
||||
arguments.subscription_ids = None
|
||||
arguments.tenant_id = None
|
||||
# We need to set exactly one auth method
|
||||
arguments.az_cli_auth = None
|
||||
arguments.sp_env_auth = None
|
||||
arguments.browser_auth = True
|
||||
arguments.managed_identity_auth = None
|
||||
|
||||
arguments.config_file = default_config_file_path
|
||||
arguments.azure_region = "AzureCloud"
|
||||
|
||||
with patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
|
||||
return_value=AzureIdentityInfo(),
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
|
||||
return_value={},
|
||||
):
|
||||
|
||||
with pytest.raises(SystemExit) as exception:
|
||||
_ = AzureProvider(arguments)
|
||||
assert exception.type == SystemExit
|
||||
assert (
|
||||
exception.value.args[0]
|
||||
== "Azure Tenant ID (--tenant-id) is required for browser authentication mode"
|
||||
)
|
||||
|
||||
def test_azure_provider_not_browser_auth_but_tenant_id(self):
|
||||
arguments = Namespace()
|
||||
arguments.subscription_ids = None
|
||||
arguments.tenant_id = "test-tenant-id"
|
||||
# We need to set exactly one auth method
|
||||
arguments.az_cli_auth = None
|
||||
arguments.sp_env_auth = None
|
||||
arguments.browser_auth = False
|
||||
arguments.managed_identity_auth = None
|
||||
|
||||
arguments.config_file = default_config_file_path
|
||||
arguments.azure_region = "AzureCloud"
|
||||
|
||||
with patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
|
||||
return_value=AzureIdentityInfo(),
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
|
||||
return_value={},
|
||||
):
|
||||
|
||||
with pytest.raises(SystemExit) as exception:
|
||||
_ = AzureProvider(arguments)
|
||||
assert exception.type == SystemExit
|
||||
assert (
|
||||
exception.value.args[0]
|
||||
== "Azure provider requires at least one authentication method set: [--az-cli-auth | --sp-env-auth | --browser-auth | --managed-identity-auth]"
|
||||
)
|
||||
|
||||
@freeze_time(datetime.today())
|
||||
def test_azure_provider_output_options_with_domain(self):
|
||||
arguments = Namespace()
|
||||
arguments.subscription_ids = None
|
||||
arguments.tenant_id = None
|
||||
|
||||
# We need to set exactly one auth method
|
||||
arguments.az_cli_auth = None
|
||||
arguments.sp_env_auth = True
|
||||
arguments.browser_auth = None
|
||||
arguments.managed_identity_auth = None
|
||||
|
||||
arguments.config_file = default_config_file_path
|
||||
arguments.azure_region = "AzureCloud"
|
||||
|
||||
# Output Options
|
||||
arguments.output_modes = ["csv"]
|
||||
arguments.output_directory = "output_test_directory"
|
||||
arguments.status = []
|
||||
arguments.verbose = True
|
||||
arguments.only_logs = False
|
||||
arguments.unix_timestamp = False
|
||||
arguments.shodan = "test-api-key"
|
||||
|
||||
tenant_domain = "test-domain"
|
||||
with patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
|
||||
return_value=AzureIdentityInfo(tenant_domain=tenant_domain),
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
|
||||
return_value={},
|
||||
), patch(
|
||||
"prowler.providers.azure.azure_provider.AzureProvider.setup_session",
|
||||
return_value=DefaultAzureCredential(),
|
||||
):
|
||||
azure_provider = AzureProvider(arguments)
|
||||
|
||||
azure_provider.output_options = arguments, {}
|
||||
|
||||
assert isinstance(azure_provider.output_options, AzureOutputOptions)
|
||||
assert azure_provider.output_options.status == []
|
||||
assert azure_provider.output_options.output_modes == [
|
||||
"csv",
|
||||
]
|
||||
assert (
|
||||
azure_provider.output_options.output_directory
|
||||
== arguments.output_directory
|
||||
)
|
||||
assert azure_provider.output_options.bulk_checks_metadata == {}
|
||||
assert azure_provider.output_options.verbose
|
||||
# Flaky due to the millisecond part of the timestamp
|
||||
# assert (
|
||||
# azure_provider.output_options.output_filename
|
||||
# == f"prowler-output-{azure_provider.identity.tenant_domain}-{datetime.today().strftime('%Y%m%d%H%M%S')}"
|
||||
# )
|
||||
assert (
|
||||
f"prowler-output-{azure_provider.identity.tenant_domain}"
|
||||
in azure_provider.output_options.output_filename
|
||||
)
|
||||
|
||||
# Delete testing directory
|
||||
# TODO: move this to a fixtures file
|
||||
rmdir(f"{arguments.output_directory}/compliance")
|
||||
rmdir(arguments.output_directory)
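Review bot: `test_azure_provider_output_options_with_domain` writes `output_test_directory` into the current working directory and removes it with two `rmdir` calls only on the success path, so a failing assertion leaves the directory behind and the next run can fail on the pre-existing path. Take pytest's `tmp_path` fixture as a test argument and set `arguments.output_directory = str(tmp_path / "output_test_directory")`, which removes both the manual cleanup and the CWD dependency. The `@freeze_time(datetime.today())` decorator no longer pins anything the test asserts, since the filename check it supported was commented out as flaky; either drop it or restore the full timestamped filename assertion it was meant to make deterministic. The `assert exception.type == SystemExit` lines in the three `pytest.raises(SystemExit)` tests are redundant with the context manager.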
|
||||
|
||||
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_aks_cluster_rbac_enabled:
|
||||
@@ -11,6 +14,9 @@ class Test_aks_cluster_rbac_enabled:
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_aks_cluster_rbac_enabled:
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_aks_cluster_rbac_enabled:
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -55,6 +64,9 @@ class Test_aks_cluster_rbac_enabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_aks_cluster_rbac_enabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"RBAC is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"RBAC is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_rbac_not_enabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -91,6 +103,9 @@ class Test_aks_cluster_rbac_enabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_aks_cluster_rbac_enabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"RBAC is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"RBAC is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+29
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_aks_clusters_created_with_private_nodes:
|
||||
@@ -11,6 +14,9 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -55,6 +64,9 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_cluster_private_nodes(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -91,6 +103,9 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -104,17 +119,17 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Cluster 'cluster_name' was created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_cluster_public_and_private_nodes(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -131,6 +146,9 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -144,8 +162,8 @@ class Test_aks_clusters_created_with_private_nodes:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+29
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_aks_clusters_public_access_disabled:
|
||||
@@ -11,6 +14,9 @@ class Test_aks_clusters_public_access_disabled:
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_aks_clusters_public_access_disabled:
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_aks_clusters_public_access_disabled:
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -55,6 +64,9 @@ class Test_aks_clusters_public_access_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_aks_clusters_public_access_disabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_cluster_private_fqdn(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -91,6 +103,9 @@ class Test_aks_clusters_public_access_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -104,17 +119,17 @@ class Test_aks_clusters_public_access_disabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is disabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Public access to nodes is disabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_cluster_private_fqdn_with_public_ip(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -127,6 +142,9 @@ class Test_aks_clusters_public_access_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -140,8 +158,8 @@ class Test_aks_clusters_public_access_disabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
|
||||
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
|
||||
)
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
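Review bot: The `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` block added to every test method in this file is pasted verbatim, and the identical block recurs in the aks_network_policy_enabled, app_client_certificates_on, app_ensure_auth_is_set_up, app_ensure_http_is_redirected_to_https, app_ensure_java_version_is_latest and app_ensure_php_version_is_latest sections below; if the suite runs under pytest, a module-level `@pytest.fixture(autouse=True)` wrapping that one patch (or a small context-manager helper in azure_fixtures) would keep the patch target in a single place. The target is the name bound in `prowler.providers.common.common`; if a check module imports `get_global_provider` by name, the patch would not reach that reference, which I cannot verify from here. The surrounding `aks_client = mock.MagicMock` (context lines) binds the class rather than an instance, so the `clusters` dict assigned right before the new patch setup lives on the shared class object and persists across tests; `aks_client = mock.MagicMock()` would isolate them. Each `with` body opened by the new patch continues outside the hunk.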
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import Cluster
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_aks_network_policy_enabled:
|
||||
@@ -11,6 +14,9 @@ class Test_aks_network_policy_enabled:
|
||||
aks_client.clusters = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_aks_network_policy_enabled:
|
||||
|
||||
def test_aks_subscription_empty(self):
|
||||
aks_client = mock.MagicMock
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
|
||||
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_aks_network_policy_enabled:
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -55,6 +64,9 @@ class Test_aks_network_policy_enabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_aks_network_policy_enabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Network policy is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Network policy is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_aks_network_policy_disabled(self):
|
||||
aks_client = mock.MagicMock
|
||||
cluster_id = str(uuid4())
|
||||
aks_client.clusters = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
cluster_id: Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -91,6 +103,9 @@ class Test_aks_network_policy_enabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
|
||||
new=aks_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_aks_network_policy_enabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Network policy is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Network policy is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "cluster_name"
|
||||
assert result[0].resource_id == cluster_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
@@ -2,14 +2,14 @@ from unittest.mock import patch
|
||||
|
||||
from prowler.providers.azure.services.aks.aks_service import AKS, Cluster
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
def mock_aks_get_clusters(_):
|
||||
return {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"cluster_id-1": Cluster(
|
||||
name="cluster_name",
|
||||
public_fqdn="public_fqdn",
|
||||
@@ -28,33 +28,36 @@ def mock_aks_get_clusters(_):
|
||||
)
|
||||
class Test_AppInsights_Service:
|
||||
def test__get_client__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
aks = AKS(set_mocked_azure_provider())
|
||||
assert (
|
||||
aks.clients[AZURE_SUBSCRIPTION].__class__.__name__
|
||||
aks.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
|
||||
== "ContainerServiceClient"
|
||||
)
|
||||
|
||||
def test__get_subscriptions__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
aks = AKS(set_mocked_azure_provider())
|
||||
assert aks.subscriptions.__class__.__name__ == "dict"
|
||||
|
||||
def test__get_components__(self):
|
||||
aks = AKS(set_mocked_azure_audit_info())
|
||||
aks = AKS(set_mocked_azure_provider())
|
||||
assert len(aks.clusters) == 1
|
||||
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].name == "cluster_name"
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].public_fqdn
|
||||
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].name == "cluster_name"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].public_fqdn
|
||||
== "public_fqdn"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].private_fqdn
|
||||
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].private_fqdn
|
||||
== "private_fqdn"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].network_policy
|
||||
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].network_policy
|
||||
== "network_policy"
|
||||
)
|
||||
assert (
|
||||
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].agent_pool_profiles == []
|
||||
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].agent_pool_profiles
|
||||
== []
|
||||
)
|
||||
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].rbac_enabled
|
||||
assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled
|
||||
|
||||
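Review bot: The enclosing class is still named `Test_AppInsights_Service` although every method in it exercises the AKS service and this commit touches each of them, so renaming it to `Test_AKS_Service` would be cheap here. `test__get_client__` now builds `AKS(set_mocked_azure_provider())` and asserts on a real `ContainerServiceClient`, so a one-line comment such as `# only client construction is exercised; no Azure request is issued` would document what the mocked provider is expected to supply. The adjacent `assert aks.subscriptions.__class__.__name__ == "dict"` (context line) would read more idiomatically as `assert isinstance(aks.subscriptions, dict)`. Where `mock_aks_get_clusters` is patched in is outside this hunk.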
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_client_certificates_on:
|
||||
@@ -11,6 +14,9 @@ class Test_app_client_certificates_on:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_client_certificates_on:
|
||||
|
||||
def test_app_subscription_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_client_certificates_on:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_client_certificates_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_client_certificates_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Clients are required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Clients are required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_client_certificates_off(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_client_certificates_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_app_client_certificates_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Clients are not required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Clients are not required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_auth_is_set_up:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_auth_is_set_up:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_auth_is_set_up:
|
||||
|
||||
def test_app_subscription_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_auth_is_set_up:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_auth_is_set_up:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_ensure_auth_is_set_up:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Authentication is set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Authentication is set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_auth_disabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=False,
|
||||
@@ -91,6 +103,9 @@ class Test_app_ensure_auth_is_set_up:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_app_ensure_auth_is_set_up:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Authentication is not set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Authentication is not set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_http_is_redirected_to_https:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
|
||||
def test_app_subscriptions_empty_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"HTTP is not redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"HTTP is not redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_http_to_https_enabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_app_ensure_http_is_redirected_to_https:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"HTTP is redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"HTTP is redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+43
-16
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_java_version_is_latest:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_java_version_is_latest:
|
||||
|
||||
def test_app_subscriptions_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_java_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -70,7 +82,7 @@ class Test_app_ensure_java_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -87,6 +99,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.audit_config = {"java_latest_version": "17"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -100,17 +115,17 @@ class Test_app_ensure_java_version_is_latest:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_linux_java_version_not_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -127,6 +142,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.audit_config = {"java_latest_version": "17"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -140,17 +158,17 @@ class Test_app_ensure_java_version_is_latest:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Java version is set to 'Tomcat|9.0-java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Java version is set to 'Tomcat|9.0-java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_windows_java_version_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -167,6 +185,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.audit_config = {"java_latest_version": "17"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -180,17 +201,17 @@ class Test_app_ensure_java_version_is_latest:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_windows_java_version_not_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -207,6 +228,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.audit_config = {"java_latest_version": "17"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -220,17 +244,17 @@ class Test_app_ensure_java_version_is_latest:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Java version is set to 'java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Java version is set to 'java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_linux_php_version_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -247,6 +271,9 @@ class Test_app_ensure_java_version_is_latest:
|
||||
app_client.audit_config = {"java_latest_version": "17"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
|
||||
+27
-9
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_php_version_is_latest:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_php_version_is_latest:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_php_version_is_latest:
|
||||
|
||||
def test_app_subscription_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_php_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_php_version_is_latest:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -70,7 +82,7 @@ class Test_app_ensure_php_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -85,6 +97,9 @@ class Test_app_ensure_php_version_is_latest:
|
||||
app_client.audit_config = {"php_latest_version": "8.2"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -98,17 +113,17 @@ class Test_app_ensure_php_version_is_latest:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"PHP version is set to 'php|8.0', the latest version that you could use is the '8.2' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"PHP version is set to 'php|8.0', the latest version that you could use is the '8.2' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_php_version_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -123,6 +138,9 @@ class Test_app_ensure_php_version_is_latest:
|
||||
app_client.audit_config = {"php_latest_version": "8.2"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -136,8 +154,8 @@ class Test_app_ensure_php_version_is_latest:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"PHP version is set to '8.2' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"PHP version is set to '8.2' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
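Review bot: `app_client = mock.MagicMock` at the top of each test in this file binds the `MagicMock` class, not an instance, so `app_client.apps = ...` and `app_client.audit_config = {"php_latest_version": "8.2"}` are written onto the shared class object and the newly added `mock.patch(..., new=app_client)` injects that class into the check module. Any value one test sets therefore survives into later tests that never set it (the empty-subscription tests here run without an `audit_config` of their own), which masks test-ordering bugs. This predates the commit, but the added patch lines are where the shared object now takes effect, so it is worth fixing in the same pass: `app_client = mock.MagicMock()`. The test bodies continue outside the hunks shown here.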
|
||||
|
||||
+27
-9
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_python_version_is_latest:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_python_version_is_latest:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_python_version_is_latest:
|
||||
|
||||
def test_app_subscriptions_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_python_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_python_version_is_latest:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -70,7 +82,7 @@ class Test_app_ensure_python_version_is_latest:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -85,6 +97,9 @@ class Test_app_ensure_python_version_is_latest:
|
||||
app_client.audit_config = {"python_latest_version": "3.12"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -98,17 +113,17 @@ class Test_app_ensure_python_version_is_latest:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Python version is set to '3.12' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Python version is set to '3.12' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_python_version_not_latest(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -123,6 +138,9 @@ class Test_app_ensure_python_version_is_latest:
|
||||
app_client.audit_config = {"python_latest_version": "3.12"}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -136,8 +154,8 @@ class Test_app_ensure_python_version_is_latest:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Python version is 'python|3.10', the latest version that you could use is the '3.12' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Python version is 'python|3.10', the latest version that you could use is the '3.12' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
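Review bot: The added `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` replaces the name in the module that defines it; if the check under test or its base class imports `get_global_provider` by name at import time, the patched attribute is never looked up and the real provider would be used instead. Whether that is the case cannot be confirmed from this hunk, so it is worth verifying once that the check code resolves the function through the module, or otherwise patching the name in the module where the check looks it up. None of the assertions here would catch a patch that does not take effect, since they only inspect `app_client` data. The test bodies continue outside the hunks shown here.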
|
||||
|
||||
+29
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ensure_using_http20:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ensure_using_http20:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ensure_using_http20:
|
||||
|
||||
def test_app_subscription_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ensure_using_http20:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ensure_using_http20:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_ensure_using_http20:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_http20_enabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_ensure_using_http20:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,17 +119,17 @@ class Test_app_ensure_using_http20:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"HTTP/2.0 is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"HTTP/2.0 is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_http20_not_enabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -127,6 +142,9 @@ class Test_app_ensure_using_http20:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -140,8 +158,8 @@ class Test_app_ensure_using_http20:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
+29
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_ftp_deployment_disabled:
|
||||
@@ -11,6 +14,9 @@ class Test_app_ftp_deployment_disabled:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_ftp_deployment_disabled:
|
||||
|
||||
def test_app_subscriptions_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_ftp_deployment_disabled:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_ftp_deployment_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_ftp_deployment_disabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_ftp_deployment_disabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_ftp_deployment_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,17 +119,17 @@ class Test_app_ftp_deployment_disabled:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_ftp_deploy_enabled(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -127,6 +142,9 @@ class Test_app_ftp_deployment_disabled:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -140,8 +158,8 @@ class Test_app_ftp_deployment_disabled:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"FTP is disabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"FTP is disabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
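Review bot: The test names in this file contradict their assertions: `test_app_ftp_deployment_disabled` asserts `status == "FAIL"` with "FTP is enabled for app ...", while `test_app_ftp_deploy_enabled` asserts `status == "PASS"` with "FTP is disabled for app ...". The `WebApp(...)` fixture fields that drive the outcome are outside the visible lines, so presumably the assertions are the intended ones and the names are swapped; renaming them to `test_app_ftp_deployment_enabled` and `test_app_ftp_deployment_disabled` respectively would stop a failure report from pointing at the wrong scenario. Since the commit already edits both tests, this is cheap to fold in.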
|
||||
|
||||
+29
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_minimum_tls_version_12:
|
||||
@@ -11,6 +14,9 @@ class Test_app_minimum_tls_version_12:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_minimum_tls_version_12:
|
||||
|
||||
def test_app_subscriptions_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_minimum_tls_version_12:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_minimum_tls_version_12:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_minimum_tls_version_12:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_min_tls_version_12(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_minimum_tls_version_12:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,17 +119,17 @@ class Test_app_minimum_tls_version_12:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Minimum TLS version is set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Minimum TLS version is set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_min_tls_version_10(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=False,
|
||||
@@ -127,6 +142,9 @@ class Test_app_minimum_tls_version_12:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -140,8 +158,8 @@ class Test_app_minimum_tls_version_12:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
|
||||
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
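Review bot: The visible cases pin only a PASS for minimum TLS 1.2 and FAILs whose message reads "Minimum TLS version is not set to 1.2", which leaves open whether a stricter setting such as TLS 1.3 is accepted or wrongly reported as a failure. The check's comparison is not in this hunk, so this is worth confirming with one more case: copy `test_app_min_tls_version_12`, set the fixture's minimum TLS version to "1.3", and assert `status == "PASS"` if the check is meant to enforce "at least 1.2". If the check really requires exactly 1.2, the status message should say so, because flagging TLS 1.3 as non-compliant would push users toward a weaker configuration.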
|
||||
|
||||
+23
-8
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import WebApp
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_app_register_with_identity:
|
||||
@@ -11,6 +14,9 @@ class Test_app_register_with_identity:
|
||||
app_client.apps = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -24,9 +30,12 @@ class Test_app_register_with_identity:
|
||||
|
||||
def test_app_subscriptions_empty(self):
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {AZURE_SUBSCRIPTION: {}}
|
||||
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -42,7 +51,7 @@ class Test_app_register_with_identity:
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -55,6 +64,9 @@ class Test_app_register_with_identity:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -68,17 +80,17 @@ class Test_app_register_with_identity:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' does not have an identity configured."
|
||||
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}' does not have an identity configured."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
def test_app_identity(self):
|
||||
resource_id = f"/subscriptions/{uuid4()}"
|
||||
app_client = mock.MagicMock
|
||||
app_client.apps = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id=resource_id,
|
||||
auth_enabled=True,
|
||||
@@ -91,6 +103,9 @@ class Test_app_register_with_identity:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
|
||||
new=app_client,
|
||||
):
|
||||
@@ -104,8 +119,8 @@ class Test_app_register_with_identity:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' has an identity configured."
|
||||
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}' has an identity configured."
|
||||
)
|
||||
assert result[0].resource_id == resource_id
|
||||
assert result[0].resource_name == "app_id-1"
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
|
||||
@@ -4,14 +4,14 @@ from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource
|
||||
|
||||
from prowler.providers.azure.services.app.app_service import App, WebApp
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
def mock_app_get_apps(self):
|
||||
return {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": WebApp(
|
||||
resource_id="/subscriptions/resource_id",
|
||||
configurations=SiteConfigResource(),
|
||||
@@ -30,42 +30,42 @@ def mock_app_get_apps(self):
|
||||
)
|
||||
class Test_App_Service:
|
||||
def test__get_client__(self):
|
||||
app_service = App(set_mocked_azure_audit_info())
|
||||
app_service = App(set_mocked_azure_provider())
|
||||
assert (
|
||||
app_service.clients[AZURE_SUBSCRIPTION].__class__.__name__
|
||||
app_service.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
|
||||
== "WebSiteManagementClient"
|
||||
)
|
||||
|
||||
def test__get_subscriptions__(self):
|
||||
app_service = App(set_mocked_azure_audit_info())
|
||||
app_service = App(set_mocked_azure_provider())
|
||||
assert app_service.subscriptions.__class__.__name__ == "dict"
|
||||
|
||||
def test__get_apps__(self):
|
||||
app_service = App(set_mocked_azure_audit_info())
|
||||
app_service = App(set_mocked_azure_provider())
|
||||
assert len(app_service.apps) == 1
|
||||
assert (
|
||||
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].resource_id
|
||||
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_id
|
||||
== "/subscriptions/resource_id"
|
||||
)
|
||||
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].auth_enabled
|
||||
assert app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].auth_enabled
|
||||
assert (
|
||||
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].client_cert_mode
|
||||
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].client_cert_mode
|
||||
== "Required"
|
||||
)
|
||||
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].https_only
|
||||
assert app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].https_only
|
||||
assert (
|
||||
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].identity.type
|
||||
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].identity.type
|
||||
== "SystemAssigned"
|
||||
)
|
||||
assert (
|
||||
app_service.apps[AZURE_SUBSCRIPTION][
|
||||
app_service.apps[AZURE_SUBSCRIPTION_ID][
|
||||
"app_id-1"
|
||||
].configurations.__class__.__name__
|
||||
== "SiteConfigResource"
|
||||
)
|
||||
|
||||
def test__get_client_cert_mode__(self):
|
||||
app_service = App(set_mocked_azure_audit_info())
|
||||
app_service = App(set_mocked_azure_provider())
|
||||
assert (
|
||||
app_service.__get_client_cert_mode__(False, "OptionalInteractiveUser")
|
||||
== "Ignore"
|
||||
|
||||
+19
-7
@@ -1,7 +1,10 @@
|
||||
from unittest import mock
|
||||
|
||||
from prowler.providers.azure.services.appinsights.appinsights_service import Component
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_appinsights_ensure_is_configured:
|
||||
@@ -10,6 +13,9 @@ class Test_appinsights_ensure_is_configured:
|
||||
appinsights_client.components = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
|
||||
new=appinsights_client,
|
||||
):
|
||||
@@ -23,9 +29,12 @@ class Test_appinsights_ensure_is_configured:
|
||||
|
||||
def test_no_appinsights(self):
|
||||
appinsights_client = mock.MagicMock
|
||||
appinsights_client.components = {AZURE_SUBSCRIPTION: {}}
|
||||
appinsights_client.components = {AZURE_SUBSCRIPTION_ID: {}}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
|
||||
new=appinsights_client,
|
||||
):
|
||||
@@ -36,19 +45,19 @@ class Test_appinsights_ensure_is_configured:
|
||||
check = appinsights_ensure_is_configured()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].resource_id == "AppInsights"
|
||||
assert result[0].resource_name == "AppInsights"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There are no AppInsight configured in susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There are no AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
|
||||
def test_appinsights_configured(self):
|
||||
appinsights_client = mock.MagicMock
|
||||
appinsights_client.components = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": Component(
|
||||
resource_id="/subscriptions/resource_id",
|
||||
resource_name="AppInsightsTest",
|
||||
@@ -57,6 +66,9 @@ class Test_appinsights_ensure_is_configured:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
|
||||
new=appinsights_client,
|
||||
):
|
||||
@@ -67,11 +79,11 @@ class Test_appinsights_ensure_is_configured:
|
||||
check = appinsights_ensure_is_configured()
|
||||
result = check.execute()
|
||||
assert len(result) == 1
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].resource_id == "AppInsights"
|
||||
assert result[0].resource_name == "AppInsights"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is at least one AppInsight configured in susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is at least one AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
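Review bot: The same three-line `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` block is now pasted into every test of this class, and the identical block appears in the cosmosdb firewall, AAD/RBAC and private-endpoints tests and in both defender tests of this commit; an autouse fixture, or a small helper returning the combined patch context, would keep each test body down to the client setup and the assertions. Visible in the same hunks though not introduced here: `appinsights_client = mock.MagicMock` binds the class rather than an instance, so `.components` is set on `MagicMock` itself and is shared process-wide, which only works because every test reassigns it first — `mock.MagicMock()` is presumably what was intended, and the defender tests have the same pattern. The `susbscription` typo in the expected `status_extended` strings is carried into the new assertions (here and in the defender security-contact test); since the test pins the exact text, the check's message and these assertions should be corrected together.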
|
||||
|
||||
@@ -5,14 +5,14 @@ from prowler.providers.azure.services.appinsights.appinsights_service import (
|
||||
Component,
|
||||
)
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
def mock_appinsights_get_components(_):
|
||||
return {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"app_id-1": Component(
|
||||
resource_id="/subscriptions/resource_id",
|
||||
resource_name="AppInsightsTest",
|
||||
@@ -27,24 +27,24 @@ def mock_appinsights_get_components(_):
|
||||
)
|
||||
class Test_AppInsights_Service:
|
||||
def test__get_client__(self):
|
||||
app_insights = AppInsights(set_mocked_azure_audit_info())
|
||||
app_insights = AppInsights(set_mocked_azure_provider())
|
||||
assert (
|
||||
app_insights.clients[AZURE_SUBSCRIPTION].__class__.__name__
|
||||
app_insights.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
|
||||
== "ApplicationInsightsManagementClient"
|
||||
)
|
||||
|
||||
def test__get_subscriptions__(self):
|
||||
app_insights = AppInsights(set_mocked_azure_audit_info())
|
||||
app_insights = AppInsights(set_mocked_azure_provider())
|
||||
assert app_insights.subscriptions.__class__.__name__ == "dict"
|
||||
|
||||
def test__get_components__(self):
|
||||
appinsights = AppInsights(set_mocked_azure_audit_info())
|
||||
appinsights = AppInsights(set_mocked_azure_provider())
|
||||
assert len(appinsights.components) == 1
|
||||
assert (
|
||||
appinsights.components[AZURE_SUBSCRIPTION]["app_id-1"].resource_id
|
||||
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_id
|
||||
== "/subscriptions/resource_id"
|
||||
)
|
||||
assert (
|
||||
appinsights.components[AZURE_SUBSCRIPTION]["app_id-1"].resource_name
|
||||
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_name
|
||||
== "AppInsightsTest"
|
||||
)
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
@@ -11,6 +14,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
cosmosdb_client.accounts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -27,7 +33,7 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -42,6 +48,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -55,9 +64,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} has firewall rules that allow access from all networks."
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} has firewall rules that allow access from all networks."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
@@ -66,7 +75,7 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -81,6 +90,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -94,8 +106,8 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} has firewall rules that allow access only from selected networks."
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} has firewall rules that allow access only from selected networks."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
@@ -11,6 +14,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
cosmosdb_client.accounts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -27,7 +33,7 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -43,6 +49,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -56,9 +65,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is not using AAD and RBAC"
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is not using AAD and RBAC"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
@@ -67,7 +76,7 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -83,6 +92,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -96,8 +108,8 @@ class Test_cosmosdb_account_use_aad_and_rbac:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is using AAD and RBAC"
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is using AAD and RBAC"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
+19
-7
@@ -4,7 +4,10 @@ from uuid import uuid4
|
||||
from azure.mgmt.cosmosdb.models import PrivateEndpointConnection
|
||||
|
||||
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_cosmosdb_account_use_private_endpoints:
|
||||
@@ -13,6 +16,9 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
cosmosdb_client.accounts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -29,7 +35,7 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -45,6 +51,9 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -58,9 +67,9 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is not using private endpoints connections"
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is not using private endpoints connections"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
@@ -69,7 +78,7 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
account_name = "Account Name"
|
||||
account_id = str(uuid4())
|
||||
cosmosdb_client.accounts = {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id=account_id,
|
||||
name=account_name,
|
||||
@@ -89,6 +98,9 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
|
||||
new=cosmosdb_client,
|
||||
):
|
||||
@@ -102,8 +114,8 @@ class Test_cosmosdb_account_use_private_endpoints:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is using private endpoints connections"
|
||||
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is using private endpoints connections"
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == account_name
|
||||
assert result[0].resource_id == account_id
|
||||
|
||||
@@ -2,14 +2,14 @@ from unittest.mock import patch
|
||||
|
||||
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION,
|
||||
set_mocked_azure_audit_info,
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
def mock_cosmosdb_get_accounts(_):
|
||||
return {
|
||||
AZURE_SUBSCRIPTION: [
|
||||
AZURE_SUBSCRIPTION_ID: [
|
||||
Account(
|
||||
id="account_id",
|
||||
name="account_name",
|
||||
@@ -30,23 +30,25 @@ def mock_cosmosdb_get_accounts(_):
|
||||
)
|
||||
class Test_CosmosDB_Service:
|
||||
def test__get_client__(self):
|
||||
account = CosmosDB(set_mocked_azure_audit_info())
|
||||
account = CosmosDB(set_mocked_azure_provider())
|
||||
assert (
|
||||
account.clients[AZURE_SUBSCRIPTION].__class__.__name__
|
||||
account.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
|
||||
== "CosmosDBManagementClient"
|
||||
)
|
||||
|
||||
def test__get_accounts__(self):
|
||||
account = CosmosDB(set_mocked_azure_audit_info())
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].__class__.__name__ == "Account"
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].id == "account_id"
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].name == "account_name"
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].kind is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].location is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].type is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].tags is None
|
||||
account = CosmosDB(set_mocked_azure_provider())
|
||||
assert (
|
||||
account.accounts[AZURE_SUBSCRIPTION][0].is_virtual_network_filter_enabled
|
||||
account.accounts[AZURE_SUBSCRIPTION_ID][0].__class__.__name__ == "Account"
|
||||
)
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].id == "account_id"
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].name == "account_name"
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].kind is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].location is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].type is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].tags is None
|
||||
assert (
|
||||
account.accounts[AZURE_SUBSCRIPTION_ID][0].is_virtual_network_filter_enabled
|
||||
is None
|
||||
)
|
||||
assert account.accounts[AZURE_SUBSCRIPTION][0].disable_local_auth is None
|
||||
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].disable_local_auth is None
|
||||
|
||||
+45
-21
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import SecurityContacts
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
defender_client.security_contacts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="",
|
||||
@@ -40,6 +46,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -53,9 +62,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -63,7 +72,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="bad_email",
|
||||
@@ -77,6 +86,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -90,9 +102,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -100,7 +112,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="test@test.es, test@test.email.com",
|
||||
@@ -114,6 +126,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -127,9 +142,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -137,7 +152,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="test@test.com",
|
||||
@@ -151,6 +166,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -164,9 +182,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -174,7 +192,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="test@test.mail.es; bad_mail",
|
||||
@@ -188,6 +206,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -201,18 +222,18 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
def test_defender_default_security_contact_not_found(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
|
||||
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
|
||||
emails="",
|
||||
phone="",
|
||||
alert_notifications_minimal_severity="",
|
||||
@@ -224,6 +245,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -237,11 +261,11 @@ class Test_defender_additional_email_configured_with_a_security_contact:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
|
||||
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
|
||||
== f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
|
||||
)
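Review bot: The expected outcomes for `emails="test@test.es, test@test.email.com"` (FAIL) and `emails="test@test.mail.es; bad_mail"` (PASS) are not explained anywhere in this test, and they only make sense if the check splits the contact list on `;` and treats the comma-joined string as a single malformed address — that is an inference from the asserted results, not something the file states. A one-line comment on each of those two cases, e.g. `# two addresses joined by "," are expected to FAIL: the check presumably splits on ";" only — confirm against defender_service`, would stop the next maintainer from "fixing" the FAIL case by hand. The points raised on the appinsights test (duplicated get_global_provider patch block, `defender_client = mock.MagicMock` binding the class instead of an instance, the `susbscription` typo in the pinned messages) apply to every test in this section as well.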
|
||||
|
||||
+21
-6
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Assesment
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_assessments_vm_endpoint_protection_installed:
@@ -11,6 +14,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client.assessments = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -24,9 +30,12 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
|
def test_defender_subscriptions_with_no_assessments(self):
defender_client = mock.MagicMock
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -42,7 +51,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client = mock.MagicMock
resource_id = str(uuid4())
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Install endpoint protection solution on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -52,6 +61,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -65,7 +77,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Endpoint protection is set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Endpoint protection is set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -74,7 +86,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client = mock.MagicMock
resource_id = str(uuid4())
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Install endpoint protection solution on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -84,6 +96,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -97,7 +112,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Endpoint protection is not set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Endpoint protection is not set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
|
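Review bot: `defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}` in test_defender_subscriptions_with_no_assessments is assigned onto the `mock.MagicMock` class itself, because the preceding `defender_client = mock.MagicMock` binds the class rather than an instance; the same pattern appears in every test method of this module and in the other defender test modules of this commit. The attribute therefore persists on the shared class between tests, so a test that forgets to set it silently inherits the previous test's data, and assertions that read expected values back through `defender_client.assessments[...]` are checking that shared state. Changing the binding to `defender_client = mock.MagicMock()` keeps the fixture per test without touching anything else. The test bodies are cut by the hunk boundaries, so the lines that collect `result` are not visible here.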
+27
-12
@@ -4,7 +4,10 @@ from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import (
AutoProvisioningSetting,
)
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
|
|
class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
@@ -13,6 +16,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
defender_client.auto_provisioning_settings = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -28,7 +34,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -39,6 +45,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -52,9 +61,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to OFF."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
|
@@ -62,7 +71,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -73,6 +82,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -86,9 +98,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to ON."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to ON."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
|
@@ -96,7 +108,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -113,6 +125,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -126,17 +141,17 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to ON."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to ON."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
|
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to OFF."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF."
)
assert result[1].subscription == AZURE_SUBSCRIPTION
assert result[1].subscription == AZURE_SUBSCRIPTION_ID
assert result[1].resource_name == "default2"
assert result[1].resource_id == resource_id
|
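Review bot: The three-line `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` block is pasted verbatim into all four test methods of this class, and the same block recurs in every other defender test module touched by this commit, so any future change to how the mocked provider is built has to be repeated in each method. A class-level autouse fixture would apply that patch once per test and let each method keep only its `defender_client` patch, while still calling `set_mocked_azure_provider()` fresh for every test. The fixture needs `pytest` imported at the top of the module, which is outside the visible hunks, as are the test bodies that would shrink to a single `with mock.patch(...)`.
```python
class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
    @pytest.fixture(autouse=True)
    def _mock_global_provider(self):
        # Applied around every test method; replaces the first patch in each `with`.
        with mock.patch(
            "prowler.providers.common.common.get_global_provider",
            return_value=set_mocked_azure_provider(),
        ):
            yield

    # … unchanged: test methods, each keeping only the defender_client patch …
```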
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
|
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
|
|
class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
@@ -11,6 +14,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
defender_client.assessments = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Machines should have a vulnerability assessment solution": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -36,6 +42,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Vulnerability assessment is not set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Vulnerability assessment is not set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
|
@@ -59,7 +68,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Machines should have a vulnerability assessment solution": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -69,6 +78,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Vulnerability assessment is set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Vulnerability assessment is set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
|
+35
-14
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
|
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
|
|
class Test_defender_container_images_resolved_vulnerabilities:
@@ -11,6 +14,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
defender_client.assessments = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -24,9 +30,12 @@ class Test_defender_container_images_resolved_vulnerabilities:
|
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -41,7 +50,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_no_assesment(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -51,6 +60,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -65,7 +77,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_unhealthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -75,6 +87,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -88,26 +103,26 @@ class Test_defender_container_images_resolved_vulnerabilities:
assert result[0].status == "FAIL"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].status_extended
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
|
def test_defender_subscription_assesment_healthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -117,6 +132,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -130,26 +148,26 @@ class Test_defender_container_images_resolved_vulnerabilities:
assert result[0].status == "PASS"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].status_extended
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
|
def test_defender_subscription_assesment_not_applicable(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -159,6 +177,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
|
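Review bot: The assertions in test_defender_subscription_assesment_unhealthy and test_defender_subscription_assesment_healthy compare `result[0].resource_id` and `result[0].resource_name` against values read back from `defender_client.assessments[AZURE_SUBSCRIPTION_ID][...]`, which is the same mutable dict the check under test consumes, and the expected ids are generated inline with `resource_id=str(uuid4())`. Binding the expected values first, as the sibling modules in this commit already do (`resource_id = str(uuid4())` before the dict, `resource_id=resource_id,` inside it, then `assert result[0].resource_id == resource_id`), makes the assertion independent of anything the check might do to that dict and is shorter to read. The same read-back pattern appears in defender_container_images_scan_enabled via `defender_client.pricings[AZURE_SUBSCRIPTION_ID]["Containers"].resource_id`. The test bodies continue outside the hunks, so the lines that build `result` are not visible here.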
+36
-15
@@ -3,7 +3,10 @@ from unittest import mock
from uuid import uuid4
|
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
|
|
class Test_defender_container_images_scan_enabled:
@@ -12,6 +15,9 @@ class Test_defender_container_images_scan_enabled:
defender_client.pricings = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -25,9 +31,12 @@ class Test_defender_container_images_scan_enabled:
|
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.pricings = {AZURE_SUBSCRIPTION: {}}
defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -42,7 +51,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_no_containers(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"NotContainers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -52,6 +61,9 @@ class Test_defender_container_images_scan_enabled:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -66,7 +78,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_no_extensions(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -77,6 +89,9 @@ class Test_defender_container_images_scan_enabled:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -89,21 +104,21 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
def test_defender_subscription_containers_container_images_scan_off(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -114,6 +129,9 @@ class Test_defender_container_images_scan_enabled:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -126,21 +144,21 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
def test_defender_subscription_containers_container_images_scan_on(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -151,6 +169,9 @@ class Test_defender_container_images_scan_enabled:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -163,13 +184,13 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].status_extended == (
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
|
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
|
|
class Test_defender_ensure_defender_for_app_services_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
defender_client.pricings = {}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"AppServices": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan App Services"
assert result[0].resource_id == resource_id
|
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"AppServices": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
}
|
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_app_services_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan App Services"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_arm_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Arm": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan ARM"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Arm": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_arm_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan ARM"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
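Review bot: The rewritten `with` block in each test still installs `defender_client` through `new=defender_client`, while the context line `defender_client = mock.MagicMock` a few lines above binds the MagicMock class itself, not an instance; `defender_client.pricings = {...}` therefore sets a class attribute that `mock.patch` does not undo when the block exits and that any later `mock.MagicMock` in the session can observe through normal attribute lookup. That leaves the FAIL/PASS cases order-dependent, since a test that did not assign `pricings` would appear to see the previous test's dictionary rather than an empty mock. The commit touches these blocks but leaves the binding as is; `defender_client = mock.MagicMock()` gives every test its own object and keeps `pricings` local to it. The same pattern is visible in the app_services, azure_sql_databases, containers, cosmosdb, databases, dns, keyvault and os_relational_databases test files of this commit, so the change belongs in all of them.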
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Azure SQL DB Servers"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Azure SQL DB Servers"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
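Review bot: The pair of `mock.patch` calls added to every test (`"prowler.providers.common.common.get_global_provider"` with `return_value=set_mocked_azure_provider()` followed by the per-check `defender_client` patch) is copied verbatim into each method of this file and of the arm, containers, cosmosdb, databases, dns, keyvault and os_relational_databases files, which is more than twenty identical seven-line blocks differing only in the check module path. Since `tests.providers.azure.azure_fixtures` already exports `set_mocked_azure_provider`, a small `contextlib.contextmanager` or pytest fixture there that takes the check module path and yields inside both patches would shrink each test to one `with` line and keep the provider patch target in a single place. As written, a later rename of `get_global_provider` has to be mirrored across every test file, and `mock.patch` will only report the stale target when the affected test runs.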
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_containers_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Containers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Container Registries"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Containers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_containers_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Container Registries"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"CosmosDbs": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Cosmos DB"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"CosmosDbs": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Cosmos DB"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
+35
-11
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_databases_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -51,7 +60,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServerVirtualMachines": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -61,6 +70,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -76,7 +88,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"OpenSourceRelationalDatabases": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -86,6 +98,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -101,7 +116,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"CosmosDbs": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -111,6 +126,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -126,7 +144,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -151,6 +169,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -164,9 +185,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Databases"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -174,7 +195,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"SqlServers": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -199,6 +220,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -212,8 +236,8 @@ class Test_defender_ensure_defender_for_databases_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan Databases"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_dns_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Dns": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan DNS"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Dns": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_dns_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan DNS"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
+19
-7
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Pricing
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
defender_client.pricings = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"KeyVaults": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Not Standard",
|
||||
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
|
||||
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan KeyVaults"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.pricings = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"KeyVaults": Pricing(
|
||||
resource_id=resource_id,
|
||||
pricing_tier="Standard",
|
||||
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
|
||||
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "Defender plan KeyVaults"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
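--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import Pricing
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_defender_for_os_relational_databases_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
         defender_client.pricings = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "OpenSourceRelationalDatabases": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
             new=defender_client,
         ):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
+                == f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert (
                 result[0].resource_name
                 == "Defender plan Open-Source Relational Databases"
@@ -62,7 +71,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "OpenSourceRelationalDatabases": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Standard",
@@ -72,6 +81,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
             new=defender_client,
         ):
@@ -85,9 +97,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
+                == f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert (
                 result[0].resource_name
                 == "Defender plan Open-Source Relational Databases"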
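Review bot: `defender_client = mock.MagicMock` in each test method of this section assigns the MagicMock class itself rather than an instance, so `defender_client.pricings = {...}` mutates a class attribute shared by every test in the process, and the patched module then receives the class through `new=defender_client`. Each test reassigns the attribute before use, so the assertions still hold, but state bleeds across tests and files and test order starts to matter the moment one assignment is missed. Prefer `defender_client = mock.MagicMock()` so every test gets its own isolated object. The same pattern appears in the server, SQL Server VMs, storage, IoT Hub, MCAS and notify-alerts sections below. The test methods containing these lines start outside the hunks.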
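--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import Pricing
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_defender_for_server_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_server_is_on:
         defender_client.pricings = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_server_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "VirtualMachines": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_server_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
             new=defender_client,
         ):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_server_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
+                == f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan Servers"
             assert result[0].resource_id == resource_id
 
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_server_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "VirtualMachines": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_server_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
             new=defender_client,
         ):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_server_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
+                == f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan Servers"
             assert result[0].resource_id == resource_id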
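Review bot: The nested `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` added in front of every existing `mock.patch(...defender_client, ...)` is copied verbatim into each test of this section and of every other defender test section in this commit, so the same three lines are repeated dozens of times. A helper in the fixtures module, or a pytest fixture that applies the provider patch once per test, would keep each test down to the single check-specific patch and give one place to update when the provider lookup moves again. This is a point of style; the behaviour of the tests is unaffected. Whether the check modules resolve `get_global_provider` through `prowler.providers.common.common` at call time cannot be seen from the hunks — confirm, since a `from ... import get_global_provider` at module import in a check would bypass this patch target.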
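--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import Pricing
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_defender_for_sql_servers_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
         defender_client.pricings = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "SqlServerVirtualMachines": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
             new=defender_client,
         ):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
+                == f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan SQL Server VMs"
             assert result[0].resource_id == resource_id
 
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "SqlServerVirtualMachines": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
             new=defender_client,
         ):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
+                == f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan SQL Server VMs"
             assert result[0].resource_id == resource_id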
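--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import Pricing
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_defender_for_storage_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
         defender_client.pricings = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "StorageAccounts": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
             new=defender_client,
         ):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
+                == f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan Storage Accounts"
             assert result[0].resource_id == resource_id
 
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.pricings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "StorageAccounts": Pricing(
                     resource_id=resource_id,
                     pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
             new=defender_client,
         ):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_storage_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
+                == f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "Defender plan Storage Accounts"
             assert result[0].resource_id == resource_id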
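--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -4,7 +4,10 @@ from uuid import uuid4
 from prowler.providers.azure.services.defender.defender_service import (
     IoTSecuritySolution,
 )
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_iot_hub_defender_is_on:
@@ -13,6 +16,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         defender_client.iot_security_solutions = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
             new=defender_client,
         ):
@@ -26,9 +32,12 @@ class Test_defender_ensure_iot_hub_defender_is_on:
 
     def test_defender_no_iot_hub_solutions(self):
         defender_client = mock.MagicMock
-        defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION: {}}
+        defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
             new=defender_client,
         ):
@@ -42,7 +51,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"No IoT Security Solutions found in the subscription {AZURE_SUBSCRIPTION}."
+                == f"No IoT Security Solutions found in the subscription {AZURE_SUBSCRIPTION_ID}."
             )
             assert result[0].resource_name == "IoT Hub Defender"
             assert result[0].resource_id == "IoT Hub Defender"
@@ -51,7 +60,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.iot_security_solutions = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "iot_sec_solution": IoTSecuritySolution(
                     resource_id=resource_id, status="Disabled"
                 )
@@ -59,6 +68,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
             new=defender_client,
         ):
@@ -72,7 +84,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"The security solution iot_sec_solution is disabled in susbscription {AZURE_SUBSCRIPTION}"
+                == f"The security solution iot_sec_solution is disabled in susbscription {AZURE_SUBSCRIPTION_ID}"
             )
             assert result[0].resource_name == "iot_sec_solution"
             assert result[0].resource_id == resource_id
@@ -81,7 +93,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.iot_security_solutions = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "iot_sec_solution": IoTSecuritySolution(
                     resource_id=resource_id, status="Enabled"
                 )
@@ -89,6 +101,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
             new=defender_client,
         ):
@@ -102,18 +117,18 @@ class Test_defender_ensure_iot_hub_defender_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"The security solution iot_sec_solution is enabled in susbscription {AZURE_SUBSCRIPTION}."
+                == f"The security solution iot_sec_solution is enabled in susbscription {AZURE_SUBSCRIPTION_ID}."
             )
             assert result[0].resource_name == "iot_sec_solution"
             assert result[0].resource_id == resource_id
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
 
     def test_defender_multiple_iot_hub_solution_enabled_and_disabled(self):
         resource_id_enabled = str(uuid4())
         resource_id_disabled = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.iot_security_solutions = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "iot_sec_solution_enabled": IoTSecuritySolution(
                     resource_id=resource_id_enabled, status="Enabled"
                 ),
@@ -124,6 +139,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
             new=defender_client,
         ):
@@ -137,17 +155,17 @@ class Test_defender_ensure_iot_hub_defender_is_on:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"The security solution iot_sec_solution_enabled is enabled in susbscription {AZURE_SUBSCRIPTION}."
+                == f"The security solution iot_sec_solution_enabled is enabled in susbscription {AZURE_SUBSCRIPTION_ID}."
             )
             assert result[0].resource_name == "iot_sec_solution_enabled"
             assert result[0].resource_id == resource_id_enabled
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
 
             assert result[1].status == "FAIL"
             assert (
                 result[1].status_extended
-                == f"The security solution iot_sec_solution_disabled is disabled in susbscription {AZURE_SUBSCRIPTION}"
+                == f"The security solution iot_sec_solution_disabled is disabled in susbscription {AZURE_SUBSCRIPTION_ID}"
             )
             assert result[1].resource_name == "iot_sec_solution_disabled"
             assert result[1].resource_id == resource_id_disabled
-            assert result[1].subscription == AZURE_SUBSCRIPTION
+            assert result[1].subscription == AZURE_SUBSCRIPTION_ID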
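Review bot: The rewritten expected strings keep the misspelling `susbscription` and the inconsistent trailing period (the `is disabled in susbscription {AZURE_SUBSCRIPTION_ID}` assertions end without one, the `is enabled ...` assertions with one), so the tests now pin that exact wording and any later wording fix in the check will need a matching update here. Since these lines are being touched anyway, it would be worth aligning the check's message and these assertions in the same change, or at least placing `# NOTE: mirrors the check's current status_extended wording verbatim` above the first such assertion. The MCAS section (`disabeld`, `not exists`) and the notify-alerts section (`Notifiy`, `susbscription`) carry the same issue. The test methods holding these assertions start outside the hunks.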
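--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import Setting
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_mcas_is_enabled:
@@ -11,6 +14,9 @@ class Test_defender_ensure_mcas_is_enabled:
         defender_client.settings = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_mcas_is_enabled:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.settings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "MCAS": Setting(
                     resource_id=resource_id,
                     resource_type="Microsoft.Security/locations/settings",
@@ -37,6 +43,9 @@ class Test_defender_ensure_mcas_is_enabled:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
             new=defender_client,
         ):
@@ -50,9 +59,9 @@ class Test_defender_ensure_mcas_is_enabled:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Microsoft Defender for Cloud Apps is disabeld for subscription {AZURE_SUBSCRIPTION}."
+                == f"Microsoft Defender for Cloud Apps is disabeld for subscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "MCAS"
             assert result[0].resource_id == resource_id
 
@@ -60,7 +69,7 @@ class Test_defender_ensure_mcas_is_enabled:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.settings = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "MCAS": Setting(
                     resource_id=resource_id,
                     resource_type="Microsoft.Security/locations/settings",
@@ -71,6 +80,9 @@ class Test_defender_ensure_mcas_is_enabled:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
             new=defender_client,
         ):
@@ -84,17 +96,20 @@ class Test_defender_ensure_mcas_is_enabled:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Microsoft Defender for Cloud Apps is enabled for subscription {AZURE_SUBSCRIPTION}."
+                == f"Microsoft Defender for Cloud Apps is enabled for subscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "MCAS"
             assert result[0].resource_id == resource_id
 
     def test_defender_mcas_no_settings(self):
         defender_client = mock.MagicMock
-        defender_client.settings = {AZURE_SUBSCRIPTION: {}}
+        defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
             new=defender_client,
         ):
@@ -108,8 +123,8 @@ class Test_defender_ensure_mcas_is_enabled:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Microsoft Defender for Cloud Apps not exists for subscription {AZURE_SUBSCRIPTION}."
+                == f"Microsoft Defender for Cloud Apps not exists for subscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "MCAS"
             assert result[0].resource_id == "MCAS"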
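--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,7 +2,10 @@ from unittest import mock
 from uuid import uuid4
 
 from prowler.providers.azure.services.defender.defender_service import SecurityContacts
-from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION_ID,
+    set_mocked_azure_provider,
+)
 
 
 class Test_defender_ensure_notify_alerts_severity_is_high:
@@ -11,6 +14,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         defender_client.security_contacts = {}
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
             new=defender_client,
         ):
@@ -26,7 +32,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.security_contacts = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "default": SecurityContacts(
                     resource_id=resource_id,
                     emails="",
@@ -40,6 +46,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
             new=defender_client,
         ):
@@ -53,9 +62,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
+                == f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "default"
             assert result[0].resource_id == resource_id
 
@@ -63,7 +72,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         resource_id = str(uuid4())
         defender_client = mock.MagicMock
         defender_client.security_contacts = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "default": SecurityContacts(
                     resource_id=resource_id,
                     emails="",
@@ -77,6 +86,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
             new=defender_client,
         ):
@@ -90,18 +102,18 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
             assert result[0].status == "PASS"
             assert (
                 result[0].status_extended
-                == f"Notifiy alerts are enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
+                == f"Notifiy alerts are enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "default"
             assert result[0].resource_id == resource_id
 
     def test_defender_default_security_contact_not_found(self):
         defender_client = mock.MagicMock
         defender_client.security_contacts = {
-            AZURE_SUBSCRIPTION: {
+            AZURE_SUBSCRIPTION_ID: {
                 "default": SecurityContacts(
-                    resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
+                    resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
                     emails="",
                     phone="",
                     alert_notifications_minimal_severity="",
@@ -113,6 +125,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
         }
 
         with mock.patch(
+            "prowler.providers.common.common.get_global_provider",
+            return_value=set_mocked_azure_provider(),
+        ), mock.patch(
             "prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
             new=defender_client,
         ):
@@ -126,11 +141,11 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
             assert result[0].status == "FAIL"
             assert (
                 result[0].status_extended
-                == f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
+                == f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
             )
-            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].subscription == AZURE_SUBSCRIPTION_ID
             assert result[0].resource_name == "default"
             assert (
                 result[0].resource_id
-                == f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
+                == f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
             )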
+33
-15
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import SecurityContacts
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_notify_emails_to_owners:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
defender_client.security_contacts = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="",
|
||||
@@ -40,6 +46,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -53,9 +62,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -63,7 +72,7 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="",
|
||||
@@ -77,6 +86,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -90,9 +102,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -100,7 +112,7 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=resource_id,
|
||||
emails="test@test.es",
|
||||
@@ -114,6 +126,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -127,18 +142,18 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"The Owner role is notified for subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"The Owner role is notified for subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
def test_defender_default_security_contact_not_found(self):
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.security_contacts = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"default": SecurityContacts(
|
||||
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
|
||||
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
|
||||
emails="",
|
||||
phone="",
|
||||
alert_notifications_minimal_severity="",
|
||||
@@ -150,6 +165,9 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -163,11 +181,11 @@ class Test_defender_ensure_notify_emails_to_owners:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "default"
|
||||
assert (
|
||||
result[0].resource_id
|
||||
== f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
|
||||
== f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
|
||||
)
|
||||
|
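Review bot: `defender_client = mock.MagicMock` in each test of this section binds the MagicMock class itself, not an instance, so the following `defender_client.security_contacts = {...}` writes a class attribute that is shared by every MagicMock created anywhere in the same pytest process; the commit touches these tests but keeps the pattern. Because every test overwrites the same class attribute, the tests only pass as long as they run in file order, and any other module that inspects `MagicMock.security_contacts` sees this file's last fixture. The fix is one character per test: `defender_client = mock.MagicMock()`. The `test_*` method bodies that contain these lines start and end outside the shown hunks, so the same change is presumably needed in the first test whose `defender_client` assignment is not visible here.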
||||
+31
-13
@@ -2,7 +2,10 @@ from unittest import mock
|
||||
from uuid import uuid4
|
||||
|
||||
from prowler.providers.azure.services.defender.defender_service import Assesment
|
||||
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
|
||||
from tests.providers.azure.azure_fixtures import (
|
||||
AZURE_SUBSCRIPTION_ID,
|
||||
set_mocked_azure_provider,
|
||||
)
|
||||
|
||||
|
||||
class Test_defender_ensure_system_updates_are_applied:
|
||||
@@ -11,6 +14,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
defender_client.assessments = {}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -26,7 +32,7 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Log Analytics agent should be installed on virtual machines": Assesment(
|
||||
resource_id=resource_id,
|
||||
resource_name="vm1",
|
||||
@@ -46,6 +52,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -59,9 +68,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "vm1"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -71,7 +80,7 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Log Analytics agent should be installed on virtual machines": Assesment(
|
||||
resource_id=resource_id,
|
||||
resource_name="vm1",
|
||||
@@ -91,6 +100,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -104,9 +116,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "vm1"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -114,7 +126,7 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Log Analytics agent should be installed on virtual machines": Assesment(
|
||||
resource_id=resource_id,
|
||||
resource_name="vm1",
|
||||
@@ -134,6 +146,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -147,9 +162,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
assert result[0].status == "FAIL"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "vm1"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
||||
@@ -159,7 +174,7 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
resource_id = str(uuid4())
|
||||
defender_client = mock.MagicMock
|
||||
defender_client.assessments = {
|
||||
AZURE_SUBSCRIPTION: {
|
||||
AZURE_SUBSCRIPTION_ID: {
|
||||
"Log Analytics agent should be installed on virtual machines": Assesment(
|
||||
resource_id=resource_id,
|
||||
resource_name="vm1",
|
||||
@@ -179,6 +194,9 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
}
|
||||
|
||||
with mock.patch(
|
||||
"prowler.providers.common.common.get_global_provider",
|
||||
return_value=set_mocked_azure_provider(),
|
||||
), mock.patch(
|
||||
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
|
||||
new=defender_client,
|
||||
):
|
||||
@@ -192,8 +210,8 @@ class Test_defender_ensure_system_updates_are_applied:
|
||||
assert result[0].status == "PASS"
|
||||
assert (
|
||||
result[0].status_extended
|
||||
== f"System updates are applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
|
||||
== f"System updates are applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
|
||||
)
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION
|
||||
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
|
||||
assert result[0].resource_name == "vm1"
|
||||
assert result[0].resource_id == resource_id
|
||||
|
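Review bot: The four `defender_client = mock.MagicMock` lines in this section assign the class rather than an instance, so `defender_client.assessments = {...}` mutates `unittest.mock.MagicMock` globally instead of a per-test object; the newly added `get_global_provider` patches do not change this, and the attribute leaks across tests and modules run in the same session. Replace each with `defender_client = mock.MagicMock()` so every test owns its own mock. As a style point, the same two patch targets (`prowler.providers.common.common.get_global_provider` and the long `...defender_ensure_system_updates_are_applied.defender_client` path) are now repeated verbatim five times; a module-level constant or a small helper context manager would keep the patch target in one place when the check module is moved again. The enclosing `def test_*` bodies extend beyond the hunks shown here.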