chore(audit_info): Replace for provider and add tests (#3542)

Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
This commit is contained in:
Pepe Fagoaga
2024-03-19 09:53:05 +01:00
committed by GitHub
parent 63cd6c1290
commit 77823afa54
211 changed files with 6447 additions and 4978 deletions
+2 -4
@@ -161,10 +161,8 @@ def prowler():
checks_to_execute, excluded_services, provider
)
# Once the audit_info is set and we have the eventual checks based on the resource identifier,
# Once the provider is set and we have the eventual checks based on the resource identifier,
# it is time to check what Prowler's checks are going to be executed
# TODO: the following if is done within the function
# if global_provider.audit_resources:
checks_from_resources = global_provider.get_checks_to_execute_by_audit_resources()
if checks_from_resources:
checks_to_execute = checks_to_execute.intersection(checks_from_resources)
@@ -211,7 +209,7 @@ def prowler():
# os.environ["SLACK_CHANNEL_ID"],
# stats,
# provider,
# audit_info,
# provider,
# )
# else:
# logger.critical(
-16
@@ -92,22 +92,6 @@ def check_current_version():
return f"{prowler_version_string}"
# TODO: remove after changing tests for this function
# def change_config_var(variable: str, value: str, audit_info):
# try:
# if (
# hasattr(audit_info, "audit_config")
# and audit_info.audit_config is not None
# and variable in audit_info.audit_config
# ):
# audit_info.audit_config[variable] = value
# return audit_info
# except Exception as error:
# logger.error(
# f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
# )
# TODO: revisit this function
def update_provider_config(variable: str, value: str):
try:
+3 -3
@@ -128,12 +128,12 @@ def parse_checks_from_folder(provider, input_folder: str) -> int:
try:
imported_checks = 0
# Check if input folder is a S3 URI
if provider.provider == "aws" and re.search(
if provider.type == "aws" and re.search(
"^s3://([^/]+)/(.*?([^/]+))/$", input_folder
):
bucket = input_folder.split("/")[2]
key = ("/").join(input_folder.split("/")[3:])
s3_resource = provider.session.session.resource("s3")
s3_resource = provider.session.current_session.resource("s3")
bucket = s3_resource.Bucket(bucket)
for obj in bucket.objects.filter(Prefix=key):
if not os.path.exists(os.path.dirname(obj.key)):
@@ -150,7 +150,7 @@ def parse_checks_from_folder(provider, input_folder: str) -> int:
# Copy checks to specific provider/service folder
check_service = check.name.split("_")[0]
prowler_dir = prowler.__path__
prowler_module = f"{prowler_dir[0]}/providers/{provider.provider}/services/{check_service}/{check.name}"
prowler_module = f"{prowler_dir[0]}/providers/{provider.type}/services/{check_service}/{check.name}"
if os.path.exists(prowler_module):
shutil.rmtree(prowler_module)
shutil.copytree(check_module, prowler_module)
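Review bot: The S3 branch derives local directories straight from the object key (`os.path.exists(os.path.dirname(obj.key))`), so a key containing `..` segments in a bucket the auditor does not fully control would be written outside the working directory; the download itself appears below the hunk, but the check belongs before it, e.g. `if os.path.isabs(obj.key) or os.path.normpath(obj.key).startswith(".."): continue`. The renames to `provider.type` and `provider.session.current_session` match the `AwsProvider` attributes introduced elsewhere in this commit, so no issue there. `parse_checks_from_folder` continues outside both hunks.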
+1
@@ -103,6 +103,7 @@ def generate_provider_output(provider, finding, csv_data) -> FindingOutput:
return finding_output
# TODO: add test for outputs_unix_timestamp
def fill_common_finding_data(finding: dict, unix_timestamp: bool) -> dict:
finding_data = {
"timestamp": outputs_unix_timestamp(unix_timestamp, timestamp),
+2 -2
@@ -23,7 +23,7 @@ from prowler.lib.outputs.compliance.mitre_attack_aws import (
def add_manual_controls(
output_options, audit_info, file_descriptors, input_compliance_frameworks
output_options, provider, file_descriptors, input_compliance_frameworks
):
try:
# Check if MANUAL control was already added to output
@@ -41,7 +41,7 @@ def add_manual_controls(
fill_compliance(
output_options,
manual_finding,
audit_info,
provider,
file_descriptors,
input_compliance_frameworks,
)
+61 -47
@@ -2,6 +2,7 @@ from prowler.config.config import prowler_version, timestamp_utc
from prowler.lib.logger import logger
from prowler.lib.outputs.compliance.compliance import get_check_compliance
from prowler.lib.outputs.json_asff.models import (
Check_Output_JSON_ASFF,
Compliance,
ProductFields,
Resource,
@@ -44,51 +45,34 @@ def generate_json_asff_resource_tags(tags):
)
def fill_json_asff(finding_output, provider, finding, output_options):
def fill_json_asff(provider, finding):
"""
Fill the finding's output in JSON ASFF format.
Parameters:
- provider: The provider object containing information about the provider (e.g., AWS) and the output options object containing information about the desired output format.
- finding: The finding object containing information about the specific finding.
Returns:
- finding_output: The filled finding's output in JSON ASFF format.
"""
try:
# Check if there are no resources in the finding
if finding.resource_arn == "":
if finding.resource_id == "":
finding.resource_id = "NONE_PROVIDED"
finding.resource_arn = finding.resource_id
# The following line cannot be changed because it is the format we use to generate unique findings for AWS Security Hub
# If changed some findings could be lost because the unique identifier will be different
# TODO: get this from the provider output
finding_output.Id = f"prowler-{finding.check_metadata.CheckID}-{provider.identity.account}-{finding.region}-{hash_sha512(finding.resource_id)}"
finding_output.ProductArn = f"arn:{provider.identity.partition}:securityhub:{finding.region}::product/prowler/prowler"
finding_output.ProductFields = ProductFields(
ProviderVersion=prowler_version, ProwlerResourceName=finding.resource_arn
)
finding_output.GeneratorId = "prowler-" + finding.check_metadata.CheckID
finding_output.AwsAccountId = provider.identity.account
finding_output.Types = finding.check_metadata.CheckType
finding_output.FirstObservedAt = finding_output.UpdatedAt = (
finding_output.CreatedAt
) = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
finding_output.Severity = Severity(
Label=finding.check_metadata.Severity.upper()
)
finding_output.Title = finding.check_metadata.CheckTitle
# Description should NOT be longer than 1024 characters
finding_output.Description = (
(finding.status_extended[:1000] + "...")
if len(finding.status_extended) > 1000
else finding.status_extended
)
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
resource_tags = generate_json_asff_resource_tags(finding.resource_tags)
finding_output.Resources = [
Resource(
Id=finding.resource_arn,
Type=finding.check_metadata.ResourceType,
Partition=provider.identity.partition,
Region=finding.region,
Tags=resource_tags,
)
]
# Iterate for each compliance framework
compliance_summary = []
associated_standards = []
check_compliance = get_check_compliance(finding, "aws", output_options)
check_compliance = get_check_compliance(
finding, provider.type, provider.output_options
)
for key, value in check_compliance.items():
if (
len(associated_standards) < 20
@@ -102,19 +86,49 @@ def fill_json_asff(finding_output, provider, finding, output_options):
# Ensures finding_status matches allowed values in ASFF
finding_status = generate_json_asff_status(finding.status)
finding_output.Compliance = Compliance(
Status=finding_status,
AssociatedStandards=associated_standards,
RelatedRequirements=compliance_summary,
json_asff_output = Check_Output_JSON_ASFF(
# The following line cannot be changed because it is the format we use to generate unique findings for AWS Security Hub
# If changed some findings could be lost because the unique identifier will be different
# TODO: get this from the provider output
Id=f"prowler-{finding.check_metadata.CheckID}-{provider.identity.account}-{finding.region}-{hash_sha512(finding.resource_id)}",
ProductArn=f"arn:{provider.identity.partition}:securityhub:{finding.region}::product/prowler/prowler",
ProductFields=ProductFields(
ProviderVersion=prowler_version,
ProwlerResourceName=finding.resource_arn,
),
GeneratorId="prowler-" + finding.check_metadata.CheckID,
AwsAccountId=provider.identity.account,
Types=finding.check_metadata.CheckType,
FirstObservedAt=timestamp,
UpdatedAt=timestamp,
CreatedAt=timestamp,
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
Title=finding.check_metadata.CheckTitle,
# Description should NOT be longer than 1024 characters
Description=(
(finding.status_extended[:1000] + "...")
if len(finding.status_extended) > 1000
else finding.status_extended
),
Resources=[
Resource(
Id=finding.resource_arn,
Type=finding.check_metadata.ResourceType,
Partition=provider.identity.partition,
Region=finding.region,
Tags=resource_tags,
)
],
Compliance=Compliance(
Status=finding_status,
AssociatedStandards=associated_standards,
RelatedRequirements=compliance_summary,
),
Remediation={
"Recommendation": finding.check_metadata.Remediation.Recommendation
},
)
# Fill Recommendation Url if it is blank
if not finding.check_metadata.Remediation.Recommendation.Url:
finding.check_metadata.Remediation.Recommendation.Url = "https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
finding_output.Remediation = {
"Recommendation": finding.check_metadata.Remediation.Recommendation
}
return finding_output
return json_asff_output
except Exception as error:
logger.error(
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+3 -3
@@ -36,16 +36,16 @@ class Check_Output_JSON_ASFF(BaseModel):
Id: str = ""
ProductArn: str = ""
RecordState: str = "ACTIVE"
ProductFields: ProductFields = None # type: ignore
ProductFields: ProductFields
GeneratorId: str = ""
AwsAccountId: str = ""
Types: list[str] = None
FirstObservedAt: str = ""
UpdatedAt: str = ""
CreatedAt: str = ""
Severity: Severity = None # type: ignore
Severity: Severity
Title: str = ""
Description: str = ""
Resources: list[Resource] = None
Compliance: Compliance = None # type: ignore
Compliance: Compliance
Remediation: dict = None
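Review bot: `Types`, `Resources` and `Remediation` keep a `None` default on a non-optional annotation while the neighbouring fields were just made required; since `fill_json_asff` in this commit always supplies all three, they can be made required the same way (`Types: list[str]`, `Resources: list[Resource]`, `Remediation: dict`), so an incomplete ASFF record is rejected at construction rather than at Security Hub import. If `None` is genuinely possible on some path, annotate it as `Optional[...]` so the intent is visible to readers and type checkers. The class continues outside the hunk.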
+13 -14
@@ -93,6 +93,7 @@ def fill_json_ocsf(finding_output: FindingOutput) -> DetectionFinding:
uid=finding_output.resource_uid,
group=Group(name=finding_output.service_name),
type=finding_output.resource_type,
# TODO: this should be included only if using the Cloud profile
cloud_partition=finding_output.partition,
region=finding_output.region,
)
@@ -118,21 +119,19 @@ def fill_json_ocsf(finding_output: FindingOutput) -> DetectionFinding:
# TODO: Get the PID of the namespace (we only have the name of the namespace)
# detection_finding.namespace_pid=,
else:
detection_finding.cloud = (
Cloud(
account=Account(
name=finding_output.account_name,
type_id=cloud_account_type.value,
type=cloud_account_type.name,
uid=finding_output.account_uid,
),
org=Organization(
uid=finding_output.account_organization_uid,
name=finding_output.account_organization_name,
),
provider=finding_output.provider,
region=finding_output.region,
detection_finding.cloud = Cloud(
account=Account(
name=finding_output.account_name,
type_id=cloud_account_type.value,
type=cloud_account_type.name,
uid=finding_output.account_uid,
),
org=Organization(
uid=finding_output.account_organization_uid,
name=finding_output.account_organization_name,
),
provider=finding_output.provider,
region=finding_output.region,
)
return detection_finding
+2 -6
@@ -19,7 +19,6 @@ from prowler.lib.outputs.compliance.compliance import (
from prowler.lib.outputs.csv.csv import generate_csv_fields
from prowler.lib.outputs.file_descriptors import fill_file_descriptors
from prowler.lib.outputs.json_asff.json_asff import fill_json_asff
from prowler.lib.outputs.json_asff.models import Check_Output_JSON_ASFF
from prowler.lib.outputs.json_ocsf.json_ocsf import fill_json_ocsf
from prowler.lib.outputs.utils import unroll_dict
@@ -105,13 +104,10 @@ def report(check_findings, provider):
if finding.check_metadata.Provider == "aws":
if "json-asff" in file_descriptors:
# Initialize this field using the class within fill_json_asff not here
finding_output = Check_Output_JSON_ASFF()
fill_json_asff(
finding_output, provider, finding, output_options
)
json_asff_finding = fill_json_asff(provider, finding)
json.dump(
finding_output.dict(exclude_none=True),
json_asff_finding.dict(exclude_none=True),
file_descriptors["json-asff"],
indent=4,
)
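Review bot: `json_asff_finding` is dereferenced unconditionally on the following `json.dump` line, but `fill_json_asff` as rewritten in this commit catches every exception, logs, and falls through with `None`, so a single bad finding aborts the whole `json-asff` output with an `AttributeError` instead of being skipped. Guard the dump with `if json_asff_finding is not None:` (or have `fill_json_asff` re-raise so the failure is explicit). `report` continues outside the hunk.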
+18 -7
@@ -23,18 +23,29 @@ def send_slack_message(token, channel, stats, provider, audit_info):
)
def create_message_identity(provider, audit_info):
# TODO: move this to each provider
def create_message_identity(provider):
"""
Create a Slack message identity based on the provider type.
Parameters:
- provider (Provider): The Provider (e.g. "AwsProvider", "GcpProvider", "AzureProvide").
Returns:
- identity (str): The message identity based on the provider type.
- logo (str): The logo URL associated with the provider type.
"""
try:
identity = ""
logo = aws_logo
if provider == "aws":
identity = f"AWS Account *{audit_info.audited_account}*"
elif provider == "gcp":
identity = f"GCP Projects *{', '.join(audit_info.project_ids)}*"
if provider.type == "aws":
identity = f"AWS Account *{provider.identity.account}*"
elif provider.type == "gcp":
identity = f"GCP Projects *{', '.join(provider.project_ids)}*"
logo = gcp_logo
elif provider == "azure":
elif provider.type == "azure":
printed_subscriptions = []
for key, value in audit_info.identity.subscriptions.items():
for key, value in provider.identity.subscriptions.items():
intermediate = f"- *{key}: {value}*\n"
printed_subscriptions.append(intermediate)
identity = f"Azure Subscriptions:\n{''.join(printed_subscriptions)}"
+66 -23
@@ -21,6 +21,7 @@ from prowler.providers.aws.config import (
ROLE_SESSION_NAME,
)
from prowler.providers.aws.lib.arn.arn import parse_iam_credentials_arn
from prowler.providers.aws.lib.arn.models import ARN
from prowler.providers.aws.lib.organizations.organizations import (
get_organizations_metadata,
parse_organizations_metadata,
@@ -49,7 +50,7 @@ class AwsProvider(Provider):
_audit_config: dict
_ignore_unused_services: bool = False
_enabled_regions: set = set()
_mutelist: dict
_mutelist: dict = {}
_output_options: AWSOutputOptions
# TODO: this is not optional, enforce for all providers
audit_metadata: Audit_Metadata
@@ -81,7 +82,7 @@ class AwsProvider(Provider):
# Configure the initial AWS Session using the local credentials: profile or environment variables
aws_session = self.setup_session(input_mfa, input_profile, input_role)
session_config = self._set_session_config(aws_retries_max_attempts)
session_config = self.set_session_config(aws_retries_max_attempts)
# Current session and the original session points to the same session object until we get a new one, if needed
self._session = AWSSession(
current_session=aws_session,
@@ -356,14 +357,14 @@ class AwsProvider(Provider):
logger.info(f"Original AWS Caller Identity UserId: {caller_identity.user_id}")
logger.info(f"Original AWS Caller Identity ARN: {caller_identity.arn}")
partition = parse_iam_credentials_arn(caller_identity.arn).partition
partition = parse_iam_credentials_arn(caller_identity.arn.arn).partition
return AWSIdentityInfo(
account=caller_identity.account,
account_arn=f"arn:{partition}:iam::{caller_identity.account}:root",
user_id=caller_identity.user_id,
partition=partition,
identity_arn=caller_identity.arn,
identity_arn=caller_identity.arn.arn,
profile=input_profile,
profile_region=profile_region,
audited_regions=input_regions,
@@ -552,7 +553,6 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
json_regions = set(
data["services"][service]["regions"][self._identity.partition]
)
# Check for input aws audit_info.audited_regions
if self._identity.audited_regions:
# Get common regions between input and json
regions = json_regions.intersection(self._identity.audited_regions)
@@ -637,9 +637,24 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
audited_regions.add(region)
return audited_regions
def get_tagged_resources(self, input_resource_tags: list):
def get_tagged_resources(self, input_resource_tags: list[str]):
"""
get_tagged_resources returns a list of the resources that are going to be scanned based on the given input tags
Returns a list of the resources that are going to be scanned based on the given input tags.
Parameters:
- input_resource_tags: A list of strings representing the tags to filter the resources. Each string should be in the format "key=value".
Returns:
- A list of strings representing the ARNs (Amazon Resource Names) of the tagged resources.
Note:
- This method uses the AWS Resource Groups Tagging API to retrieve the tagged resources.
- The method generates regional clients for the Resource Groups Tagging API for each enabled region in the AWS provider.
- The method paginates through the results of the 'get_resources' operation to retrieve all the tagged resources.
Example usage:
input_resource_tags = ["Environment=Production", "Owner=John Doe"]
tagged_resources = get_tagged_resources(input_resource_tags)
"""
try:
resource_tags = []
@@ -676,9 +691,8 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
def get_default_region(self, service: str) -> str:
"""get_default_region returns the default region based on the profile and audited service regions"""
service_regions = self.get_available_aws_service_regions(service)
default_region = (
self.get_global_region()
) # global region of the partition when all regions are audited and there is no profile region
default_region = self.get_global_region()
# global region of the partition when all regions are audited and there is no profile region
if self._identity.profile_region in service_regions:
# return profile region only if it is audited
default_region = self._identity.profile_region
@@ -704,10 +718,9 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
mfa_TOTP = input("Enter MFA code: ")
return AWSMFAInfo(arn=mfa_ARN, totp=mfa_TOTP)
# TODO: rename function
def _set_session_config(self, aws_retries_max_attempts: int) -> Config:
def set_session_config(self, aws_retries_max_attempts: int) -> Config:
"""
_set_session_config returns a botocore Config object with the Prowler user agent and the default retrier configuration if nothing is passed as argument
set_session_config returns a botocore Config object with the Prowler user agent and the default retrier configuration if nothing is passed as argument
"""
# Set the maximum retries for the standard retrier config
default_session_config = Config(
@@ -723,9 +736,7 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
},
)
# Merge the new configuration
default_session_config.merge(config)
# TODO: I don't understand the following line
# default_session_config = self.session.session_config.merge(config)
default_session_config = default_session_config.merge(config)
return default_session_config
@@ -801,7 +812,7 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
# TODO: review this function
# Maybe this should be done within the AwsProvider and not in __main__.py
def get_checks_to_execute_by_audit_resources(self) -> set[str]:
# Once the audit_info is set and we have the eventual checks from arn, it is time to exclude the others
# Once the provider is set and we have the eventual checks from arn, it is time to exclude the others
try:
checks = set()
# TODO: self._audit_resources should be a list[ARN] instead of list[str]
@@ -819,6 +830,12 @@ Caller Identity ARN: {Fore.YELLOW}[{self._identity.identity_arn}]{Style.RESET_AL
def read_aws_regions_file() -> dict:
"""
Reads the AWS services JSON file and returns the parsed data as a dictionary.
Returns:
dict: The parsed data from the AWS services JSON file.
"""
# Get JSON locally
actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
with open_file(f"{actual_directory}/{aws_services_json_file}") as f:
@@ -827,7 +844,13 @@ def read_aws_regions_file() -> dict:
return data
def get_aws_available_regions():
def get_aws_available_regions() -> set:
"""
Get the available AWS regions from the AWS services JSON file.
Returns:
set: A set of available AWS regions.
"""
try:
data = read_aws_regions_file()
@@ -839,7 +862,7 @@ def get_aws_available_regions():
return regions
except Exception as error:
logger.error(f"{error.__class__.__name__}: {error}")
return []
return set()
# TODO: This can be moved to another class since it doesn't need self
@@ -858,7 +881,7 @@ def validate_aws_credentials(
return AWSCallerIdentity(
user_id=caller_identity.get("UserId"),
account=caller_identity.get("Account"),
arn=caller_identity.get("Arn"),
arn=ARN(caller_identity.get("Arn")),
region=aws_region,
)
except Exception as error:
@@ -890,6 +913,26 @@ def get_aws_region_for_sts(session_region: str, input_regions: set[str]) -> str:
def create_sts_session(
session: session.Session, aws_region: str
) -> session.Session.client:
return session.client(
"sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
)
"""
Create an STS session client.
Parameters:
- session (session.Session): The AWS session object.
- aws_region (str): The AWS region to use for the session.
Returns:
- session.Session.client: The STS session client.
Example:
session = boto3.session.Session()
sts_client = create_sts_session(session, 'us-west-2')
"""
try:
return session.client(
"sts", aws_region, endpoint_url=f"https://sts.{aws_region}.amazonaws.com"
)
except Exception as error:
logger.critical(
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
sys.exit(1)
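Review bot: The STS endpoint is still built as `https://sts.{aws_region}.amazonaws.com` from the region name alone, which is wrong for the `aws-cn` partition where the regional STS hostname ends in `.amazonaws.com.cn`; either derive the suffix from the region prefix (`cn-`) or drop `endpoint_url` and ask botocore for regional endpoints through the session config (`Config(sts_regional_endpoints="regional")`) so the partition is resolved for you. The new `except Exception` also converts any failure into `sys.exit(1)` inside a helper, which stops callers (including tests) from handling the error; logging and re-raising keeps the critical log without terminating the interpreter. Note that `session.client()` does not contact the network, so the realistic failure here is an invalid region string, which is better reported as a `ValueError` to the caller.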
@@ -200,7 +200,7 @@ def validate_role_session_name(session_name):
validates that the role session name is valid
Documentation: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
"""
if fullmatch("[\w+=,.@-]{2,64}", session_name):
if fullmatch(r"[\w+=,.@-]{2,64}", session_name):
return session_name
else:
raise ArgumentTypeError(
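Review bot: `\w` in Python matches any Unicode word character by default, whereas the AssumeRole constraint the docstring cites is the ASCII class `[\w+=,.@-]`, so a session name such as `prowler-é` passes this validation and is then rejected by STS. Pass the ASCII flag: `if fullmatch(r"[\w+=,.@-]{2,64}", session_name, re.ASCII):` (or `ASCII` imported from `re`, since only `fullmatch` appears to be imported here). Making the literal a raw string fixes the `SyntaxWarning` but not this.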
+1
@@ -19,6 +19,7 @@ def arn_type(arn: str) -> bool:
return arn
# TODO: review this function just to parse the ARN not to re-instantiate it
def parse_iam_credentials_arn(arn: str) -> ARN:
arn_parsed = ARN(arn)
# First check if region is empty (in IAM ARN's region is always empty)
@@ -1,6 +1,7 @@
import csv
import json
from copy import deepcopy
from typing import Any
from alive_progress import alive_bar
from botocore.client import ClientError
@@ -18,33 +19,32 @@ from prowler.providers.aws.lib.arn.models import get_arn_resource_type
from prowler.providers.aws.lib.s3.s3 import send_to_s3_bucket
# TODO(Audit_Info): use provider here
def quick_inventory(audit_info: AWS_Audit_Info, args):
def quick_inventory(provider: Any, args):
resources = []
global_resources = []
total_resources_per_region = {}
iam_was_scanned = False
# If not inputed regions, check all of them
if not audit_info.audited_regions:
if not provider.audited_regions:
# EC2 client for describing all regions
ec2_client = audit_info.audit_session.client(
"ec2", region_name=audit_info.profile_region
ec2_client = provider.audit_session.client(
"ec2", region_name=provider.profile_region
)
# Get all the available regions
audit_info.audited_regions = [
provider.audited_regions = [
region["RegionName"] for region in ec2_client.describe_regions()["Regions"]
]
with alive_bar(
total=len(audit_info.audited_regions),
total=len(provider.audited_regions),
ctrl_c=False,
bar="blocks",
spinner="classic",
stats=False,
enrich_print=False,
) as bar:
for region in sorted(audit_info.audited_regions):
bar.title = f"Inventorying AWS Account {orange_color}{audit_info.audited_account}{Style.RESET_ALL}"
for region in sorted(provider.audited_regions):
bar.title = f"Inventorying AWS Account {orange_color}{provider.audited_account}{Style.RESET_ALL}"
resources_in_region = []
# {
# eu-west-1: 100,...
@@ -53,13 +53,13 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
try:
# Scan IAM only once
if not iam_was_scanned:
global_resources.extend(get_iam_resources(audit_info.audit_session))
global_resources.extend(get_iam_resources(provider.audit_session))
iam_was_scanned = True
# Get regional S3 buckets since none-tagged buckets are not supported by the resourcegroupstaggingapi
resources_in_region.extend(get_regional_buckets(audit_info, region))
resources_in_region.extend(get_regional_buckets(provider, region))
client = audit_info.audit_session.client(
client = provider.audit_session.client(
"resourcegroupstaggingapi", region_name=region
)
# Get all the resources
@@ -109,7 +109,7 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
inventory_table = create_inventory_table(resources, total_resources_per_region)
print(
f"\nQuick Inventory of AWS Account {Fore.YELLOW}{audit_info.audited_account}{Style.RESET_ALL}:"
f"\nQuick Inventory of AWS Account {Fore.YELLOW}{provider.audited_account}{Style.RESET_ALL}:"
)
print(
@@ -119,7 +119,7 @@ def quick_inventory(audit_info: AWS_Audit_Info, args):
)
print(f"\nTotal resources found: {Fore.GREEN}{len(resources)}{Style.RESET_ALL}")
create_output(resources, audit_info, args)
create_output(resources, provider, args)
def create_inventory_table(resources: list, resources_in_region: dict) -> dict:
@@ -209,20 +209,19 @@ def create_inventory_table(resources: list, resources_in_region: dict) -> dict:
return inventory_table
# TODO(Audit_Info): use provider here
def create_output(resources: list, audit_info: AWS_Audit_Info, args):
def create_output(resources: list, provider: Any, args):
json_output = []
# Check if custom output filename was input, if not, set the default
if not hasattr(args, "output_filename") or args.output_filename is None:
output_file = (
f"prowler-inventory-{audit_info.audited_account}-{output_file_timestamp}"
f"prowler-inventory-{provider.audited_account}-{output_file_timestamp}"
)
else:
output_file = args.output_filename
for item in sorted(resources, key=lambda d: d["arn"]):
resource = {}
resource["AWS_AccountID"] = audit_info.audited_account
resource["AWS_AccountID"] = provider.audited_account
resource["AWS_Region"] = item["arn"].split(":")[3]
resource["AWS_Partition"] = item["arn"].split(":")[1]
resource["AWS_Service"] = item["arn"].split(":")[2]
@@ -289,11 +288,11 @@ def create_output(resources: list, audit_info: AWS_Audit_Info, args):
# Check if -B was input
if args.output_bucket:
output_bucket = args.output_bucket
bucket_session = audit_info.audit_session
bucket_session = provider.audit_session
# Check if -D was input
elif args.output_bucket_no_assume:
output_bucket = args.output_bucket_no_assume
bucket_session = audit_info.original_session
bucket_session = provider.original_session
send_to_s3_bucket(
output_file,
args.output_directory,
@@ -303,10 +302,9 @@ def create_output(resources: list, audit_info: AWS_Audit_Info, args):
)
# TODO(Audit_Info): use provider here
def get_regional_buckets(audit_info: AWS_Audit_Info, region: str) -> list:
def get_regional_buckets(provider: Any, region: str) -> list:
regional_buckets = []
s3_client = audit_info.audit_session.client("s3", region_name=region)
s3_client = provider.audit_session.client("s3", region_name=region)
try:
buckets = s3_client.list_buckets()
for bucket in buckets["Buckets"]:
@@ -329,7 +327,7 @@ def get_regional_buckets(audit_info: AWS_Audit_Info, region: str) -> list:
f"{region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
bucket_arn = (
f"arn:{audit_info.audited_partition}:s3:{region}::{bucket['Name']}"
f"arn:{provider.audited_partition}:s3:{region}::{bucket['Name']}"
)
regional_buckets.append({"arn": bucket_arn, "tags": bucket_tags})
except Exception as error:
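Review bot: The rename changes only the parameter name: the body still reads `provider.audited_regions`, `provider.audit_session`, `provider.audited_account`, `provider.original_session`, `provider.audited_partition` and `provider.profile_region`, which are the old `AWS_Audit_Info` attribute names, while the `AwsProvider` touched elsewhere in this commit exposes them as `identity.audited_regions`, `session.current_session`, `identity.account`, `identity.partition` and `identity.profile_region` (the original session presumably lives under `session` as well). With the annotation loosened to `provider: Any` nothing will flag the mismatch until the quick-inventory path raises `AttributeError` at runtime, so the accessors should be mapped now and the annotation tightened to `AwsProvider`. The first hunk also writes the discovered regions back into `provider.audited_regions`; keeping that in a local avoids mutating provider state from a reporting helper.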
@@ -4,7 +4,6 @@ from botocore.client import ClientError
from prowler.config.config import timestamp_utc
from prowler.lib.logger import logger
from prowler.lib.outputs.json_asff.json_asff import fill_json_asff
from prowler.lib.outputs.json_asff.models import Check_Output_JSON_ASFF
SECURITY_HUB_INTEGRATION_NAME = "prowler/prowler"
SECURITY_HUB_MAX_BATCH = 100
@@ -29,10 +28,8 @@ def prepare_security_hub_findings(
continue
# Handle status filters, if any
if (
not output_options.status
or finding.status in output_options.status
or output_options.send_sh_only_fails
if (finding.status != "FAIL" and output_options.send_sh_only_fails) or (
output_options.status and finding.status not in output_options.status
):
continue
@@ -40,9 +37,7 @@ def prepare_security_hub_findings(
region = finding.region
# Format the finding in the JSON ASFF format
finding_json_asff = fill_json_asff(
Check_Output_JSON_ASFF(), provider, finding, output_options
)
finding_json_asff = fill_json_asff(provider, finding)
# Include that finding within their region in the JSON format
security_hub_findings_per_region[region].append(
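Review bot: `fill_json_asff(provider, finding)` as rewritten in this commit returns `None` on any conversion error (its `except` only logs), and the result is appended to `security_hub_findings_per_region[region]` unchecked, so one bad finding puts a `None` into the batch later sent to Security Hub. Skip it: `if finding_json_asff is None: continue` before the append. The rewritten status filter reads correctly — non-`FAIL` findings are dropped when `send_sh_only_fails` is set, and a status list (now typed `list[str]`) is applied as a membership test — but a one-line comment stating those two rules would help, since the previous condition was written the other way round. `prepare_security_hub_findings` continues outside the hunk.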
+1 -1
@@ -70,7 +70,7 @@ class AWSSession:
class AWSCallerIdentity:
user_id: str
account: str
arn: str
arn: ARN
region: str
@@ -138,6 +138,7 @@ class AzureProvider(Provider):
self._mutelist = mutelist
# TODO: this should be moved to the argparse, if not we need to enforce it from the Provider
# previously was using the AzureException
def validate_arguments(
self, az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth, tenant_id
):
@@ -1,15 +0,0 @@
from prowler.providers.azure.lib.audit_info.models import (
Azure_Audit_Info,
AzureIdentityInfo,
AzureRegionConfig,
)
azure_audit_info = Azure_Audit_Info(
credentials=None,
identity=AzureIdentityInfo(),
audit_resources=None,
audit_metadata=None,
audit_config=None,
azure_region_config=AzureRegionConfig(),
locations=None,
)
@@ -1,49 +0,0 @@
from dataclasses import dataclass
from typing import Any, Optional
from azure.identity import DefaultAzureCredential
from pydantic import BaseModel
class AzureIdentityInfo(BaseModel):
identity_id: str = ""
identity_type: str = ""
tenant_ids: list[str] = []
domain: str = "Unknown tenant domain (missing AAD permissions)"
subscriptions: dict = {}
class AzureRegionConfig(BaseModel):
name: str = ""
authority: str = None
base_url: str = ""
credential_scopes: list = []
@dataclass
class Azure_Audit_Info:
credentials: DefaultAzureCredential
identity: AzureIdentityInfo
audit_resources: Optional[Any]
audit_metadata: Optional[Any]
audit_config: dict
azure_region_config: AzureRegionConfig
locations: list[str]
def __init__(
self,
credentials,
identity,
audit_metadata,
audit_resources,
audit_config,
azure_region_config,
locations,
):
self.credentials = credentials
self.identity = identity
self.audit_metadata = audit_metadata
self.audit_resources = audit_resources
self.audit_config = audit_config
self.azure_region_config = azure_region_config
self.locations = locations
-7
@@ -32,13 +32,6 @@ class AzureOutputOptions(ProviderOutputOptions):
# First call Provider_Output_Options init
super().__init__(arguments, bulk_checks_metadata)
# Confire Shodan API
# TODO: review shodan for the new AWS provider
# if arguments.shodan:
# audit_info = change_config_var(
# "shodan_api_key", arguments.shodan, audit_info
# )
# Check if custom output filename was input, if not, set the default
if (
not hasattr(arguments, "output_filename")
+1 -1
@@ -17,7 +17,7 @@ class Audit_Metadata(BaseModel):
class ProviderOutputOptions:
status: bool
status: list[str]
output_modes: list
output_directory: str
bulk_checks_metadata: dict
+59 -16
@@ -1,4 +1,5 @@
from abc import ABC, abstractmethod
from typing import Any
# TODO: with this we can enforce that all classes ending with "Provider" needs to inherint from the Provider class
# class ProviderMeta:
@@ -14,91 +15,131 @@ from abc import ABC, abstractmethod
# TODO: enforce audit_metadata for all the providers
class Provider(ABC):
"""
The Provider class is an abstract base class that defines the interface for all provider classes in the auditing system.
Attributes:
type (property): The type of the provider.
identity (property): The identity of the provider for auditing.
session (property): The session of the provider for auditing.
audit_config (property): The audit configuration of the provider.
output_options (property): The output configuration of the provider for auditing.
Methods:
print_credentials(): Displays the provider's credentials used for auditing in the command-line interface.
setup_session(): Sets up the session for the provider.
get_output_mapping(): Returns the output mapping between the provider and the generic model.
validate_arguments(): Validates the arguments for the provider.
get_checks_to_execute_by_audit_resources(): Returns a set of checks based on the input resources to scan.
Note:
This is an abstract base class and should not be instantiated directly. Each provider should implement its own
version of the Provider class by inheriting from this base class and implementing the required methods and properties.
"""
@property
@abstractmethod
def type(self):
def type(self) -> str:
"""
type method stores the provider's type.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@property
@abstractmethod
def identity(self):
def identity(self) -> str:
"""
identity method stores the provider's identity to audit.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@abstractmethod
def setup_session(self) -> Any:
"""
setup_session sets up the session for the provider.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@property
@abstractmethod
def session(self):
def session(self) -> str:
"""
session method stores the provider's session to audit.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@property
@abstractmethod
def audit_config(self):
def audit_config(self) -> str:
"""
audit_config method stores the provider's audit configuration.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@abstractmethod
def print_credentials(self):
def print_credentials(self) -> None:
"""
print_credentials is used to display in the CLI the provider's credentials used to audit.
This method needs to be created in each provider.
"""
@abstractmethod
def setup_session(self):
pass
raise NotImplementedError()
@property
@abstractmethod
def output_options(self):
def output_options(self) -> str:
"""
output_options method returns the provider's audit output configuration.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@output_options.setter
@abstractmethod
def output_options(self):
def output_options(self, value: str) -> Any:
"""
output_options.setter sets the provider's audit output configuration.
This method needs to be created in each provider.
"""
raise NotImplementedError()
@abstractmethod
def get_output_mapping(self):
def get_output_mapping(self) -> dict:
"""
get_output_mapping return the CSV output mapping between the provider and the generic model.
get_output_mapping returns the output mapping between the provider and the generic model.
This method needs to be created in each provider.
"""
raise NotImplementedError()
# TODO: probably this won't be here since we want to do the arguments validation during the parse()
def validate_arguments(self):
pass
def validate_arguments(self) -> None:
"""
validate_arguments validates the arguments for the provider.
def get_checks_to_execute_by_audit_resources(self):
This method can be overridden in each provider if needed.
"""
raise NotImplementedError()
def get_checks_to_execute_by_audit_resources(self) -> set:
"""
get_checks_to_execute_by_audit_resources returns a set of checks based on the input resources to scan.
This is a fallback that returns None if the service has not implemented this function.
"""
return set()
@property
@abstractmethod
@@ -108,6 +149,7 @@ class Provider(ABC):
This method needs to be created in each provider.
"""
raise NotImplementedError()
@mutelist.setter
@abstractmethod
@@ -117,3 +159,4 @@ class Provider(ABC):
This method needs to be created in each provider.
"""
raise NotImplementedError()
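Review bot: The new return annotations on the abstract properties do not match how these values are used: `session` is annotated `-> str` although `setup_session` returns `Any`, `audit_config` is annotated `-> str` while the tests in this commit seed it with a dict (`audit_config={"shodan_api_key": ...}`), and `output_options` is annotated `-> str` though it appears to hold a `ProviderOutputOptions` object; the setter is annotated `-> Any` where a setter returns nothing. Suggest `def session(self) -> Any:`, `def audit_config(self) -> dict:` and `def output_options(self, value) -> None:` for the setter, with the getter typed to the options class or `Any`. Separately, the docstring of `get_checks_to_execute_by_audit_resources` says the fallback "returns None" but the body returns `set()`; reword it to "returns an empty set if the provider has not implemented this function". `validate_arguments` now raises `NotImplementedError` while its docstring says it "can be overridden in each provider if needed" — if any provider relied on the previous no-op default, calling it will now fail, so either restore a no-op body or document the method as required. The class continues beyond the visible hunks.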
@@ -1,10 +0,0 @@
from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
gcp_audit_info = GCP_Audit_Info(
credentials=None,
default_project_id=None,
project_ids=[],
audit_resources=None,
audit_metadata=None,
audit_config=None,
)
@@ -1,30 +0,0 @@
from dataclasses import dataclass
from typing import Any, Optional
from google.oauth2.credentials import Credentials
@dataclass
class GCP_Audit_Info:
credentials: Credentials
default_project_id: str
project_ids: list
audit_resources: Optional[Any]
audit_metadata: Optional[Any]
audit_config: Optional[dict]
def __init__(
self,
credentials,
default_project_id,
project_ids,
audit_metadata,
audit_resources,
audit_config,
):
self.credentials = credentials
self.default_project_id = default_project_id
self.project_ids = project_ids
self.audit_metadata = audit_metadata
self.audit_resources = audit_resources
self.audit_config = audit_config
@@ -225,7 +225,7 @@ class KubernetesProvider(Provider):
)
sys.exit(1)
def get_all_namespaces(self):
def get_all_namespaces(self) -> list[str]:
"""
Retrieves all namespaces.
Returns:
@@ -1,9 +0,0 @@
from prowler.providers.kubernetes.lib.audit_info.models import Kubernetes_Audit_Info
kubernetes_audit_info = Kubernetes_Audit_Info(
api_client=None,
context=None,
audit_resources=None,
audit_metadata=None,
audit_config=None,
)
@@ -1,27 +0,0 @@
from dataclasses import dataclass
from typing import Any, Optional
from kubernetes import client
@dataclass
class Kubernetes_Audit_Info:
api_client: client.ApiClient
context: Optional[str]
audit_resources: Optional[Any]
audit_metadata: Optional[Any]
audit_config: Optional[dict]
def __init__(
self,
api_client,
context,
audit_metadata,
audit_resources,
audit_config,
):
self.api_client = api_client
self.context = context
self.audit_metadata = audit_metadata
self.audit_resources = audit_resources
self.audit_config = audit_config
+28 -51
@@ -2,16 +2,17 @@ import os
import pathlib
from unittest import mock
import pytest
from requests import Response
from prowler.config.config import (
change_config_var,
check_current_version,
get_available_compliance_frameworks,
load_and_validate_config_file,
update_provider_config,
)
from prowler.providers.aws.aws_provider import get_aws_available_regions
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
from tests.providers.aws.utils import set_mocked_aws_provider
MOCK_PROWLER_VERSION = "3.3.0"
MOCK_OLD_PROWLER_VERSION = "0.0.0"
@@ -78,61 +79,30 @@ class Test_Config:
== f"Prowler {MOCK_OLD_PROWLER_VERSION} (latest is {MOCK_PROWLER_VERSION}, upgrade for the latest features)"
)
def test_change_config_var_aws(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=None,
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=None,
audit_config={"shodan_api_key": ""},
def test_update_provider_config_aws(self):
aws_provider = set_mocked_aws_provider(
audit_config={"shodan_api_key": "DEFAULT-KEY"}
)
updated_audit_info = change_config_var("shodan_api_key", "XXXXXX", audit_info)
assert audit_info == updated_audit_info
assert audit_info.audit_config.get(
"shodan_api_key"
) == updated_audit_info.audit_config.get("shodan_api_key")
with mock.patch(
"prowler.config.config.get_global_provider",
return_value=aws_provider,
):
update_provider_config("shodan_api_key", "TEST-API-KEY")
assert aws_provider.audit_config.get("shodan_api_key") == "TEST-API-KEY"
def test_change_config_var_aws_not_present(self):
audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=None,
audited_account=None,
audited_account_arn=None,
audited_user_id=None,
audited_partition="aws",
audited_identity_arn=None,
profile=None,
profile_region=None,
credentials=None,
assumed_role_info=None,
audited_regions=["us-east-1", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=None,
audit_config={},
def test_update_provider_config_aws_not_present(self):
aws_provider = set_mocked_aws_provider(
audit_config={"shodan_api_key": "DEFAULT-KEY"}
)
updated_audit_info = change_config_var("not_found", "no_value", audit_info)
assert audit_info == updated_audit_info
assert updated_audit_info.audit_config.get("not_found") is None
with mock.patch(
"prowler.config.config.get_global_provider",
return_value=aws_provider,
):
# Test load_and_validate_config_file
update_provider_config("not_found", "no_value")
assert aws_provider.audit_config.get("not_found") is None
def test_get_available_compliance_frameworks(self):
compliance_frameworks = [
@@ -202,3 +172,10 @@ class Test_Config:
assert load_and_validate_config_file("aws", config_test_file) == config_aws
assert load_and_validate_config_file("gcp", config_test_file) == {}
assert load_and_validate_config_file("azure", config_test_file) == {}
def test_load_and_validate_config_file_invalid_config_file_path(self):
provider = "aws"
config_file_path = "invalid/path/to/config.yaml"
with pytest.raises(SystemExit):
load_and_validate_config_file(provider, config_file_path)
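Review bot: `test_update_provider_config_aws_not_present` only asserts that the unknown key was not added; it should also assert that the pre-seeded value survived, `assert aws_provider.audit_config.get("shodan_api_key") == "DEFAULT-KEY"`, so a regression in `update_provider_config` that clears or replaces the whole config on an unknown key is caught. The same assertion in `test_update_provider_config_aws` would be stronger with a second seed key in `audit_config` to show that only the requested variable changes. The old tests also checked the return value (`audit_info == updated_audit_info`); if `update_provider_config` returns the provider or a status, the new tests should pin that too, otherwise a short comment stating that it returns nothing would make the omission deliberate.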
+11 -329
@@ -1,5 +1,6 @@
import os
import pathlib
from argparse import Namespace
from importlib.machinery import FileFinder
from pkgutil import ModuleInfo
@@ -23,14 +24,11 @@ from prowler.lib.check.check import (
update_audit_metadata,
)
from prowler.lib.check.models import load_check_metadata
from prowler.providers.aws.aws_provider import (
get_checks_from_input_arn,
get_regions_from_audit_resources,
)
from tests.providers.aws.utils import set_mocked_aws_audit_info
from prowler.providers.aws.aws_provider import AwsProvider
from tests.providers.aws.utils import AWS_REGION_US_EAST_1
AWS_ACCOUNT_NUMBER = "123456789012"
AWS_REGION = "us-east-1"
# AWS_ACCOUNT_NUMBER = "123456789012"
# AWS_REGION = "us-east-1"
expected_packages = [
ModuleInfo(
@@ -390,147 +388,7 @@ def mock_recover_checks_from_aws_provider(*_):
]
def mock_recover_checks_from_aws_provider_lambda_service(*_):
return [
(
"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
"/root_dir/fake_path/awslambda/awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
),
(
"awslambda_function_url_cors_policy",
"/root_dir/fake_path/awslambda/awslambda_function_url_cors_policy",
),
(
"awslambda_function_no_secrets_in_code",
"/root_dir/fake_path/awslambda/awslambda_function_no_secrets_in_code",
),
]
def mock_recover_checks_from_aws_provider_elb_service(*_):
return [
(
"elb_insecure_ssl_ciphers",
"/root_dir/fake_path/elb/elb_insecure_ssl_ciphers",
),
(
"elb_internet_facing",
"/root_dir/fake_path/elb/elb_internet_facing",
),
(
"elb_logging_enabled",
"/root_dir/fake_path/elb/elb_logging_enabled",
),
]
def mock_recover_checks_from_aws_provider_efs_service(*_):
return [
(
"efs_encryption_at_rest_enabled",
"/root_dir/fake_path/efs/efs_encryption_at_rest_enabled",
),
(
"efs_have_backup_enabled",
"/root_dir/fake_path/efs/efs_have_backup_enabled",
),
(
"efs_not_publicly_accessible",
"/root_dir/fake_path/efs/efs_not_publicly_accessible",
),
]
def mock_recover_checks_from_aws_provider_iam_service(*_):
return [
(
"iam_customer_attached_policy_no_administrative_privileges",
"/root_dir/fake_path/iam/iam_customer_attached_policy_no_administrative_privileges",
),
(
"iam_check_saml_providers_sts",
"/root_dir/fake_path/iam/iam_check_saml_providers_sts",
),
(
"iam_password_policy_minimum_length_14",
"/root_dir/fake_path/iam/iam_password_policy_minimum_length_14",
),
]
def mock_recover_checks_from_aws_provider_s3_service(*_):
return [
(
"s3_account_level_public_access_blocks",
"/root_dir/fake_path/s3/s3_account_level_public_access_blocks",
),
(
"s3_bucket_acl_prohibited",
"/root_dir/fake_path/s3/s3_bucket_acl_prohibited",
),
(
"s3_bucket_policy_public_write_access",
"/root_dir/fake_path/s3/s3_bucket_policy_public_write_access",
),
]
def mock_recover_checks_from_aws_provider_cloudwatch_service(*_):
return [
(
"cloudwatch_changes_to_network_acls_alarm_configured",
"/root_dir/fake_path/cloudwatch/cloudwatch_changes_to_network_acls_alarm_configured",
),
(
"cloudwatch_changes_to_network_gateways_alarm_configured",
"/root_dir/cloudwatch/cloudwatch_changes_to_network_gateways_alarm_configured",
),
(
"cloudwatch_changes_to_network_route_tables_alarm_configured",
"/root_dir/fake_path/cloudwatch/cloudwatch_changes_to_network_route_tables_alarm_configured",
),
]
def mock_recover_checks_from_aws_provider_ec2_service(*_):
return [
(
"ec2_securitygroup_allow_ingress_from_internet_to_any_port",
"/root_dir/fake_path/ec2/ec2_securitygroup_allow_ingress_from_internet_to_any_port",
),
(
"ec2_networkacl_allow_ingress_any_port",
"/root_dir/fake_path/ec2/ec2_networkacl_allow_ingress_any_port",
),
(
"ec2_ami_public",
"/root_dir/fake_path/ec2/ec2_ami_public",
),
]
def mock_recover_checks_from_aws_provider_rds_service(*_):
return [
(
"rds_instance_backup_enabled",
"/root_dir/fake_path/rds/rds_instance_backup_enabled",
),
(
"rds_instance_deletion_protection",
"/root_dir/fake_path/rds/rds_instance_deletion_protection",
),
(
"rds_snapshots_public_access",
"/root_dir/fake_path/rds/rds_snapshots_public_access",
),
]
def mock_recover_checks_from_aws_provider_cognito_service(*_):
return []
class Test_Check:
class TestCheck:
def test_load_check_metadata(self):
test_cases = [
{
@@ -574,7 +432,7 @@ class Test_Check:
f"{pathlib.Path().absolute()}/tests/lib/check/fixtures/checks_folder"
)
# Create bucket and upload checks folder
s3_client = client("s3", region_name=AWS_REGION)
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
s3_client.create_bucket(Bucket="test")
# Iterate through the files in the folder and upload each one
for subdir, _, files in os.walk(test_checks_folder):
@@ -601,14 +459,14 @@ class Test_Check:
"expected": 3,
},
]
arguments = Namespace()
aws_provider = AwsProvider(arguments)
for test in test_cases:
check_folder = test["input"]["path"]
provider = test["input"]["provider"]
assert (
parse_checks_from_folder(
set_mocked_aws_audit_info(), check_folder, provider
)
== test["expected"]
parse_checks_from_folder(aws_provider, check_folder) == test["expected"]
)
remove_custom_checks_module(check_folder, provider)
@@ -787,182 +645,6 @@ class Test_Check:
recovered_checks = recover_checks_from_service(service_list, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_elb_service,
)
def test_get_checks_from_input_arn_elb(self):
audit_resources = [
f"arn:aws:elasticloadbalancing:us-east-1:{AWS_ACCOUNT_NUMBER}:loadbalancer/test"
]
provider = "aws"
expected_checks = [
"elb_insecure_ssl_ciphers",
"elb_internet_facing",
"elb_logging_enabled",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_efs_service,
)
def test_get_checks_from_input_arn_efs(self):
audit_resources = [
f"arn:aws:elasticfilesystem:us-east-1:{AWS_ACCOUNT_NUMBER}:file-system/fs-01234567"
]
provider = "aws"
expected_checks = [
"efs_encryption_at_rest_enabled",
"efs_have_backup_enabled",
"efs_not_publicly_accessible",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_lambda_service,
)
def test_get_checks_from_input_arn_lambda(self):
audit_resources = ["arn:aws:lambda:us-east-1:123456789:function:test-lambda"]
provider = "aws"
expected_checks = [
"awslambda_function_invoke_api_operations_cloudtrail_logging_enabled",
"awslambda_function_no_secrets_in_code",
"awslambda_function_url_cors_policy",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_iam_service,
)
def test_get_checks_from_input_arn_iam(self):
audit_resources = [f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:user/user-name"]
provider = "aws"
expected_checks = [
"iam_check_saml_providers_sts",
"iam_customer_attached_policy_no_administrative_privileges",
"iam_password_policy_minimum_length_14",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_s3_service,
)
def test_get_checks_from_input_arn_s3(self):
audit_resources = ["arn:aws:s3:::bucket-name"]
provider = "aws"
expected_checks = [
"s3_account_level_public_access_blocks",
"s3_bucket_acl_prohibited",
"s3_bucket_policy_public_write_access",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_cloudwatch_service,
)
def test_get_checks_from_input_arn_cloudwatch(self):
audit_resources = [
f"arn:aws:logs:us-east-1:{AWS_ACCOUNT_NUMBER}:destination:testDestination"
]
provider = "aws"
expected_checks = [
"cloudwatch_changes_to_network_acls_alarm_configured",
"cloudwatch_changes_to_network_gateways_alarm_configured",
"cloudwatch_changes_to_network_route_tables_alarm_configured",
]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_cognito_service,
)
def test_get_checks_from_input_arn_cognito(self):
audit_resources = [
f"arn:aws:cognito-idp:us-east-1:{AWS_ACCOUNT_NUMBER}:userpool/test"
]
provider = "aws"
expected_checks = []
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_ec2_service,
)
def test_get_checks_from_input_arn_ec2_security_group(self):
audit_resources = [
f"arn:aws:ec2:us-east-1:{AWS_ACCOUNT_NUMBER}:security-group/sg-1111111111"
]
provider = "aws"
expected_checks = ["ec2_securitygroup_allow_ingress_from_internet_to_any_port"]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_ec2_service,
)
def test_get_checks_from_input_arn_ec2_acl(self):
audit_resources = [
f"arn:aws:ec2:us-west-2:{AWS_ACCOUNT_NUMBER}:network-acl/acl-1"
]
provider = "aws"
expected_checks = ["ec2_networkacl_allow_ingress_any_port"]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_rds_service,
)
def test_get_checks_from_input_arn_rds_snapshots(self):
audit_resources = [
f"arn:aws:rds:us-east-2:{AWS_ACCOUNT_NUMBER}:snapshot:rds:snapshot-1"
]
provider = "aws"
expected_checks = ["rds_snapshots_public_access"]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
@patch(
"prowler.lib.check.check.recover_checks_from_provider",
new=mock_recover_checks_from_aws_provider_ec2_service,
)
def test_get_checks_from_input_arn_ec2_ami(self):
audit_resources = [f"arn:aws:ec2:us-west-2:{AWS_ACCOUNT_NUMBER}:image/ami-1"]
provider = "aws"
expected_checks = ["ec2_ami_public"]
recovered_checks = get_checks_from_input_arn(audit_resources, provider)
assert recovered_checks == expected_checks
def test_get_regions_from_audit_resources_with_regions(self):
audit_resources = [
f"arn:aws:lambda:us-east-1:{AWS_ACCOUNT_NUMBER}:function:test-lambda",
f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:policy/test",
f"arn:aws:ec2:eu-west-1:{AWS_ACCOUNT_NUMBER}:security-group/sg-test",
"arn:aws:s3:::bucket-name",
"arn:aws:apigateway:us-east-2::/restapis/api-id/stages/stage-name",
]
expected_regions = {"us-east-1", "eu-west-1", "us-east-2"}
recovered_regions = get_regions_from_audit_resources(audit_resources)
assert recovered_regions == expected_regions
def test_get_regions_from_audit_resources_without_regions(self):
audit_resources = ["arn:aws:s3:::bucket-name"]
recovered_regions = get_regions_from_audit_resources(audit_resources)
assert not recovered_regions
# def test_parse_checks_from_compliance_framework_two(self):
# test_case = {
# "input": {"compliance_frameworks": ["cis_v1.4_aws", "ens_v3_aws"]},
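Review bot: The tests for `get_checks_from_input_arn` and `get_regions_from_audit_resources` — the ARN-to-check and ARN-to-region mapping that narrows what is audited when audit resources are supplied — are deleted here together with the `mock_recover_checks_from_aws_provider_*_service` fixtures, and nothing in this file replaces them; if equivalent tests were added alongside `AwsProvider` elsewhere in this 211-file commit that is fine, otherwise this coverage is lost. The commented-out constants `# AWS_ACCOUNT_NUMBER = "123456789012"` and `# AWS_REGION = "us-east-1"` are dead code now that `AWS_REGION_US_EAST_1` is imported and should be removed rather than left commented. In `test_parse_checks_from_folder`, `aws_provider = AwsProvider(arguments)` with an empty `Namespace()` constructs a real provider while the config tests in this commit use `set_mocked_aws_provider()`; unless the surrounding mock covers credential discovery, the mocked helper would keep this test independent of the environment.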
@@ -85,7 +85,7 @@ class TestCustomChecksMetadata:
def test_parse_custom_checks_metadata_file_for_kubernetes(self):
assert parse_custom_checks_metadata_file(
KUBERNETES_PROVIDER, CUSTOM_CHECKS_METADATA_FIXTURE_FILE
) == {"Checks": {"bigquery_dataset_cmk_encryption": {"Severity": "low"}}}
) == {"Checks": {"apiserver_anonymous_requests": {"Severity": "low"}}}
def test_parse_custom_checks_metadata_file_for_aws_validation_error(self, caplog):
caplog.set_level(logging.CRITICAL)
-1
@@ -79,7 +79,6 @@ class Test_Parser:
assert not parsed.output_bucket
assert not parsed.output_bucket_no_assume
assert not parsed.shodan
assert not parsed.mutelist_file
assert not parsed.resource_tags
assert not parsed.ignore_unused_services
+54
@@ -0,0 +1,54 @@
from datetime import datetime
from prowler.config.config import prowler_version
from prowler.lib.outputs.common_models import FindingOutput
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER
# TODO: customize it per provider
def generate_finding_output(status, severity, muted, region) -> FindingOutput:
# TODO: Include metadata from a valid file
return FindingOutput(
auth_method="profile: default",
timestamp=datetime.now(),
account_uid=AWS_ACCOUNT_NUMBER,
account_name=AWS_ACCOUNT_NUMBER,
account_email="",
account_organization_uid="test-organization-id",
account_organization_name="test-organization",
account_tags="",
finding_uid="test-unique-finding",
provider="aws",
check_id="test-check-id",
check_title="test-check-id",
check_type="test-type",
status=status,
status_extended="status extended",
muted=muted,
service_name="test-service",
subservice_name="",
severity=severity,
resource_type="test-resource",
resource_uid="resource-id",
resource_name="resource_name",
resource_details="resource_details",
resource_tags="",
partition="aws",
region=region,
description="check description",
risk="",
related_url="",
remediation_recommendation_text="",
remediation_recommendation_url="",
remediation_code_nativeiac="",
remediation_code_terraform="",
remediation_code_cli="",
remediation_code_other="",
compliance="",
categories="",
depends_on="",
related_to="",
notes="",
prowler_version=prowler_version,
)
@@ -0,0 +1,457 @@
from os import path
import mock
from prowler.config.config import prowler_version, timestamp_utc
from prowler.lib.check.models import Check_Report, load_check_metadata
from prowler.lib.outputs.json_asff.json_asff import (
fill_json_asff,
generate_json_asff_resource_tags,
generate_json_asff_status,
)
from prowler.lib.outputs.json_asff.models import (
Check_Output_JSON_ASFF,
Compliance,
ProductFields,
Resource,
Severity,
)
from prowler.lib.utils.utils import hash_sha512
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, set_mocked_aws_provider
METADATA_FIXTURE_PATH = (
f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json"
)
class TestOutputJSONASFF:
def test_fill_json_asff(self):
aws_provider = set_mocked_aws_provider()
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
finding.resource_details = "Test resource details"
finding.resource_id = "test-resource"
finding.resource_arn = "test-arn"
finding.region = "eu-west-1"
finding.status = "PASS"
finding.status_extended = "This is a test"
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
expected = Check_Output_JSON_ASFF(
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
ProductFields=ProductFields(
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
),
GeneratorId="prowler-" + finding.check_metadata.CheckID,
AwsAccountId=AWS_ACCOUNT_NUMBER,
Types=finding.check_metadata.CheckType,
FirstObservedAt=timestamp,
UpdatedAt=timestamp,
CreatedAt=timestamp,
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
Title=finding.check_metadata.CheckTitle,
Description=finding.status_extended,
Resources=[
Resource(
Id="test-arn",
Type=finding.check_metadata.ResourceType,
Partition="aws",
Region="eu-west-1",
)
],
Compliance=Compliance(
Status="PASS" + "ED",
RelatedRequirements=[],
AssociatedStandards=[],
),
Remediation={
"Recommendation": finding.check_metadata.Remediation.Recommendation
},
)
assert fill_json_asff(aws_provider, finding) == expected
def test_fill_json_asff_without_remediation_recommendation_url(self):
aws_provider = set_mocked_aws_provider()
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
# Empty the Remediation.Recomendation.URL
finding.check_metadata.Remediation.Recommendation.Url = ""
finding.resource_details = "Test resource details"
finding.resource_id = "test-resource"
finding.resource_arn = "test-arn"
finding.region = "eu-west-1"
finding.status = "PASS"
finding.status_extended = "This is a test"
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
expected = Check_Output_JSON_ASFF(
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
ProductFields=ProductFields(
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
),
GeneratorId="prowler-" + finding.check_metadata.CheckID,
AwsAccountId=AWS_ACCOUNT_NUMBER,
Types=finding.check_metadata.CheckType,
FirstObservedAt=timestamp,
UpdatedAt=timestamp,
CreatedAt=timestamp,
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
Title=finding.check_metadata.CheckTitle,
Description=finding.status_extended,
Resources=[
Resource(
Id="test-arn",
Type=finding.check_metadata.ResourceType,
Partition="aws",
Region="eu-west-1",
)
],
Compliance=Compliance(
Status="PASS" + "ED",
RelatedRequirements=[],
AssociatedStandards=[],
),
Remediation={
"Recommendation": finding.check_metadata.Remediation.Recommendation,
# "Code": finding.check_metadata.Remediation.Code,
},
)
expected.Remediation["Recommendation"].Text = (
finding.check_metadata.Remediation.Recommendation.Text
)
expected.Remediation["Recommendation"].Url = (
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
)
assert fill_json_asff(aws_provider, finding) == expected
def test_fill_json_asff_with_long_description(self):
aws_provider = set_mocked_aws_provider()
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
# Empty the Remediation.Recomendation.URL
finding.check_metadata.Remediation.Recommendation.Url = ""
finding.resource_details = "Test resource details"
finding.resource_id = "test-resource"
finding.resource_arn = "test-arn"
finding.region = "eu-west-1"
finding.status = "PASS"
finding.status_extended = "x" * 2000 # it has to be limited to 1000+...
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
expected = Check_Output_JSON_ASFF(
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
ProductFields=ProductFields(
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
),
GeneratorId="prowler-" + finding.check_metadata.CheckID,
AwsAccountId=AWS_ACCOUNT_NUMBER,
Types=finding.check_metadata.CheckType,
FirstObservedAt=timestamp,
UpdatedAt=timestamp,
CreatedAt=timestamp,
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
Title=finding.check_metadata.CheckTitle,
Description=finding.status_extended[:1000] + "...",
Resources=[
Resource(
Id="test-arn",
Type=finding.check_metadata.ResourceType,
Partition="aws",
Region="eu-west-1",
)
],
Compliance=Compliance(
Status="PASS" + "ED",
RelatedRequirements=[],
AssociatedStandards=[],
),
Remediation={
"Recommendation": finding.check_metadata.Remediation.Recommendation,
# "Code": finding.check_metadata.Remediation.Code,
},
)
expected.Remediation["Recommendation"].Text = (
finding.check_metadata.Remediation.Recommendation.Text
)
expected.Remediation["Recommendation"].Url = (
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
)
assert fill_json_asff(aws_provider, finding) == expected
def test_fill_json_asff_with_long_associated_standards(self):
aws_provider = set_mocked_aws_provider()
with mock.patch(
"prowler.lib.outputs.json_asff.json_asff.get_check_compliance",
return_value={
"CISA": ["your-systems-3", "your-data-2"],
"SOC2": ["cc_2_1", "cc_7_2", "cc_a_1_2"],
"CIS-1.4": ["3.1"],
"CIS-1.5": ["3.1"],
"GDPR": ["article_25", "article_30"],
"AWS-Foundational-Security-Best-Practices": ["cloudtrail"],
"HIPAA": [
"164_308_a_1_ii_d",
"164_308_a_3_ii_a",
"164_308_a_6_ii",
"164_312_b",
"164_312_e_2_i",
],
"ISO27001": ["A.12.4"],
"GxP-21-CFR-Part-11": ["11.10-e", "11.10-k", "11.300-d"],
"AWS-Well-Architected-Framework-Security-Pillar": [
"SEC04-BP02",
"SEC04-BP03",
],
"GxP-EU-Annex-11": [
"1-risk-management",
"4.2-validation-documentation-change-control",
],
"NIST-800-171-Revision-2": [
"3_1_12",
"3_3_1",
"3_3_2",
"3_3_3",
"3_4_1",
"3_6_1",
"3_6_2",
"3_13_1",
"3_13_2",
"3_14_6",
"3_14_7",
],
"NIST-800-53-Revision-4": [
"ac_2_4",
"ac_2",
"au_2",
"au_3",
"au_12",
"cm_2",
],
"NIST-800-53-Revision-5": [
"ac_2_4",
"ac_3_1",
"ac_3_10",
"ac_4_26",
"ac_6_9",
"au_2_b",
"au_3_1",
"au_3_a",
"au_3_b",
"au_3_c",
"au_3_d",
"au_3_e",
"au_3_f",
"au_6_3",
"au_6_4",
"au_6_6",
"au_6_9",
"au_8_b",
"au_10",
"au_12_a",
"au_12_c",
"au_12_1",
"au_12_2",
"au_12_3",
"au_12_4",
"au_14_a",
"au_14_b",
"au_14_3",
"ca_7_b",
"cm_5_1_b",
"cm_6_a",
"cm_9_b",
"ia_3_3_b",
"ma_4_1_a",
"pm_14_a_1",
"pm_14_b",
"pm_31",
"sc_7_9_b",
"si_1_1_c",
"si_3_8_b",
"si_4_2",
"si_4_17",
"si_4_20",
"si_7_8",
"si_10_1_c",
],
"ENS-RD2022": [
"op.acc.6.r5.aws.iam.1",
"op.exp.5.aws.ct.1",
"op.exp.8.aws.ct.1",
"op.exp.8.aws.ct.6",
"op.exp.9.aws.ct.1",
"op.mon.1.aws.ct.1",
],
"NIST-CSF-1.1": [
"ae_1",
"ae_3",
"ae_4",
"cm_1",
"cm_3",
"cm_6",
"cm_7",
"am_3",
"ac_6",
"ds_5",
"ma_2",
"pt_1",
],
"RBI-Cyber-Security-Framework": ["annex_i_7_4"],
"FFIEC": [
"d2-ma-ma-b-1",
"d2-ma-ma-b-2",
"d3-dc-an-b-3",
"d3-dc-an-b-4",
"d3-dc-an-b-5",
"d3-dc-ev-b-1",
"d3-dc-ev-b-3",
"d3-pc-im-b-3",
"d3-pc-im-b-7",
"d5-dr-de-b-3",
],
"PCI-3.2.1": ["cloudtrail"],
"FedRamp-Moderate-Revision-4": [
"ac-2-4",
"ac-2-g",
"au-2-a-d",
"au-3",
"au-6-1-3",
"au-12-a-c",
"ca-7-a-b",
"si-4-16",
"si-4-2",
"si-4-4",
"si-4-5",
],
"FedRAMP-Low-Revision-4": ["ac-2", "au-2", "ca-7"],
},
):
finding = Check_Report(load_check_metadata(METADATA_FIXTURE_PATH).json())
# Empty the Remediation.Recomendation.URL
finding.check_metadata.Remediation.Recommendation.Url = ""
finding.resource_details = "Test resource details"
finding.resource_id = "test-resource"
finding.resource_arn = "test-arn"
finding.region = "eu-west-1"
finding.status = "PASS"
finding.status_extended = "This is a test"
timestamp = timestamp_utc.strftime("%Y-%m-%dT%H:%M:%SZ")
expected = Check_Output_JSON_ASFF(
Id=f"prowler-{finding.check_metadata.CheckID}-123456789012-eu-west-1-{hash_sha512('test-resource')}",
ProductArn="arn:aws:securityhub:eu-west-1::product/prowler/prowler",
ProductFields=ProductFields(
ProviderVersion=prowler_version, ProwlerResourceName="test-arn"
),
GeneratorId="prowler-" + finding.check_metadata.CheckID,
AwsAccountId=AWS_ACCOUNT_NUMBER,
Types=finding.check_metadata.CheckType,
FirstObservedAt=timestamp,
UpdatedAt=timestamp,
CreatedAt=timestamp,
Severity=Severity(Label=finding.check_metadata.Severity.upper()),
Title=finding.check_metadata.CheckTitle,
Description=finding.status_extended,
Resources=[
Resource(
Id="test-arn",
Type=finding.check_metadata.ResourceType,
Partition="aws",
Region="eu-west-1",
)
],
Compliance=Compliance(
Status="PASS" + "ED",
RelatedRequirements=[
"CISA your-systems-3 your-data-2",
"SOC2 cc_2_1 cc_7_2 cc_a_1_2",
"CIS-1.4 3.1",
"CIS-1.5 3.1",
"GDPR article_25 article_30",
"AWS-Foundational-Security-Best-Practices cloudtrail",
"HIPAA 164_308_a_1_ii_d 164_308_a_3_ii_a 164_308_a_6_ii 164_312_",
"ISO27001 A.12.4",
"GxP-21-CFR-Part-11 11.10-e 11.10-k 11.300-d",
"AWS-Well-Architected-Framework-Security-Pillar SEC04-BP02 SEC04",
"GxP-EU-Annex-11 1-risk-management 4.2-validation-documentation-",
"NIST-800-171-Revision-2 3_1_12 3_3_1 3_3_2 3_3_3 3_4_1 3_6_1 3_",
"NIST-800-53-Revision-4 ac_2_4 ac_2 au_2 au_3 au_12 cm_2",
"NIST-800-53-Revision-5 ac_2_4 ac_3_1 ac_3_10 ac_4_26 ac_6_9 au_",
"ENS-RD2022 op.acc.6.r5.aws.iam.1 op.exp.5.aws.ct.1 op.exp.8.aws",
"NIST-CSF-1.1 ae_1 ae_3 ae_4 cm_1 cm_3 cm_6 cm_7 am_3 ac_6 ds_5 ",
"RBI-Cyber-Security-Framework annex_i_7_4",
"FFIEC d2-ma-ma-b-1 d2-ma-ma-b-2 d3-dc-an-b-3 d3-dc-an-b-4 d3-dc",
"PCI-3.2.1 cloudtrail",
"FedRamp-Moderate-Revision-4 ac-2-4 ac-2-g au-2-a-d au-3 au-6-1-",
],
AssociatedStandards=[
{"StandardsId": "CISA"},
{"StandardsId": "SOC2"},
{"StandardsId": "CIS-1.4"},
{"StandardsId": "CIS-1.5"},
{"StandardsId": "GDPR"},
{"StandardsId": "AWS-Foundational-Security-Best-Practices"},
{"StandardsId": "HIPAA"},
{"StandardsId": "ISO27001"},
{"StandardsId": "GxP-21-CFR-Part-11"},
{
"StandardsId": "AWS-Well-Architected-Framework-Security-Pillar"
},
{"StandardsId": "GxP-EU-Annex-11"},
{"StandardsId": "NIST-800-171-Revision-2"},
{"StandardsId": "NIST-800-53-Revision-4"},
{"StandardsId": "NIST-800-53-Revision-5"},
{"StandardsId": "ENS-RD2022"},
{"StandardsId": "NIST-CSF-1.1"},
{"StandardsId": "RBI-Cyber-Security-Framework"},
{"StandardsId": "FFIEC"},
{"StandardsId": "PCI-3.2.1"},
{"StandardsId": "FedRamp-Moderate-Revision-4"},
],
),
Remediation={
"Recommendation": finding.check_metadata.Remediation.Recommendation,
# "Code": finding.check_metadata.Remediation.Code,
},
)
expected.Remediation["Recommendation"].Text = (
finding.check_metadata.Remediation.Recommendation.Text
)
expected.Remediation["Recommendation"].Url = (
"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html"
)
assert fill_json_asff(aws_provider, finding) == expected
def test_generate_json_asff_status(self):
assert generate_json_asff_status("PASS") == "PASSED"
assert generate_json_asff_status("FAIL") == "FAILED"
assert generate_json_asff_status("MUTED") == "MUTED"
assert generate_json_asff_status("SOMETHING ELSE") == "NOT_AVAILABLE"
def test_generate_json_asff_resource_tags(self):
assert generate_json_asff_resource_tags(None) is None
assert generate_json_asff_resource_tags([]) is None
assert generate_json_asff_resource_tags([{}]) is None
assert generate_json_asff_resource_tags([{"key1": "value1"}]) == {
"key1": "value1"
}
assert generate_json_asff_resource_tags(
[{"Key": "key1", "Value": "value1"}]
) == {"key1": "value1"}
@@ -0,0 +1,225 @@
# from datetime import datetime
from os import path
from py_ocsf_models.events.base_event import SeverityID, StatusID
from py_ocsf_models.events.findings.detection_finding import (
TypeID as DetectionFindingTypeID,
)
from py_ocsf_models.events.findings.finding import ActivityID, FindingInformation
from py_ocsf_models.objects.account import Account, TypeID
from py_ocsf_models.objects.cloud import Cloud
from py_ocsf_models.objects.group import Group
from py_ocsf_models.objects.metadata import Metadata
from py_ocsf_models.objects.organization import Organization
from py_ocsf_models.objects.product import Product
# from py_ocsf_models.events.findings.detection_finding import DetectionFinding
from py_ocsf_models.objects.remediation import Remediation
from py_ocsf_models.objects.resource_details import ResourceDetails
from prowler.config.config import prowler_version
from prowler.lib.outputs.json_ocsf.json_ocsf import (
fill_json_ocsf,
get_account_type_id_by_provider,
get_finding_status_id,
)
from tests.lib.outputs.fixtures.fixtures import generate_finding_output
from tests.providers.aws.utils import AWS_REGION_EU_WEST_1
METADATA_FIXTURE_PATH = (
f"{path.dirname(path.realpath(__file__))}/../fixtures/metadata.json"
)
class TestOutputJSONOCSF:
# test_fill_json_ocsf_iso_format_timestamp
def test_finding_output_cloud_pass_low_muted(self):
finding_output = generate_finding_output(
"PASS", "low", True, AWS_REGION_EU_WEST_1
)
finding_json_ocsf = fill_json_ocsf(finding_output)
# Activity
assert finding_json_ocsf.activity_id == ActivityID.Create.value
assert finding_json_ocsf.activity_name == ActivityID.Create.name
# Finding Information
finding_information = finding_json_ocsf.finding_info
assert isinstance(finding_information, FindingInformation)
assert finding_information.created_time == finding_output.timestamp
assert finding_information.desc == finding_output.description
assert finding_information.title == finding_output.check_title
assert finding_information.uid == finding_output.finding_uid
assert finding_information.product_uid == "prowler"
# Event time
assert finding_json_ocsf.event_time == finding_output.timestamp
# Remediation
remediation = finding_json_ocsf.remediation
assert isinstance(remediation, Remediation)
assert remediation.desc == finding_output.remediation_recommendation_text
assert remediation.references == []
# Severity
assert finding_json_ocsf.severity_id == SeverityID.Low
assert finding_json_ocsf.severity == SeverityID.Low.name
# Status
assert finding_json_ocsf.status_id == StatusID.Suppressed.value
assert finding_json_ocsf.status == StatusID.Suppressed.name
assert finding_json_ocsf.status_code == finding_output.status
assert finding_json_ocsf.status_detail == finding_output.status_extended
# ResourceDetails
resource_details = finding_json_ocsf.resources
assert len(resource_details) == 1
assert isinstance(resource_details, list)
assert isinstance(resource_details[0], ResourceDetails)
assert resource_details[0].labels == []
assert resource_details[0].name == finding_output.resource_name
assert resource_details[0].uid == finding_output.resource_uid
assert resource_details[0].type == finding_output.resource_type
assert resource_details[0].cloud_partition == finding_output.partition
assert resource_details[0].region == finding_output.region
resource_details_group = resource_details[0].group
assert isinstance(resource_details_group, Group)
assert resource_details_group.name == finding_output.service_name
# Metadata
metadata = finding_json_ocsf.metadata
assert isinstance(metadata, Metadata)
metadata_product = metadata.product
assert isinstance(metadata_product, Product)
assert metadata_product.name == "Prowler"
assert metadata_product.vendor_name == "Prowler"
assert metadata_product.version == prowler_version
# Type
assert finding_json_ocsf.type_uid == DetectionFindingTypeID.Create
assert finding_json_ocsf.type_name == DetectionFindingTypeID.Create.name
# Cloud
cloud = finding_json_ocsf.cloud
assert isinstance(cloud, Cloud)
assert cloud.provider == "aws"
assert cloud.region == finding_output.region
cloud_account = cloud.account
assert isinstance(cloud_account, Account)
assert cloud_account.name == finding_output.account_name
assert cloud_account.type_id == TypeID.AWS_Account
assert cloud_account.type == TypeID.AWS_Account.name
assert cloud_account.uid == finding_output.account_uid
cloud_organization = cloud.org
assert isinstance(cloud_organization, Organization)
assert cloud_organization.uid == finding_output.account_organization_uid
assert cloud_organization.name == finding_output.account_organization_name
def test_finding_output_cloud_fail_low_not_muted(self):
finding_output = generate_finding_output(
"FAIL", "low", False, AWS_REGION_EU_WEST_1
)
finding_json_ocsf = fill_json_ocsf(finding_output)
# Status
assert finding_json_ocsf.status_id == StatusID.New.value
assert finding_json_ocsf.status == StatusID.New.name
assert finding_json_ocsf.status_code == finding_output.status
assert finding_json_ocsf.status_detail == finding_output.status_extended
def test_finding_output_cloud_pass_low_not_muted(self):
finding_output = generate_finding_output(
"PASS", "low", False, AWS_REGION_EU_WEST_1
)
finding_json_ocsf = fill_json_ocsf(finding_output)
# Status
assert finding_json_ocsf.status_id == StatusID.Other.value
assert finding_json_ocsf.status == StatusID.Other.name
assert finding_json_ocsf.status_code == finding_output.status
assert finding_json_ocsf.status_detail == finding_output.status_extended
# Returns TypeID.AWS_Account when provider is 'aws'
def test_returns_aws_account_when_provider_is_aws(self):
provider = "aws"
result = get_account_type_id_by_provider(provider)
assert result == TypeID.AWS_Account
# Returns TypeID.Azure_AD_Account when provider is 'azure'
def test_returns_azure_ad_account_when_provider_is_azure(self):
provider = "azure"
result = get_account_type_id_by_provider(provider)
assert result == TypeID.Azure_AD_Account
# Returns TypeID.GCP_Account when provider is 'gcp'
def test_returns_gcp_account_when_provider_is_gcp(self):
provider = "gcp"
result = get_account_type_id_by_provider(provider)
assert result == TypeID.GCP_Account
# Returns TypeID.Other when provider is None
def test_returns_other_when_provider_is_none(self):
provider = None
result = get_account_type_id_by_provider(provider)
assert result == TypeID.Other
# Returns StatusID.New when status is "FAIL" and muted is False
def test_new_when_status_fail_and_not_muted(self):
status = "FAIL"
muted = False
result = get_finding_status_id(status, muted)
assert result == StatusID.New
# Returns StatusID.Suppressed when status is "FAIL" and muted is True
def test_suppressed_when_status_fail_and_muted(self):
status = "FAIL"
muted = True
result = get_finding_status_id(status, muted)
assert result == StatusID.Suppressed
# Returns StatusID.Other when status is None and muted is False
def test_other_when_status_whatever_and_not_muted(self):
status = None
muted = False
result = get_finding_status_id(status, muted)
assert result == StatusID.Other
# Returns StatusID.Suppresed when status is None and muted is True
def test_other_when_status_whatever_and_muted(self):
status = None
muted = True
result = get_finding_status_id(status, muted)
assert result == StatusID.Suppressed
# Returns StatusID.Suppressed when muted is True and status is not "FAIL"
def test_suppressed_when_status_pass_and_muted(self):
status = "PASS"
muted = True
result = get_finding_status_id(status, muted)
assert result == StatusID.Suppressed
# Returns StatusID.Other when muted is False and status is not "FAIL"
def test_other_when_status_pass_and_not_muted(self):
status = "PASS"
muted = False
result = get_finding_status_id(status, muted)
assert result == StatusID.Other
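Review bot: The test name `test_other_when_status_whatever_and_muted` (the `status = None`, `muted = True` case) contradicts its own assertion, which expects `StatusID.Suppressed`, and the comment above it misspells the enum as `Suppresed`; rename it `test_suppressed_when_status_none_and_muted` and fix the comment to `# Returns StatusID.Suppressed when status is None and muted is True`. The placeholder comment `# test_fill_json_ocsf_iso_format_timestamp` at the top of the class names a test that was never written, so either drop it or add the timestamp-format test it describes. The enum comparisons also mix styles — `status_id` and `activity_id` are compared against `.value` while `severity_id` and `type_uid` are compared against the member itself — which only passes if those fields hold enum members (or the enum is an int subclass), so it is worth settling on one form across the file.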
+30 -71
@@ -7,15 +7,13 @@ from prowler.lib.outputs.slack import (
create_message_identity,
send_slack_message,
)
from prowler.providers.azure.lib.audit_info.models import (
Azure_Audit_Info,
AzureIdentityInfo,
AzureRegionConfig,
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, set_mocked_aws_provider
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
AZURE_SUBSCRIPTION_NAME,
set_mocked_azure_provider,
)
from prowler.providers.common.models import Audit_Metadata
from prowler.providers.gcp.lib.audit_info.models import GCP_Audit_Info
AWS_ACCOUNT_ID = "123456789012"
from tests.providers.gcp.gcp_fixtures import set_mocked_gcp_provider
def mock_create_message_blocks(*_):
@@ -26,75 +24,36 @@ def mock_create_message_identity(*_):
return "", ""
class Test_Slack_Integration:
def test_create_message_identity(self):
# TODO(Audit_Info): use provider here
aws_audit_info = AWS_Audit_Info(
session_config=None,
original_session=None,
audit_session=None,
audited_account=AWS_ACCOUNT_ID,
audited_account_arn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:root",
audited_identity_arn="test-arn",
audited_user_id="test",
audited_partition="aws",
profile="default",
profile_region="eu-west-1",
credentials=None,
assumed_role_info=None,
audited_regions=["eu-west-2", "eu-west-1"],
organizations_metadata=None,
audit_resources=None,
mfa_enabled=False,
audit_metadata=Audit_Metadata(
services_scanned=0,
expected_checks=[],
completed_checks=0,
audit_progress=0,
),
audit_config=None,
)
gcp_audit_info = GCP_Audit_Info(
credentials=None,
default_project_id="test-project1",
project_ids=["test-project1", "test-project2"],
audit_resources=None,
audit_metadata=None,
audit_config=None,
)
azure_audit_info = Azure_Audit_Info(
credentials=None,
identity=AzureIdentityInfo(
identity_id="",
identity_type="",
tenant_ids=[],
domain="",
subscriptions={
"subscription 1": "qwerty",
"subscription 2": "asdfg",
},
),
audit_resources=None,
audit_metadata=None,
audit_config=None,
AzureRegionConfig=AzureRegionConfig(),
locations=None,
)
assert create_message_identity("aws", aws_audit_info) == (
f"AWS Account *{aws_audit_info.audited_account}*",
class TestSlackIntegration:
def test_create_message_identity_aws(self):
aws_provider = set_mocked_aws_provider()
assert create_message_identity(aws_provider) == (
f"AWS Account *{aws_provider.identity.account}*",
aws_logo,
)
assert create_message_identity("gcp", gcp_audit_info) == (
f"GCP Projects *{', '.join(gcp_audit_info.project_ids)}*",
gcp_logo,
)
assert create_message_identity("azure", azure_audit_info) == (
"Azure Subscriptions:\n- *subscription 1: qwerty*\n- *subscription 2: asdfg*\n",
def test_create_message_identity_azure(self):
azure_provider = set_mocked_azure_provider()
assert create_message_identity(azure_provider) == (
f"Azure Subscriptions:\n- *{AZURE_SUBSCRIPTION_ID}: {AZURE_SUBSCRIPTION_NAME}*\n",
azure_logo,
)
def test_create_message_identity_gcp(self):
gcp_provider = set_mocked_gcp_provider(
project_ids=["test-project1", "test-project2"],
default_project_id="test-project1",
)
assert create_message_identity(gcp_provider) == (
f"GCP Projects *{', '.join(gcp_provider.project_ids)}*",
gcp_logo,
)
def test_create_message_blocks(self):
aws_identity = f"AWS Account *{AWS_ACCOUNT_ID}*"
aws_identity = f"AWS Account *{AWS_ACCOUNT_NUMBER}*"
azure_identity = "Azure Subscriptions:\n- *subscription 1: qwerty*\n- *subscription 2: asdfg*\n"
gcp_identity = "GCP Project *gcp-project*"
stats = {}
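Review bot: `test_create_message_identity_azure` now exercises only a single subscription, whereas the removed test (the two-entry `subscriptions` dict) also covered the joining of several subscriptions into one message, so the multi-subscription formatting path of `create_message_identity` is no longer tested; `set_mocked_azure_provider` appears to be called with fixture defaults here, so a second case with two subscriptions would be needed to restore that coverage. Separately, the identity strings in `test_create_message_blocks` (`gcp_identity = "GCP Project *gcp-project*"`, the hardcoded azure string) no longer match what `create_message_identity` emits (`GCP Projects *…*`), which is harmless if the function only forwards the string but leaves the fixtures misleading. `test_create_message_blocks` continues past the hunk.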
+4 -3
@@ -156,8 +156,9 @@ class TestFilePermissions:
temp_file.close()
os.chmod(temp_file.name, 0o644) # Set permissions to 644 (-rw-r--r--)
# Check ownership for the temporary file
is_root = is_owned_by_root(temp_file.name)
assert not is_root
assert not is_owned_by_root(temp_file.name)
os.unlink(temp_file.name)
assert not is_owned_by_root("not_existing_file")
assert is_owned_by_root("/etc/passwd")
# Not valid for darwin systems
# assert is_owned_by_root("/etc/passwd")
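Review bot: Commenting out `assert is_owned_by_root("/etc/passwd")` drops the only positive assertion for root ownership on every platform, not just darwin, so the function under test is now covered by negative cases (`not is_owned_by_root(...)`) alone. Prefer a platform guard that keeps the check where it is valid, e.g. `if sys.platform != "darwin": assert is_owned_by_root("/etc/passwd")` (or a `pytest.mark.skipif` on a dedicated test); `sys` may need importing, since only `os` is visible in this hunk. It is also worth a one-line comment stating that `not is_owned_by_root("not_existing_file")` is the intended contract for a missing path, because a caller that treats "not root-owned" as "unsafe to load" and one that treats it as "nothing to check" behave differently. The enclosing test method starts outside the hunk.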
@@ -1,510 +0,0 @@
import re
import boto3
import botocore
from mock import patch
from moto import mock_aws
from prowler.providers.aws.lib.arn.arn import parse_iam_credentials_arn
from prowler.providers.aws.lib.credentials.credentials import (
create_sts_session,
validate_aws_credentials,
)
AWS_ACCOUNT_NUMBER = "123456789012"
# Mocking GetCallerIdentity for China and GovCloud
make_api_call = botocore.client.BaseClient._make_api_call
def mock_get_caller_identity_china(self, operation_name, kwarg):
if operation_name == "GetCallerIdentity":
return {
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
"Account": AWS_ACCOUNT_NUMBER,
"Arn": f"arn:aws-cn:iam::{AWS_ACCOUNT_NUMBER}:user/test-user",
}
return make_api_call(self, operation_name, kwarg)
def mock_get_caller_identity_gov_cloud(self, operation_name, kwarg):
if operation_name == "GetCallerIdentity":
return {
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
"Account": AWS_ACCOUNT_NUMBER,
"Arn": f"arn:aws-us-gov:iam::{AWS_ACCOUNT_NUMBER}:user/test-user",
}
return make_api_call(self, operation_name, kwarg)
class Test_AWS_Credentials:
@mock_aws
def test_validate_credentials_commercial_partition_with_regions(self):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(session, [aws_region])
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_validate_credentials_commercial_partition_with_regions_none_and_profile_region_so_profile_region(
self,
):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(session, None)
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_validate_credentials_commercial_partition_with_0_regions_and_profile_region_so_profile_region(
self,
):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(session, [])
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_validate_credentials_commercial_partition_without_regions_and_profile_region_so_us_east_1(
self,
):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=None,
)
get_caller_identity = validate_aws_credentials(session, [])
assert get_caller_identity["region"] == "us-east-1"
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_validate_credentials_commercial_partition_with_regions_none_and_profile_region_but_sts_endpoint_region(
self,
):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
sts_endpoint_region = aws_region
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(
session, None, sts_endpoint_region
)
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_validate_credentials_china_partition_without_regions_and_profile_region_so_us_east_1(
self,
):
# AWS Region for AWS COMMERCIAL
aws_region = "eu-west-1"
aws_partition = "aws"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=None,
)
get_caller_identity = validate_aws_credentials(session, [])
assert get_caller_identity["region"] == "us-east-1"
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
@patch(
"botocore.client.BaseClient._make_api_call", new=mock_get_caller_identity_china
)
def test_validate_credentials_china_partition(self):
# AWS Region for AWS CHINA
aws_region = "cn-north-1"
aws_partition = "aws-cn"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(session, [aws_region])
# To use GovCloud or China it is either required:
# - Set the AWS profile region with a valid partition region
# - Use the -f/--region with a valid partition region
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
@patch(
"botocore.client.BaseClient._make_api_call", new=mock_get_caller_identity_china
)
def test_validate_credentials_china_partition_without_regions_but_sts_endpoint_region(
self,
):
# AWS Region for AWS CHINA
aws_region = "cn-north-1"
sts_endpoint_region = aws_region
aws_partition = "aws-cn"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(
session, None, sts_endpoint_region
)
# To use GovCloud or China it is either required:
# - Set the AWS profile region with a valid partition region
# - Use the -f/--region with a valid partition region
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
@patch(
"botocore.client.BaseClient._make_api_call",
new=mock_get_caller_identity_gov_cloud,
)
def test_validate_credentials_gov_cloud_partition(self):
# AWS Region for US GOV CLOUD
aws_region = "us-gov-east-1"
aws_partition = "aws-us-gov"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(session, [aws_region])
# To use GovCloud or China it is either required:
# - Set the AWS profile region with a valid partition region
# - Use the -f/--region with a valid partition region
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
@patch(
"botocore.client.BaseClient._make_api_call",
new=mock_get_caller_identity_gov_cloud,
)
def test_validate_credentials_gov_cloud_partition_without_regions_but_sts_endpoint_region(
self,
):
# AWS Region for US GOV CLOUD
aws_region = "us-gov-east-1"
sts_endpoint_region = aws_region
aws_partition = "aws-us-gov"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
get_caller_identity = validate_aws_credentials(
session, None, sts_endpoint_region
)
# To use GovCloud or China it is either required:
# - Set the AWS profile region with a valid partition region
# - Use the -f/--region with a valid partition region
assert get_caller_identity["region"] == aws_region
caller_identity_arn = parse_iam_credentials_arn(get_caller_identity["Arn"])
assert caller_identity_arn.partition == aws_partition
assert caller_identity_arn.region is None
assert caller_identity_arn.resource == "test-user"
assert caller_identity_arn.resource_type == "user"
assert re.match("[0-9a-zA-Z]{20}", get_caller_identity["UserId"])
assert get_caller_identity["Account"] == AWS_ACCOUNT_NUMBER
@mock_aws
def test_create_sts_session(self):
aws_region = "eu-west-1"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
sts_client = create_sts_session(session, aws_region)
assert sts_client._endpoint._endpoint_prefix == "sts"
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
@mock_aws
def test_create_sts_session_gov_cloud(self):
aws_region = "us-gov-east-1"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
sts_client = create_sts_session(session, aws_region)
assert sts_client._endpoint._endpoint_prefix == "sts"
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
@mock_aws
def test_create_sts_session_china(self):
aws_region = "cn-north-1"
# Create a mock IAM user
iam_client = boto3.client("iam", region_name=aws_region)
iam_user = iam_client.create_user(UserName="test-user")["User"]
# Create a mock IAM access keys
access_key = iam_client.create_access_key(UserName=iam_user["UserName"])[
"AccessKey"
]
access_key_id = access_key["AccessKeyId"]
secret_access_key = access_key["SecretAccessKey"]
# Create AWS session to validate
session = boto3.session.Session(
aws_access_key_id=access_key_id,
aws_secret_access_key=secret_access_key,
region_name=aws_region,
)
sts_client = create_sts_session(session, aws_region)
assert sts_client._endpoint._endpoint_prefix == "sts"
assert sts_client._endpoint.host == f"https://sts.{aws_region}.amazonaws.com"
@@ -1,13 +1,11 @@
import json
import boto3
from moto import mock_aws
from prowler.providers.aws.lib.audit_info.models import AWS_Organizations_Info
from prowler.providers.aws.lib.organizations.organizations import (
get_organizations_metadata,
parse_organizations_metadata,
)
from prowler.providers.aws.models import AWSOrganizationsInfo
from tests.providers.aws.utils import AWS_ACCOUNT_NUMBER, AWS_REGION_US_EAST_1
@@ -15,8 +13,6 @@ class Test_AWS_Organizations:
@mock_aws
def test_organizations(self):
client = boto3.client("organizations", region_name=AWS_REGION_US_EAST_1)
iam_client = boto3.client("iam", region_name=AWS_REGION_US_EAST_1)
sts_client = boto3.client("sts", region_name=AWS_REGION_US_EAST_1)
mockname = "mock-account"
mockdomain = "moto-example.org"
@@ -31,53 +27,47 @@ class Test_AWS_Organizations:
ResourceId=account_id, Tags=[{"Key": "key", "Value": "value"}]
)
trust_policy_document = {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": f"arn:aws:iam::{AWS_ACCOUNT_NUMBER}:root"},
"Action": "sts:AssumeRole",
},
}
iam_role_arn = iam_client.role_arn = iam_client.create_role(
RoleName="test-role",
AssumeRolePolicyDocument=json.dumps(trust_policy_document),
)["Role"]["Arn"]
session_name = "new-session"
assumed_role = sts_client.assume_role(
RoleArn=iam_role_arn, RoleSessionName=session_name
)
metadata, tags = get_organizations_metadata(account_id, assumed_role)
metadata, tags = get_organizations_metadata(account_id, boto3.Session())
org = parse_organizations_metadata(metadata, tags)
assert org.account_details_email == mockemail
assert org.account_details_name == mockname
assert isinstance(org, AWSOrganizationsInfo)
assert org.account_email == mockemail
assert org.account_name == mockname
assert (
org.account_details_arn
org.organization_account_arn
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:account/{org_id}/{account_id}"
)
assert org.account_details_org == org_id
assert org.account_details_tags == "key:value"
assert (
org.organization_arn
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:organization/{org_id}"
)
assert org.organization_id == org_id
assert org.account_tags == "key:value"
def test_parse_organizations_metadata(self):
tags = {"Tags": [{"Key": "test-key", "Value": "test-value"}]}
name = "test-name"
email = "test-email"
organization_name = "test-org"
name = "mock-account"
email = "mock-account@moto-example.org"
organization_name = "o-v4bzbxm7ib"
arn = f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:organization/{organization_name}"
metadata = {
"Account": {
"Name": name,
"Email": email,
"Arn": arn,
"Id": AWS_ACCOUNT_NUMBER,
"Arn": f"arn:aws:organizations::123456789012:account/o-v4bzbxm7ib/{AWS_ACCOUNT_NUMBER}",
"Email": "mock-account@moto-example.org",
"Name": "mock-account",
"Status": "ACTIVE",
}
}
org = parse_organizations_metadata(metadata, tags)
assert isinstance(org, AWS_Organizations_Info)
assert org.account_details_email == email
assert org.account_details_name == name
assert org.account_details_arn == arn
assert org.account_details_org == organization_name
assert org.account_details_tags == "test-key:test-value"
assert isinstance(org, AWSOrganizationsInfo)
assert org.account_email == email
assert org.account_name == name
assert (
org.organization_account_arn
== f"arn:aws:organizations::{AWS_ACCOUNT_NUMBER}:account/{organization_name}/{AWS_ACCOUNT_NUMBER}"
)
assert org.organization_arn == arn
assert org.account_tags == "test-key:test-value"
@@ -24,19 +24,19 @@ class TestS3:
@mock_aws
def test_send_to_s3_bucket(self):
# Mock Audit Info
audit_info = MagicMock()
provider = MagicMock()
# Create mock session
audit_info.audit_session = boto3.session.Session(region_name=AWS_REGION)
audit_info.identity.account = AWS_ACCOUNT_ID
provider.current_session = boto3.session.Session(region_name=AWS_REGION)
provider.identity.account = AWS_ACCOUNT_ID
# Create mock bucket
client = audit_info.audit_session.client("s3")
client = provider.current_session.client("s3")
client.create_bucket(Bucket=S3_BUCKET_NAME)
# Mocked CSV output file
output_directory = f"{ACTUAL_DIRECTORY}/{FIXTURES_DIR_NAME}"
filename = f"prowler-output-{audit_info.identity.account}"
filename = f"prowler-output-{provider.identity.account}"
# Send mock CSV file to mock S3 Bucket
send_to_s3_bucket(
@@ -44,7 +44,7 @@ class TestS3:
output_directory,
OUTPUT_MODE_CSV,
S3_BUCKET_NAME,
audit_info.audit_session,
provider.current_session,
)
bucket_directory = get_s3_object_path(output_directory)
@@ -63,19 +63,19 @@ class TestS3:
@mock_aws
def test_send_to_s3_bucket_compliance(self):
# Mock Audit Info
audit_info = MagicMock()
provider = MagicMock()
# Create mock session
audit_info.audit_session = boto3.session.Session(region_name=AWS_REGION)
audit_info.identity.account = AWS_ACCOUNT_ID
provider.current_session = boto3.session.Session(region_name=AWS_REGION)
provider.identity.account = AWS_ACCOUNT_ID
# Create mock bucket
client = audit_info.audit_session.client("s3")
client = provider.current_session.client("s3")
client.create_bucket(Bucket=S3_BUCKET_NAME)
# Mocked CSV output file
output_directory = f"{ACTUAL_DIRECTORY}/{FIXTURES_DIR_NAME}"
filename = f"prowler-output-{audit_info.identity.account}"
filename = f"prowler-output-{provider.identity.account}"
# Send mock CSV file to mock S3 Bucket
send_to_s3_bucket(
@@ -83,7 +83,7 @@ class TestS3:
output_directory,
OUTPUT_MODE_CIS_1_4_AWS,
S3_BUCKET_NAME,
audit_info.audit_session,
provider.current_session,
)
bucket_directory = get_s3_object_path(output_directory)
@@ -18,7 +18,7 @@ from tests.providers.aws.utils import (
AWS_COMMERCIAL_PARTITION,
AWS_REGION_EU_WEST_1,
AWS_REGION_EU_WEST_2,
set_mocked_aws_audit_info,
set_mocked_aws_provider,
)
@@ -108,11 +108,11 @@ class Test_SecurityHub:
return finding
def set_mocked_output_options(
self, is_quiet: bool = False, send_sh_only_fails: bool = False
self, status: list[str] = [], send_sh_only_fails: bool = False
):
output_options = MagicMock
output_options.bulk_checks_metadata = {}
output_options.is_quiet = is_quiet
output_options.status = status
output_options.send_sh_only_fails = send_sh_only_fails
return output_options
@@ -160,7 +160,7 @@ class Test_SecurityHub:
(
"root",
WARNING,
f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
f"ClientError -- [64]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
)
]
@@ -220,7 +220,7 @@ class Test_SecurityHub:
(
"root",
ERROR,
f"ClientError -- [68]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
f"ClientError -- [64]: An error occurred ({error_code}) when calling the {operation_name} operation: {error_message}",
)
]
@@ -246,83 +246,83 @@ class Test_SecurityHub:
(
"root",
ERROR,
f"Exception -- [68]: {error_message}",
f"Exception -- [64]: {error_message}",
)
]
def test_prepare_security_hub_findings_enabled_region_not_quiet(self):
def test_prepare_security_hub_findings_enabled_region_all_statuses(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=False)
output_options = self.set_mocked_output_options()
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {
AWS_REGION_EU_WEST_1: [get_security_hub_finding("PASSED")],
}
def test_prepare_security_hub_findings_quiet_INFO_finding(self):
def test_prepare_security_hub_findings_all_statuses_MANUAL_finding(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=False)
findings = [self.generate_finding("INFO", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
output_options = self.set_mocked_output_options()
findings = [self.generate_finding("MANUAL", AWS_REGION_EU_WEST_1)]
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: []}
def test_prepare_security_hub_findings_disabled_region(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=False)
output_options = self.set_mocked_output_options()
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_2)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: []}
def test_prepare_security_hub_findings_quiet_PASS(self):
def test_prepare_security_hub_findings_PASS_and_FAIL_statuses(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=True)
output_options = self.set_mocked_output_options(status=["FAIL"])
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: []}
def test_prepare_security_hub_findings_quiet_FAIL(self):
def test_prepare_security_hub_findings_FAIL_and_FAIL_statuses(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=True)
output_options = self.set_mocked_output_options(status=["FAIL"])
findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
@@ -331,13 +331,13 @@ class Test_SecurityHub:
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(send_sh_only_fails=True)
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: []}
@@ -346,26 +346,26 @@ class Test_SecurityHub:
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(send_sh_only_fails=True)
findings = [self.generate_finding("FAIL", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {AWS_REGION_EU_WEST_1: [get_security_hub_finding("FAILED")]}
def test_prepare_security_hub_findings_no_audited_regions(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=False)
output_options = self.set_mocked_output_options()
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info()
aws_provider = set_mocked_aws_provider()
assert prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
) == {
@@ -375,16 +375,16 @@ class Test_SecurityHub:
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
def test_batch_send_to_security_hub_one_finding(self):
enabled_regions = [AWS_REGION_EU_WEST_1]
output_options = self.set_mocked_output_options(is_quiet=False)
output_options = self.set_mocked_output_options()
findings = [self.generate_finding("PASS", AWS_REGION_EU_WEST_1)]
audit_info = set_mocked_aws_audit_info(
aws_provider = set_mocked_aws_provider(
audited_regions=[AWS_REGION_EU_WEST_1, AWS_REGION_EU_WEST_2]
)
session = self.set_mocked_session(AWS_REGION_EU_WEST_1)
security_hub_findings = prepare_security_hub_findings(
findings,
audit_info,
aws_provider,
output_options,
enabled_regions,
)
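Review bot: `status: list[str] = []` in set_mocked_output_options is a mutable default argument, so every mocked output_options built without an explicit `status` shares the same list object, and a test that appends to `output_options.status` would silently affect the other tests in this class. Replace it with `status: list[str] | None = None` and assign `output_options.status = status if status is not None else []`. Separately, the three assertions updated to `ClientError -- [64]: ...` and `Exception -- [64]: ...` pin a traceback line number inside the module under test, so any edit above that line in the source will break these tests; matching the message prefix and the boto error text separately, or asserting on the log record's `exc_info`, would be more robust. The enclosing class Test_SecurityHub starts outside this hunk.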
@@ -6,7 +6,7 @@ from tests.providers.aws.utils import (
AWS_ACCOUNT_NUMBER,
AWS_COMMERCIAL_PARTITION,
AWS_REGION_US_EAST_1,
set_mocked_aws_audit_info,
set_mocked_aws_provider,
)
@@ -22,10 +22,10 @@ def mock_generate_regional_clients(provider, service):
"prowler.providers.aws.aws_provider.AwsProvider.generate_regional_clients",
new=mock_generate_regional_clients,
)
class Test_AWSService:
class TestAWSService:
def test_AWSService_init(self):
service_name = "s3"
provider = set_mocked_aws_audit_info()
provider = set_mocked_aws_provider()
service = AWSService(service_name, provider)
assert service.provider == provider
@@ -46,7 +46,7 @@ class Test_AWSService:
def test_AWSService_init_global_service(self):
service_name = "cloudfront"
provider = set_mocked_aws_audit_info()
provider = set_mocked_aws_provider()
service = AWSService(service_name, provider, global_service=True)
assert service.provider == provider
@@ -12,7 +12,6 @@ from tests.providers.aws.utils import AWS_REGION_US_EAST_1, set_mocked_aws_provi
class Test_iam_securityaudit_role_created:
@mock_aws(config={"iam": {"load_aws_managed_policies": True}})
def test_securityaudit_role_created(self):
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
iam = client("iam")
role_name = "test_securityaudit_role_created"
assume_role_policy_document = {
@@ -33,6 +32,8 @@ class Test_iam_securityaudit_role_created:
PolicyArn="arn:aws:iam::aws:policy/SecurityAudit",
)
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=aws_provider,
@@ -17,7 +17,9 @@ from tests.providers.aws.utils import (
class Test_organizations_account_part_of_organizations:
@mock_aws
def test_no_organization(self):
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1], create_default_organization=False
)
with mock.patch(
"prowler.providers.common.common.get_global_provider",
@@ -13,7 +13,9 @@ from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provi
class Test_organizations_delegated_administrators:
@mock_aws
def test_no_organization(self):
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1], create_default_organization=False
)
aws_provider._audit_config = {
"organizations_trusted_delegated_administrators": []
}
@@ -22,7 +22,9 @@ def scp_restrict_regions_with_deny():
class Test_organizations_scp_check_deny_regions:
@mock_aws
def test_no_organization(self):
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1], create_default_organization=False
)
aws_provider._audit_config = {
"organizations_enabled_regions": [AWS_REGION_EU_WEST_1]
}
@@ -26,7 +26,9 @@ class Test_Organizations_Service:
conn = client("organizations", region_name=AWS_REGION_EU_WEST_1)
response = conn.create_organization()
# Mock
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
aws_provider = set_mocked_aws_provider(
[AWS_REGION_EU_WEST_1], create_default_organization=False
)
organizations = Organizations(aws_provider)
# Tests
assert len(organizations.organizations) == 1
@@ -1,6 +1,6 @@
from argparse import Namespace
from boto3 import session
from boto3 import client, session
from botocore.config import Config
from moto import mock_aws
@@ -20,8 +20,6 @@ AWS_REGION_EU_WEST_1 = "eu-west-1"
AWS_REGION_EU_WEST_1_AZA = "eu-west-1a"
AWS_REGION_EU_WEST_1_AZB = "eu-west-1b"
AWS_REGION_EU_WEST_2 = "eu-west-2"
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
AWS_REGION_CN_NORTH_1 = "cn-north-1"
AWS_REGION_EU_SOUTH_2 = "eu-south-2"
AWS_REGION_EU_SOUTH_3 = "eu-south-3"
AWS_REGION_US_WEST_2 = "us-west-2"
@@ -30,7 +28,8 @@ AWS_REGION_EU_CENTRAL_1 = "eu-central-1"
# China Regions
AWS_REGION_CHINA_NORHT_1 = "cn-north-1"
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
AWS_REGION_CN_NORTH_1 = "cn-north-1"
# Gov Cloud Regions
AWS_REGION_GOV_CLOUD_US_EAST_1 = "us-gov-east-1"
@@ -44,37 +43,8 @@ AWS_GOV_CLOUD_PARTITION = "aws-us-gov"
AWS_CHINA_PARTITION = "aws-cn"
AWS_ISO_PARTITION = "aws-iso"
# Commercial Regions
AWS_REGION_US_EAST_1 = "us-east-1"
AWS_REGION_US_EAST_1_AZA = "us-east-1a"
AWS_REGION_US_EAST_1_AZB = "us-east-1b"
AWS_REGION_EU_WEST_1 = "eu-west-1"
AWS_REGION_EU_WEST_1_AZA = "eu-west-1a"
AWS_REGION_EU_WEST_1_AZB = "eu-west-1b"
AWS_REGION_EU_WEST_2 = "eu-west-2"
AWS_REGION_CN_NORTHWEST_1 = "cn-northwest-1"
AWS_REGION_CN_NORTH_1 = "cn-north-1"
AWS_REGION_EU_SOUTH_2 = "eu-south-2"
AWS_REGION_EU_SOUTH_3 = "eu-south-3"
AWS_REGION_US_WEST_2 = "us-west-2"
AWS_REGION_US_EAST_2 = "us-east-2"
AWS_REGION_EU_CENTRAL_1 = "eu-central-1"
# China Regions
AWS_REGION_CHINA_NORHT_1 = "cn-north-1"
# Gov Cloud Regions
AWS_REGION_GOV_CLOUD_US_EAST_1 = "us-gov-east-1"
# Iso Regions
AWS_REGION_ISO_GLOBAL = "aws-iso-global"
# AWS Partitions
AWS_COMMERCIAL_PARTITION = "aws"
AWS_GOV_CLOUD_PARTITION = "aws-us-gov"
AWS_CHINA_PARTITION = "aws-cn"
AWS_ISO_PARTITION = "aws-iso"
# EC2
EXAMPLE_AMI_ID = "ami-12c6146b"
# Mocked AWS Provider
@@ -89,16 +59,28 @@ def set_mocked_aws_provider(
profile_region: str = None,
audit_config: dict = {},
ignore_unused_services: bool = False,
# assumed_role_info: AWSAssumeRole = None,
audit_session: session.Session = session.Session(
profile_name=None,
botocore_session=None,
),
original_session: session.Session = None,
enabled_regions: set = None,
arguments: Namespace = Namespace(),
create_default_organization: bool = True,
) -> AwsProvider:
# Create default AWS Provider
provider = AwsProvider(Namespace())
if create_default_organization:
# Create default AWS Organization
create_default_aws_organization()
# Default arguments
arguments = set_default_provider_arguments(arguments)
# AWS Provider
provider = AwsProvider(arguments)
# Output options
provider.output_options = arguments, {}
# Mock Session
provider._session.session_config = None
provider._session.original_session = original_session
@@ -130,3 +112,36 @@ def set_mocked_aws_provider(
)
return provider
def set_default_provider_arguments(arguments: Namespace) -> Namespace:
arguments.status = []
arguments.output_modes = []
arguments.output_directory = ""
arguments.verbose = False
arguments.only_logs = False
arguments.unix_timestamp = False
arguments.shodan = None
arguments.security_hub = False
arguments.send_sh_only_fails = False
return arguments
@mock_aws
def create_default_aws_organization():
# Create default AWS Organization
organizations_client = client("organizations", region_name=AWS_REGION_US_EAST_1)
mockname = "mock-account"
mockdomain = "moto-example.org"
mockemail = "@".join([mockname, mockdomain])
_ = organizations_client.create_organization(FeatureSet="ALL")["Organization"]["Id"]
account_id = organizations_client.create_account(
AccountName=mockname, Email=mockemail
)["CreateAccountStatus"]["AccountId"]
_ = organizations_client.tag_resource(
ResourceId=account_id, Tags=[{"Key": "test", "Value": "aws-provider"}]
)
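Review bot: The new `arguments: Namespace = Namespace()` default in set_mocked_aws_provider is evaluated once at import and is then mutated in place by `set_default_provider_arguments(arguments)`, so every call that omits `arguments` shares one Namespace object, and that same object is handed to `provider.output_options = arguments, {}` for each provider built this way; the kept `audit_config: dict = {}` and the `session.Session(...)` default have the same shared-instance property. Use `arguments: Namespace = None,` in the signature followed by `if arguments is None:` / `arguments = Namespace()` before the defaults are applied (and likewise `audit_config: dict = None`). create_default_aws_organization carries its own `@mock_aws`; if it is ever called outside an active mock context, the organization it creates is discarded when the decorator exits, so the helper presumably relies on the calling test already being decorated — a comment such as `# Must run inside a test already under @mock_aws so the organization persists for the provider` would make that contract explicit. The `def set_mocked_aws_provider(` line itself is outside the first hunk.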
@@ -1,14 +1,13 @@
from uuid import uuid4
from azure.identity import DefaultAzureCredential
from mock import MagicMock
from prowler.providers.azure.lib.audit_info.models import (
Azure_Audit_Info,
Azure_Identity_Info,
Azure_Region_Config,
)
from prowler.providers.azure.azure_provider import AzureProvider
from prowler.providers.azure.models import AzureIdentityInfo, AzureRegionConfig
AZURE_SUBSCRIPTION = str(uuid4())
AZURE_SUBSCRIPTION_ID = str(uuid4())
AZURE_SUBSCRIPTION_NAME = "Subscription Name"
# Azure Identity
IDENTITY_ID = "00000000-0000-0000-0000-000000000000"
@@ -18,26 +17,26 @@ DOMAIN = "user.onmicrosoft.com"
# Mocked Azure Audit Info
def set_mocked_azure_audit_info(
def set_mocked_azure_provider(
credentials: DefaultAzureCredential = DefaultAzureCredential(),
identity: Azure_Identity_Info = Azure_Identity_Info(
identity: AzureIdentityInfo = AzureIdentityInfo(
identity_id=IDENTITY_ID,
identity_type=IDENTITY_TYPE,
tenant_ids=TENANT_IDS,
domain=DOMAIN,
subscriptions={AZURE_SUBSCRIPTION: "id_subscription"},
subscriptions={AZURE_SUBSCRIPTION_ID: AZURE_SUBSCRIPTION_NAME},
),
audit_config: dict = None,
azure_region_config: Azure_Region_Config = Azure_Region_Config(),
azure_region_config: AzureRegionConfig = AzureRegionConfig(),
locations: list = None,
):
audit_info = Azure_Audit_Info(
credentials=credentials,
identity=identity,
audit_metadata=None,
audit_resources=None,
audit_config=audit_config,
azure_region_config=azure_region_config,
locations=locations,
)
return audit_info
) -> AzureProvider:
provider = MagicMock()
provider.type = "azure"
provider.session.credentials = credentials
provider.identity.locations = locations
provider.identity = identity
provider.audit_config = audit_config
provider.region_config = azure_region_config
return provider
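Review bot: In set_mocked_azure_provider the new `provider.identity.locations = locations` line runs before `provider.identity = identity`, so the assignment lands on the MagicMock's auto-created attribute and is thrown away when `identity` replaces it; the `locations` parameter therefore never reaches the returned provider. Swap the two lines — `provider.identity = identity` and then `provider.identity.locations = locations` — assuming AzureIdentityInfo permits attribute assignment, which should be confirmed against the model. The function is also annotated `-> AzureProvider` but returns a MagicMock; either document in the docstring that it is a mock shaped like AzureProvider or drop the misleading return annotation so callers and type checkers are not misled.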
@@ -0,0 +1,214 @@
from argparse import Namespace
from datetime import datetime
from os import rmdir
import pytest
from azure.identity import DefaultAzureCredential
from freezegun import freeze_time
from mock import patch
from prowler.config.config import default_config_file_path
from prowler.providers.azure.azure_provider import AzureProvider
from prowler.providers.azure.models import (
AzureIdentityInfo,
AzureOutputOptions,
AzureRegionConfig,
)
class TestAzureProvider:
def test_azure_provider(self):
arguments = Namespace()
arguments.subscription_ids = None
arguments.tenant_id = None
# We need to set exactly one auth method
arguments.az_cli_auth = True
arguments.sp_env_auth = None
arguments.browser_auth = None
arguments.managed_identity_auth = None
arguments.config_file = default_config_file_path
arguments.azure_region = "AzureCloud"
with patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
return_value=AzureIdentityInfo(),
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
return_value={},
):
azure_provider = AzureProvider(arguments)
assert azure_provider.region_config == AzureRegionConfig(
name="AzureCloud",
authority=None,
base_url="https://management.azure.com",
credential_scopes=["https://management.azure.com/.default"],
)
assert isinstance(azure_provider.session, DefaultAzureCredential)
assert azure_provider.identity == AzureIdentityInfo(
identity_id="",
identity_type="",
tenant_ids=[],
tenant_domain="Unknown tenant domain (missing AAD permissions)",
subscriptions={},
locations={},
)
assert azure_provider.audit_config == {
"shodan_api_key": None,
"php_latest_version": "8.2",
"python_latest_version": "3.12",
"java_latest_version": "17",
}
def test_azure_provider_not_auth_methods(self):
arguments = Namespace()
arguments.subscription_ids = None
arguments.tenant_id = None
# We need to set exactly one auth method
arguments.az_cli_auth = None
arguments.sp_env_auth = None
arguments.browser_auth = None
arguments.managed_identity_auth = None
arguments.config_file = default_config_file_path
arguments.azure_region = "AzureCloud"
with patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
return_value=AzureIdentityInfo(),
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
return_value={},
):
with pytest.raises(SystemExit) as exception:
_ = AzureProvider(arguments)
assert exception.type == SystemExit
assert (
exception.value.args[0]
== "Azure provider requires at least one authentication method set: [--az-cli-auth | --sp-env-auth | --browser-auth | --managed-identity-auth]"
)
def test_azure_provider_browser_auth_but_not_tenant_id(self):
arguments = Namespace()
arguments.subscription_ids = None
arguments.tenant_id = None
# We need to set exactly one auth method
arguments.az_cli_auth = None
arguments.sp_env_auth = None
arguments.browser_auth = True
arguments.managed_identity_auth = None
arguments.config_file = default_config_file_path
arguments.azure_region = "AzureCloud"
with patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
return_value=AzureIdentityInfo(),
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
return_value={},
):
with pytest.raises(SystemExit) as exception:
_ = AzureProvider(arguments)
assert exception.type == SystemExit
assert (
exception.value.args[0]
== "Azure Tenant ID (--tenant-id) is required for browser authentication mode"
)
def test_azure_provider_not_browser_auth_but_tenant_id(self):
arguments = Namespace()
arguments.subscription_ids = None
arguments.tenant_id = "test-tenant-id"
# We need to set exactly one auth method
arguments.az_cli_auth = None
arguments.sp_env_auth = None
arguments.browser_auth = False
arguments.managed_identity_auth = None
arguments.config_file = default_config_file_path
arguments.azure_region = "AzureCloud"
with patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
return_value=AzureIdentityInfo(),
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
return_value={},
):
with pytest.raises(SystemExit) as exception:
_ = AzureProvider(arguments)
assert exception.type == SystemExit
assert (
exception.value.args[0]
== "Azure provider requires at least one authentication method set: [--az-cli-auth | --sp-env-auth | --browser-auth | --managed-identity-auth]"
)
@freeze_time(datetime.today())
def test_azure_provider_output_options_with_domain(self):
arguments = Namespace()
arguments.subscription_ids = None
arguments.tenant_id = None
# We need to set exactly one auth method
arguments.az_cli_auth = None
arguments.sp_env_auth = True
arguments.browser_auth = None
arguments.managed_identity_auth = None
arguments.config_file = default_config_file_path
arguments.azure_region = "AzureCloud"
# Output Options
arguments.output_modes = ["csv"]
arguments.output_directory = "output_test_directory"
arguments.status = []
arguments.verbose = True
arguments.only_logs = False
arguments.unix_timestamp = False
arguments.shodan = "test-api-key"
tenant_domain = "test-domain"
with patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_identity",
return_value=AzureIdentityInfo(tenant_domain=tenant_domain),
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.get_locations",
return_value={},
), patch(
"prowler.providers.azure.azure_provider.AzureProvider.setup_session",
return_value=DefaultAzureCredential(),
):
azure_provider = AzureProvider(arguments)
azure_provider.output_options = arguments, {}
assert isinstance(azure_provider.output_options, AzureOutputOptions)
assert azure_provider.output_options.status == []
assert azure_provider.output_options.output_modes == [
"csv",
]
assert (
azure_provider.output_options.output_directory
== arguments.output_directory
)
assert azure_provider.output_options.bulk_checks_metadata == {}
assert azure_provider.output_options.verbose
# Flaky due to the millisecond part of the timestamp
# assert (
# azure_provider.output_options.output_filename
# == f"prowler-output-{azure_provider.identity.tenant_domain}-{datetime.today().strftime('%Y%m%d%H%M%S')}"
# )
assert (
f"prowler-output-{azure_provider.identity.tenant_domain}"
in azure_provider.output_options.output_filename
)
# Delete testing directory
# TODO: move this to a fixtures file
rmdir(f"{arguments.output_directory}/compliance")
rmdir(arguments.output_directory)
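Review bot: test_azure_provider_output_options_with_domain cleans up `output_test_directory` with two trailing `rmdir` calls instead of a fixture, so a failing assertion above them leaves the directory and its `compliance` subdirectory in the working tree, and `rmdir` itself raises if the provider wrote anything else there. Use pytest's built-in `tmp_path` fixture: `def test_azure_provider_output_options_with_domain(self, tmp_path):` and `arguments.output_directory = str(tmp_path / "output_test_directory")`, then drop the two `rmdir` lines. Separately, test_azure_provider asserts the exact contents of `audit_config` loaded from `default_config_file_path` (`php_latest_version`, `python_latest_version`, `java_latest_version`), so every update to the shipped default config will break this test; asserting only on the keys the provider is responsible for, or pointing `config_file` at a test fixture, would be more stable. The name test_azure_provider_not_browser_auth_but_tenant_id suggests the tenant-id-without-browser-auth case, but with every auth flag unset it only exercises the no-auth-method error that the previous test already covers.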
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.aks.aks_service import Cluster
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_aks_cluster_rbac_enabled:
@@ -11,6 +14,9 @@ class Test_aks_cluster_rbac_enabled:
aks_client.clusters = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
new=aks_client,
):
@@ -24,9 +30,12 @@ class Test_aks_cluster_rbac_enabled:
def test_aks_subscription_empty(self):
aks_client = mock.MagicMock
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
new=aks_client,
):
@@ -42,7 +51,7 @@ class Test_aks_cluster_rbac_enabled:
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -55,6 +64,9 @@ class Test_aks_cluster_rbac_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
new=aks_client,
):
@@ -68,17 +80,17 @@ class Test_aks_cluster_rbac_enabled:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"RBAC is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
== f"RBAC is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "cluster_name"
assert result[0].resource_id == cluster_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_rbac_not_enabled(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -91,6 +103,9 @@ class Test_aks_cluster_rbac_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_cluster_rbac_enabled.aks_cluster_rbac_enabled.aks_client",
new=aks_client,
):
@@ -104,8 +119,8 @@ class Test_aks_cluster_rbac_enabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"RBAC is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
== f"RBAC is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "cluster_name"
assert result[0].resource_id == cluster_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.aks.aks_service import Cluster
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_aks_clusters_created_with_private_nodes:
@@ -11,6 +14,9 @@ class Test_aks_clusters_created_with_private_nodes:
aks_client.clusters = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
new=aks_client,
):
@@ -24,9 +30,12 @@ class Test_aks_clusters_created_with_private_nodes:
def test_aks_subscription_empty(self):
aks_client = mock.MagicMock
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
new=aks_client,
):
@@ -42,7 +51,7 @@ class Test_aks_clusters_created_with_private_nodes:
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -55,6 +64,9 @@ class Test_aks_clusters_created_with_private_nodes:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
new=aks_client,
):
@@ -68,17 +80,17 @@ class Test_aks_clusters_created_with_private_nodes:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_cluster_private_nodes(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -91,6 +103,9 @@ class Test_aks_clusters_created_with_private_nodes:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
new=aks_client,
):
@@ -104,17 +119,17 @@ class Test_aks_clusters_created_with_private_nodes:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Cluster 'cluster_name' was created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
== f"Cluster 'cluster_name' was created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_cluster_public_and_private_nodes(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -131,6 +146,9 @@ class Test_aks_clusters_created_with_private_nodes:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_created_with_private_nodes.aks_clusters_created_with_private_nodes.aks_client",
new=aks_client,
):
@@ -144,8 +162,8 @@ class Test_aks_clusters_created_with_private_nodes:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION}'"
== f"Cluster 'cluster_name' was not created with private nodes in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.aks.aks_service import Cluster
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_aks_clusters_public_access_disabled:
@@ -11,6 +14,9 @@ class Test_aks_clusters_public_access_disabled:
aks_client.clusters = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
new=aks_client,
):
@@ -24,9 +30,12 @@ class Test_aks_clusters_public_access_disabled:
def test_aks_subscription_empty(self):
aks_client = mock.MagicMock
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
new=aks_client,
):
@@ -42,7 +51,7 @@ class Test_aks_clusters_public_access_disabled:
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -55,6 +64,9 @@ class Test_aks_clusters_public_access_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
new=aks_client,
):
@@ -68,17 +80,17 @@ class Test_aks_clusters_public_access_disabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_cluster_private_fqdn(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -91,6 +103,9 @@ class Test_aks_clusters_public_access_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
new=aks_client,
):
@@ -104,17 +119,17 @@ class Test_aks_clusters_public_access_disabled:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Public access to nodes is disabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
== f"Public access to nodes is disabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_cluster_private_fqdn_with_public_ip(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -127,6 +142,9 @@ class Test_aks_clusters_public_access_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_clusters_public_access_disabled.aks_clusters_public_access_disabled.aks_client",
new=aks_client,
):
@@ -140,8 +158,8 @@ class Test_aks_clusters_public_access_disabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'"
== f"Public access to nodes is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'"
)
assert result[0].resource_id == cluster_id
assert result[0].resource_name == "cluster_name"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
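Review bot: The new `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` pair is pasted verbatim into every test method of this class, and the same pattern repeats in Test_aks_network_policy_enabled, Test_app_client_certificates_on, Test_app_ensure_auth_is_set_up, Test_app_ensure_http_is_redirected_to_https, Test_app_ensure_java_version_is_latest and Test_app_ensure_php_version_is_latest below, so any later change to how the provider is mocked means editing dozens of `with` blocks. Expressing it once per class, for example a `setup_method` that starts the patcher (stopped in `teardown_method`) or a class-level `@mock.patch(...)` decorator, would keep each test body down to the client patch and the assertions. Separately, the surrounding `aks_client = mock.MagicMock` (no parentheses) binds the MagicMock class itself, so `aks_client.clusters = {...}` sets a class attribute that is visible to every later test in the same process; `aks_client = mock.MagicMock()` would give each test its own isolated fixture. The enclosing test methods begin and end outside the hunks shown.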
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.aks.aks_service import Cluster
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_aks_network_policy_enabled:
@@ -11,6 +14,9 @@ class Test_aks_network_policy_enabled:
aks_client.clusters = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
new=aks_client,
):
@@ -24,9 +30,12 @@ class Test_aks_network_policy_enabled:
def test_aks_subscription_empty(self):
aks_client = mock.MagicMock
aks_client.clusters = {AZURE_SUBSCRIPTION: {}}
aks_client.clusters = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
new=aks_client,
):
@@ -42,7 +51,7 @@ class Test_aks_network_policy_enabled:
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -55,6 +64,9 @@ class Test_aks_network_policy_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
new=aks_client,
):
@@ -68,17 +80,17 @@ class Test_aks_network_policy_enabled:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Network policy is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Network policy is enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "cluster_name"
assert result[0].resource_id == cluster_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_aks_network_policy_disabled(self):
aks_client = mock.MagicMock
cluster_id = str(uuid4())
aks_client.clusters = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
cluster_id: Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -91,6 +103,9 @@ class Test_aks_network_policy_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.aks.aks_network_policy_enabled.aks_network_policy_enabled.aks_client",
new=aks_client,
):
@@ -104,8 +119,8 @@ class Test_aks_network_policy_enabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Network policy is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Network policy is not enabled for cluster 'cluster_name' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "cluster_name"
assert result[0].resource_id == cluster_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,14 +2,14 @@ from unittest.mock import patch
from prowler.providers.azure.services.aks.aks_service import AKS, Cluster
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
def mock_aks_get_clusters(_):
return {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"cluster_id-1": Cluster(
name="cluster_name",
public_fqdn="public_fqdn",
@@ -28,33 +28,36 @@ def mock_aks_get_clusters(_):
)
class Test_AppInsights_Service:
def test__get_client__(self):
aks = AKS(set_mocked_azure_audit_info())
aks = AKS(set_mocked_azure_provider())
assert (
aks.clients[AZURE_SUBSCRIPTION].__class__.__name__
aks.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
== "ContainerServiceClient"
)
def test__get_subscriptions__(self):
aks = AKS(set_mocked_azure_audit_info())
aks = AKS(set_mocked_azure_provider())
assert aks.subscriptions.__class__.__name__ == "dict"
def test__get_components__(self):
aks = AKS(set_mocked_azure_audit_info())
aks = AKS(set_mocked_azure_provider())
assert len(aks.clusters) == 1
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].name == "cluster_name"
assert (
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].public_fqdn
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].name == "cluster_name"
)
assert (
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].public_fqdn
== "public_fqdn"
)
assert (
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].private_fqdn
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].private_fqdn
== "private_fqdn"
)
assert (
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].network_policy
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].network_policy
== "network_policy"
)
assert (
aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].agent_pool_profiles == []
aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].agent_pool_profiles
== []
)
assert aks.clusters[AZURE_SUBSCRIPTION]["cluster_id-1"].rbac_enabled
assert aks.clusters[AZURE_SUBSCRIPTION_ID]["cluster_id-1"].rbac_enabled
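Review bot: The class under this hunk is still named `Test_AppInsights_Service` although every test in it constructs `AKS(set_mocked_azure_provider())` and asserts on AKS clusters, which makes the test report misleading when it fails; renaming it `class Test_AKS_Service:` while the file is being touched would fix that. The `test__get_subscriptions__` assertion `assert aks.subscriptions.__class__.__name__ == "dict"` only checks the type, so it would not catch the mocked provider's subscription not being present; asserting `AZURE_SUBSCRIPTION_ID in aks.subscriptions` would pin the behaviour the other tests rely on. The class appears to end at the hunk's last line, but the file may continue beyond it.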
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_client_certificates_on:
@@ -11,6 +14,9 @@ class Test_app_client_certificates_on:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_client_certificates_on:
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_client_certificates_on:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_client_certificates_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_client_certificates_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Clients are required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Clients are required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_client_certificates_off(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_client_certificates_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_client_certificates_on.app_client_certificates_on.app_client",
new=app_client,
):
@@ -104,8 +119,8 @@ class Test_app_client_certificates_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Clients are not required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Clients are not required to present a certificate for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_auth_is_set_up:
@@ -11,6 +14,9 @@ class Test_app_ensure_auth_is_set_up:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_auth_is_set_up:
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_auth_is_set_up:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_auth_is_set_up:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_ensure_auth_is_set_up:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Authentication is set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Authentication is set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_auth_disabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=False,
@@ -91,6 +103,9 @@ class Test_app_ensure_auth_is_set_up:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_auth_is_set_up.app_ensure_auth_is_set_up.app_client",
new=app_client,
):
@@ -104,8 +119,8 @@ class Test_app_ensure_auth_is_set_up:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Authentication is not set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Authentication is not set up for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_http_is_redirected_to_https:
@@ -11,6 +14,9 @@ class Test_app_ensure_http_is_redirected_to_https:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_http_is_redirected_to_https:
def test_app_subscriptions_empty_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_http_is_redirected_to_https:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_http_is_redirected_to_https:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_ensure_http_is_redirected_to_https:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP is not redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"HTTP is not redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_http_to_https_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_ensure_http_is_redirected_to_https:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_http_is_redirected_to_https.app_ensure_http_is_redirected_to_https.app_client",
new=app_client,
):
@@ -104,8 +119,8 @@ class Test_app_ensure_http_is_redirected_to_https:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"HTTP is redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"HTTP is redirected to HTTPS for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_name == "app_id-1"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_java_version_is_latest:
@@ -11,6 +14,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_java_version_is_latest:
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_java_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_java_version_is_latest:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -70,7 +82,7 @@ class Test_app_ensure_java_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -87,6 +99,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -100,17 +115,17 @@ class Test_app_ensure_java_version_is_latest:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_linux_java_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -127,6 +142,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -140,17 +158,17 @@ class Test_app_ensure_java_version_is_latest:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Java version is set to 'Tomcat|9.0-java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Java version is set to 'Tomcat|9.0-java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_windows_java_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -167,6 +185,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -180,17 +201,17 @@ class Test_app_ensure_java_version_is_latest:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Java version is set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_windows_java_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -207,6 +228,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -220,17 +244,17 @@ class Test_app_ensure_java_version_is_latest:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Java version is set to 'java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Java version is set to 'java11', but should be set to 'java 17' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_linux_php_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -247,6 +271,9 @@ class Test_app_ensure_java_version_is_latest:
app_client.audit_config = {"java_latest_version": "17"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_java_version_is_latest.app_ensure_java_version_is_latest.app_client",
new=app_client,
):
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_php_version_is_latest:
@@ -11,6 +14,9 @@ class Test_app_ensure_php_version_is_latest:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_php_version_is_latest:
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_php_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_php_version_is_latest:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
@@ -70,7 +82,7 @@ class Test_app_ensure_php_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -85,6 +97,9 @@ class Test_app_ensure_php_version_is_latest:
app_client.audit_config = {"php_latest_version": "8.2"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
@@ -98,17 +113,17 @@ class Test_app_ensure_php_version_is_latest:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"PHP version is set to 'php|8.0', the latest version that you could use is the '8.2' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"PHP version is set to 'php|8.0', the latest version that you could use is the '8.2' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_php_version_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -123,6 +138,9 @@ class Test_app_ensure_php_version_is_latest:
app_client.audit_config = {"php_latest_version": "8.2"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_php_version_is_latest.app_ensure_php_version_is_latest.app_client",
new=app_client,
):
@@ -136,8 +154,8 @@ class Test_app_ensure_php_version_is_latest:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"PHP version is set to '8.2' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"PHP version is set to '8.2' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_python_version_is_latest:
@@ -11,6 +14,9 @@ class Test_app_ensure_python_version_is_latest:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_python_version_is_latest:
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_python_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_python_version_is_latest:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
@@ -70,7 +82,7 @@ class Test_app_ensure_python_version_is_latest:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -85,6 +97,9 @@ class Test_app_ensure_python_version_is_latest:
app_client.audit_config = {"python_latest_version": "3.12"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
@@ -98,17 +113,17 @@ class Test_app_ensure_python_version_is_latest:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Python version is set to '3.12' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Python version is set to '3.12' for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_python_version_not_latest(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -123,6 +138,9 @@ class Test_app_ensure_python_version_is_latest:
app_client.audit_config = {"python_latest_version": "3.12"}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_python_version_is_latest.app_ensure_python_version_is_latest.app_client",
new=app_client,
):
@@ -136,8 +154,8 @@ class Test_app_ensure_python_version_is_latest:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Python version is 'python|3.10', the latest version that you could use is the '3.12' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Python version is 'python|3.10', the latest version that you could use is the '3.12' version, for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
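Review bot: Every test method here still binds `app_client = mock.MagicMock` (the class, not an instance) and then assigns `app_client.apps` and, in the version tests, `app_client.audit_config` on it, so those values are written onto `mock.MagicMock` itself and persist for every later test in the session rather than being scoped to one test. Since the commit already rewrites the patching block in each method, `app_client = mock.MagicMock()` on those lines would give each test its own object at no extra cost. The same pattern is visible in Test_app_ensure_using_http20, Test_app_ftp_deployment_disabled, Test_app_minimum_tls_version_12, Test_app_register_with_identity and Test_appinsights_ensure_is_configured. Separately, the newly added `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` is repeated verbatim in every method of every file; a class-scoped autouse fixture or a module-level helper returning the patcher would keep each test to the lines that actually differ.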
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ensure_using_http20:
@@ -11,6 +14,9 @@ class Test_app_ensure_using_http20:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ensure_using_http20:
def test_app_subscription_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ensure_using_http20:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ensure_using_http20:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_ensure_using_http20:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_http20_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_ensure_using_http20:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
@@ -104,17 +119,17 @@ class Test_app_ensure_using_http20:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"HTTP/2.0 is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"HTTP/2.0 is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_http20_not_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -127,6 +142,9 @@ class Test_app_ensure_using_http20:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ensure_using_http20.app_ensure_using_http20.app_client",
new=app_client,
):
@@ -140,8 +158,8 @@ class Test_app_ensure_using_http20:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"HTTP/2.0 is not enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_ftp_deployment_disabled:
@@ -11,6 +14,9 @@ class Test_app_ftp_deployment_disabled:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_ftp_deployment_disabled:
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_ftp_deployment_disabled:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_ftp_deployment_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_ftp_deployment_disabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_ftp_deployment_disabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_ftp_deployment_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
@@ -104,17 +119,17 @@ class Test_app_ftp_deployment_disabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"FTP is enabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_ftp_deploy_enabled(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -127,6 +142,9 @@ class Test_app_ftp_deployment_disabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_ftp_deployment_disabled.app_ftp_deployment_disabled.app_client",
new=app_client,
):
@@ -140,8 +158,8 @@ class Test_app_ftp_deployment_disabled:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"FTP is disabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"FTP is disabled for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_minimum_tls_version_12:
@@ -11,6 +14,9 @@ class Test_app_minimum_tls_version_12:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_minimum_tls_version_12:
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_minimum_tls_version_12:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_minimum_tls_version_12:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_minimum_tls_version_12:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_min_tls_version_12(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_minimum_tls_version_12:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
@@ -104,17 +119,17 @@ class Test_app_minimum_tls_version_12:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Minimum TLS version is set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Minimum TLS version is set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_min_tls_version_10(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=False,
@@ -127,6 +142,9 @@ class Test_app_minimum_tls_version_12:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_minimum_tls_version_12.app_minimum_tls_version_12.app_client",
new=app_client,
):
@@ -140,8 +158,8 @@ class Test_app_minimum_tls_version_12:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}'."
== f"Minimum TLS version is not set to 1.2 for app 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.app.app_service import WebApp
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_app_register_with_identity:
@@ -11,6 +14,9 @@ class Test_app_register_with_identity:
app_client.apps = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
@@ -24,9 +30,12 @@ class Test_app_register_with_identity:
def test_app_subscriptions_empty(self):
app_client = mock.MagicMock
app_client.apps = {AZURE_SUBSCRIPTION: {}}
app_client.apps = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
@@ -42,7 +51,7 @@ class Test_app_register_with_identity:
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -55,6 +64,9 @@ class Test_app_register_with_identity:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
@@ -68,17 +80,17 @@ class Test_app_register_with_identity:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' does not have an identity configured."
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}' does not have an identity configured."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_app_identity(self):
resource_id = f"/subscriptions/{uuid4()}"
app_client = mock.MagicMock
app_client.apps = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id=resource_id,
auth_enabled=True,
@@ -91,6 +103,9 @@ class Test_app_register_with_identity:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.app.app_register_with_identity.app_register_with_identity.app_client",
new=app_client,
):
@@ -104,8 +119,8 @@ class Test_app_register_with_identity:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION}' has an identity configured."
== f"App 'app_id-1' in subscription '{AZURE_SUBSCRIPTION_ID}' has an identity configured."
)
assert result[0].resource_id == resource_id
assert result[0].resource_name == "app_id-1"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
@@ -4,14 +4,14 @@ from azure.mgmt.web.models import ManagedServiceIdentity, SiteConfigResource
from prowler.providers.azure.services.app.app_service import App, WebApp
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
def mock_app_get_apps(self):
return {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": WebApp(
resource_id="/subscriptions/resource_id",
configurations=SiteConfigResource(),
@@ -30,42 +30,42 @@ def mock_app_get_apps(self):
)
class Test_App_Service:
def test__get_client__(self):
app_service = App(set_mocked_azure_audit_info())
app_service = App(set_mocked_azure_provider())
assert (
app_service.clients[AZURE_SUBSCRIPTION].__class__.__name__
app_service.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
== "WebSiteManagementClient"
)
def test__get_subscriptions__(self):
app_service = App(set_mocked_azure_audit_info())
app_service = App(set_mocked_azure_provider())
assert app_service.subscriptions.__class__.__name__ == "dict"
def test__get_apps__(self):
app_service = App(set_mocked_azure_audit_info())
app_service = App(set_mocked_azure_provider())
assert len(app_service.apps) == 1
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].resource_id
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_id
== "/subscriptions/resource_id"
)
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].auth_enabled
assert app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].auth_enabled
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].client_cert_mode
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].client_cert_mode
== "Required"
)
assert app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].https_only
assert app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].https_only
assert (
app_service.apps[AZURE_SUBSCRIPTION]["app_id-1"].identity.type
app_service.apps[AZURE_SUBSCRIPTION_ID]["app_id-1"].identity.type
== "SystemAssigned"
)
assert (
app_service.apps[AZURE_SUBSCRIPTION][
app_service.apps[AZURE_SUBSCRIPTION_ID][
"app_id-1"
].configurations.__class__.__name__
== "SiteConfigResource"
)
def test__get_client_cert_mode__(self):
app_service = App(set_mocked_azure_audit_info())
app_service = App(set_mocked_azure_provider())
assert (
app_service.__get_client_cert_mode__(False, "OptionalInteractiveUser")
== "Ignore"
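Review bot: The renamed assertion in `test__get_client__` still identifies the client by string comparison, `app_service.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__ == "WebSiteManagementClient"`, and `test__get_subscriptions__` does the same with `== "dict"`; an `isinstance` check against the client class and `isinstance(app_service.subscriptions, dict)` would fail with a clearer message and survive subclassing. Test_AppInsights_Service has the same two string comparisons. `test__get_client_cert_mode__` continues past the end of this hunk.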
@@ -1,7 +1,10 @@
from unittest import mock
from prowler.providers.azure.services.appinsights.appinsights_service import Component
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_appinsights_ensure_is_configured:
@@ -10,6 +13,9 @@ class Test_appinsights_ensure_is_configured:
appinsights_client.components = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
new=appinsights_client,
):
@@ -23,9 +29,12 @@ class Test_appinsights_ensure_is_configured:
def test_no_appinsights(self):
appinsights_client = mock.MagicMock
appinsights_client.components = {AZURE_SUBSCRIPTION: {}}
appinsights_client.components = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
new=appinsights_client,
):
@@ -36,19 +45,19 @@ class Test_appinsights_ensure_is_configured:
check = appinsights_ensure_is_configured()
result = check.execute()
assert len(result) == 1
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].status == "FAIL"
assert result[0].resource_id == "AppInsights"
assert result[0].resource_name == "AppInsights"
assert (
result[0].status_extended
== f"There are no AppInsight configured in susbscription {AZURE_SUBSCRIPTION}."
== f"There are no AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."
)
def test_appinsights_configured(self):
appinsights_client = mock.MagicMock
appinsights_client.components = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": Component(
resource_id="/subscriptions/resource_id",
resource_name="AppInsightsTest",
@@ -57,6 +66,9 @@ class Test_appinsights_ensure_is_configured:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.appinsights.appinsights_ensure_is_configured.appinsights_ensure_is_configured.appinsights_client",
new=appinsights_client,
):
@@ -67,11 +79,11 @@ class Test_appinsights_ensure_is_configured:
check = appinsights_ensure_is_configured()
result = check.execute()
assert len(result) == 1
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].status == "PASS"
assert result[0].resource_id == "AppInsights"
assert result[0].resource_name == "AppInsights"
assert (
result[0].status_extended
== f"There is at least one AppInsight configured in susbscription {AZURE_SUBSCRIPTION}."
== f"There is at least one AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."
)
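Review bot: The two updated expected messages, `f"There are no AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."` and `f"There is at least one AppInsight configured in susbscription {AZURE_SUBSCRIPTION_ID}."`, still carry the misspelling "susbscription", and because the assertion compares against the check's `status_extended` the same misspelling is presumably in the check's own message. Correcting it means changing the check's string and these two expected strings to "subscription" in one change, otherwise the tests keep pinning the typo. This is a good moment to do it since both lines are already being rewritten for the fixture rename.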
@@ -5,14 +5,14 @@ from prowler.providers.azure.services.appinsights.appinsights_service import (
Component,
)
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
def mock_appinsights_get_components(_):
return {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"app_id-1": Component(
resource_id="/subscriptions/resource_id",
resource_name="AppInsightsTest",
@@ -27,24 +27,24 @@ def mock_appinsights_get_components(_):
)
class Test_AppInsights_Service:
def test__get_client__(self):
app_insights = AppInsights(set_mocked_azure_audit_info())
app_insights = AppInsights(set_mocked_azure_provider())
assert (
app_insights.clients[AZURE_SUBSCRIPTION].__class__.__name__
app_insights.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
== "ApplicationInsightsManagementClient"
)
def test__get_subscriptions__(self):
app_insights = AppInsights(set_mocked_azure_audit_info())
app_insights = AppInsights(set_mocked_azure_provider())
assert app_insights.subscriptions.__class__.__name__ == "dict"
def test__get_components__(self):
appinsights = AppInsights(set_mocked_azure_audit_info())
appinsights = AppInsights(set_mocked_azure_provider())
assert len(appinsights.components) == 1
assert (
appinsights.components[AZURE_SUBSCRIPTION]["app_id-1"].resource_id
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_id
== "/subscriptions/resource_id"
)
assert (
appinsights.components[AZURE_SUBSCRIPTION]["app_id-1"].resource_name
appinsights.components[AZURE_SUBSCRIPTION_ID]["app_id-1"].resource_name
== "AppInsightsTest"
)
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_cosmosdb_account_firewall_use_selected_networks:
@@ -11,6 +14,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
cosmosdb_client.accounts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
new=cosmosdb_client,
):
@@ -27,7 +33,7 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -42,6 +48,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
new=cosmosdb_client,
):
@@ -55,9 +64,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} has firewall rules that allow access from all networks."
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} has firewall rules that allow access from all networks."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
@@ -66,7 +75,7 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -81,6 +90,9 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_firewall_use_selected_networks.cosmosdb_account_firewall_use_selected_networks.cosmosdb_client",
new=cosmosdb_client,
):
@@ -94,8 +106,8 @@ class Test_cosmosdb_account_firewall_use_selected_networks:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} has firewall rules that allow access only from selected networks."
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} has firewall rules that allow access only from selected networks."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_cosmosdb_account_use_aad_and_rbac:
@@ -11,6 +14,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
cosmosdb_client.accounts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
new=cosmosdb_client,
):
@@ -27,7 +33,7 @@ class Test_cosmosdb_account_use_aad_and_rbac:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -43,6 +49,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
new=cosmosdb_client,
):
@@ -56,9 +65,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is not using AAD and RBAC"
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is not using AAD and RBAC"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
@@ -67,7 +76,7 @@ class Test_cosmosdb_account_use_aad_and_rbac:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -83,6 +92,9 @@ class Test_cosmosdb_account_use_aad_and_rbac:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_aad_and_rbac.cosmosdb_account_use_aad_and_rbac.cosmosdb_client",
new=cosmosdb_client,
):
@@ -96,8 +108,8 @@ class Test_cosmosdb_account_use_aad_and_rbac:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is using AAD and RBAC"
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is using AAD and RBAC"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
@@ -4,7 +4,10 @@ from uuid import uuid4
from azure.mgmt.cosmosdb.models import PrivateEndpointConnection
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_cosmosdb_account_use_private_endpoints:
@@ -13,6 +16,9 @@ class Test_cosmosdb_account_use_private_endpoints:
cosmosdb_client.accounts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
new=cosmosdb_client,
):
@@ -29,7 +35,7 @@ class Test_cosmosdb_account_use_private_endpoints:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -45,6 +51,9 @@ class Test_cosmosdb_account_use_private_endpoints:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
new=cosmosdb_client,
):
@@ -58,9 +67,9 @@ class Test_cosmosdb_account_use_private_endpoints:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is not using private endpoints connections"
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is not using private endpoints connections"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
@@ -69,7 +78,7 @@ class Test_cosmosdb_account_use_private_endpoints:
account_name = "Account Name"
account_id = str(uuid4())
cosmosdb_client.accounts = {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id=account_id,
name=account_name,
@@ -89,6 +98,9 @@ class Test_cosmosdb_account_use_private_endpoints:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.cosmosdb.cosmosdb_account_use_private_endpoints.cosmosdb_account_use_private_endpoints.cosmosdb_client",
new=cosmosdb_client,
):
@@ -102,8 +114,8 @@ class Test_cosmosdb_account_use_private_endpoints:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION} is using private endpoints connections"
== f"CosmosDB account {account_name} from subscription {AZURE_SUBSCRIPTION_ID} is using private endpoints connections"
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == account_name
assert result[0].resource_id == account_id
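Review bot: The new `mock.patch("prowler.providers.common.common.get_global_provider", return_value=set_mocked_azure_provider())` context is pasted verbatim into every test method of this class, and the identical duplication is in the cosmosdb_account_use_aad_and_rbac, defender_additional_email_configured_with_a_security_contact, defender_assessments_vm_endpoint_protection_installed, defender_auto_provisioning_log_analytics_agent_vms_on and defender_auto_provisioning_vulnerabilty_assessments_machines_on sections. Since the tests are plain pytest-style classes (no `unittest.TestCase` is visible), an autouse fixture scoped to the class would install the provider patch once and leave each `with` block holding only the `*_client` patch that actually differs per test; it would need an `import pytest` at the top of the file. Each test would presumably still get a fresh mocked provider, because the fixture runs per test function. The enclosing `Test_cosmosdb_account_use_private_endpoints` class continues beyond the shown hunks.
```python
@pytest.fixture(autouse=True)
def _mocked_azure_provider():
    with mock.patch(
        "prowler.providers.common.common.get_global_provider",
        return_value=set_mocked_azure_provider(),
    ):
        yield
# … unchanged: test methods, each keeping only its cosmosdb_client patch …
```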
@@ -2,14 +2,14 @@ from unittest.mock import patch
from prowler.providers.azure.services.cosmosdb.cosmosdb_service import Account, CosmosDB
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION,
set_mocked_azure_audit_info,
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
def mock_cosmosdb_get_accounts(_):
return {
AZURE_SUBSCRIPTION: [
AZURE_SUBSCRIPTION_ID: [
Account(
id="account_id",
name="account_name",
@@ -30,23 +30,25 @@ def mock_cosmosdb_get_accounts(_):
)
class Test_CosmosDB_Service:
def test__get_client__(self):
account = CosmosDB(set_mocked_azure_audit_info())
account = CosmosDB(set_mocked_azure_provider())
assert (
account.clients[AZURE_SUBSCRIPTION].__class__.__name__
account.clients[AZURE_SUBSCRIPTION_ID].__class__.__name__
== "CosmosDBManagementClient"
)
def test__get_accounts__(self):
account = CosmosDB(set_mocked_azure_audit_info())
assert account.accounts[AZURE_SUBSCRIPTION][0].__class__.__name__ == "Account"
assert account.accounts[AZURE_SUBSCRIPTION][0].id == "account_id"
assert account.accounts[AZURE_SUBSCRIPTION][0].name == "account_name"
assert account.accounts[AZURE_SUBSCRIPTION][0].kind is None
assert account.accounts[AZURE_SUBSCRIPTION][0].location is None
assert account.accounts[AZURE_SUBSCRIPTION][0].type is None
assert account.accounts[AZURE_SUBSCRIPTION][0].tags is None
account = CosmosDB(set_mocked_azure_provider())
assert (
account.accounts[AZURE_SUBSCRIPTION][0].is_virtual_network_filter_enabled
account.accounts[AZURE_SUBSCRIPTION_ID][0].__class__.__name__ == "Account"
)
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].id == "account_id"
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].name == "account_name"
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].kind is None
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].location is None
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].type is None
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].tags is None
assert (
account.accounts[AZURE_SUBSCRIPTION_ID][0].is_virtual_network_filter_enabled
is None
)
assert account.accounts[AZURE_SUBSCRIPTION][0].disable_local_auth is None
assert account.accounts[AZURE_SUBSCRIPTION_ID][0].disable_local_auth is None
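Review bot: In the rewritten `test__get_accounts__` the expression `account.accounts[AZURE_SUBSCRIPTION_ID][0]` is now repeated ten times, and the rename pushed one of the assertions over the line limit, producing the awkward three-line `assert (... .__class__.__name__ == "Account")`. Binding it once, `acct = account.accounts[AZURE_SUBSCRIPTION_ID][0]`, right after `account = CosmosDB(set_mocked_azure_provider())` lets every following assertion read `assert acct.kind is None` and so on, and a failing assertion then points at the attribute rather than at a long subscript. Both tests presumably rely on a `patch` of `_get_accounts` with `mock_cosmosdb_get_accounts` applied above this hunk, since the constructor is called with only the mocked provider.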
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import SecurityContacts
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_additional_email_configured_with_a_security_contact:
@@ -11,6 +14,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
defender_client.security_contacts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="",
@@ -40,6 +46,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -53,9 +62,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -63,7 +72,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="bad_email",
@@ -77,6 +86,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -90,9 +102,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -100,7 +112,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="test@test.es, test@test.email.com",
@@ -114,6 +126,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -127,9 +142,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -137,7 +152,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="test@test.com",
@@ -151,6 +166,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -164,9 +182,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -174,7 +192,7 @@ class Test_defender_additional_email_configured_with_a_security_contact:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="test@test.mail.es; bad_mail",
@@ -188,6 +206,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -201,18 +222,18 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
def test_defender_default_security_contact_not_found(self):
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
emails="",
phone="",
alert_notifications_minimal_severity="",
@@ -224,6 +245,9 @@ class Test_defender_additional_email_configured_with_a_security_contact:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_additional_email_configured_with_a_security_contact.defender_additional_email_configured_with_a_security_contact.defender_client",
new=defender_client,
):
@@ -237,11 +261,11 @@ class Test_defender_additional_email_configured_with_a_security_contact:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION}."
== f"There is not another correct email configured for susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert (
result[0].resource_id
== f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
== f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
)
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_assessments_vm_endpoint_protection_installed:
@@ -11,6 +14,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client.assessments = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -24,9 +30,12 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
def test_defender_subscriptions_with_no_assessments(self):
defender_client = mock.MagicMock
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -42,7 +51,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client = mock.MagicMock
resource_id = str(uuid4())
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Install endpoint protection solution on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -52,6 +61,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -65,7 +77,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Endpoint protection is set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Endpoint protection is set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -74,7 +86,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
defender_client = mock.MagicMock
resource_id = str(uuid4())
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Install endpoint protection solution on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -84,6 +96,9 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_assessments_vm_endpoint_protection_installed.defender_assessments_vm_endpoint_protection_installed.defender_client",
new=defender_client,
):
@@ -97,7 +112,7 @@ class Test_defender_assessments_vm_endpoint_protection_installed:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Endpoint protection is not set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Endpoint protection is not set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -4,7 +4,10 @@ from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import (
AutoProvisioningSetting,
)
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
@@ -13,6 +16,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
defender_client.auto_provisioning_settings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -28,7 +34,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -39,6 +45,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -52,9 +61,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to OFF."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -62,7 +71,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -73,6 +82,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -86,9 +98,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to ON."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to ON."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -96,7 +108,7 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.auto_provisioning_settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": AutoProvisioningSetting(
resource_id=resource_id,
resource_name="default",
@@ -113,6 +125,9 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_log_analytics_agent_vms_on.defender_auto_provisioning_log_analytics_agent_vms_on.defender_client",
new=defender_client,
):
@@ -126,17 +141,17 @@ class Test_defender_auto_provisioning_log_analytics_agent_vms_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to ON."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to ON."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION} is set to OFF."
== f"Defender Auto Provisioning Log Analytics Agents from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF."
)
assert result[1].subscription == AZURE_SUBSCRIPTION
assert result[1].subscription == AZURE_SUBSCRIPTION_ID
assert result[1].resource_name == "default2"
assert result[1].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
@@ -11,6 +14,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
defender_client.assessments = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Machines should have a vulnerability assessment solution": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -36,6 +42,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Vulnerability assessment is not set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Vulnerability assessment is not set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Machines should have a vulnerability assessment solution": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -69,6 +78,9 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_auto_provisioning_vulnerabilty_assessments_machines_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_auto_provisioning_vulnerabilty_assessments_machines_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Vulnerability assessment is set up in all VMs in subscription {AZURE_SUBSCRIPTION}."
== f"Vulnerability assessment is set up in all VMs in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_container_images_resolved_vulnerabilities:
@@ -11,6 +14,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
defender_client.assessments = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -24,9 +30,12 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.assessments = {AZURE_SUBSCRIPTION: {}}
defender_client.assessments = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -41,7 +50,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_no_assesment(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -51,6 +60,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -65,7 +77,7 @@ class Test_defender_container_images_resolved_vulnerabilities:
def test_defender_subscription_assesment_unhealthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -75,6 +87,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -88,26 +103,26 @@ class Test_defender_container_images_resolved_vulnerabilities:
assert result[0].status == "FAIL"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].status_extended
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
== f"Azure running container images have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
def test_defender_subscription_assesment_healthy(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -117,6 +132,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -130,26 +148,26 @@ class Test_defender_container_images_resolved_vulnerabilities:
assert result[0].status == "PASS"
assert (
result[0].resource_id
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_id
)
assert (
result[0].resource_name
== defender_client.assessments[AZURE_SUBSCRIPTION][
== defender_client.assessments[AZURE_SUBSCRIPTION_ID][
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)"
].resource_name
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].status_extended
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION}'."
== f"Azure running container images do not have unresolved vulnerabilities in subscription '{AZURE_SUBSCRIPTION_ID}'."
)
def test_defender_subscription_assesment_not_applicable(self):
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)": Assesment(
resource_id=str(uuid4()),
resource_name=str(uuid4()),
@@ -159,6 +177,9 @@ class Test_defender_container_images_resolved_vulnerabilities:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_resolved_vulnerabilities.defender_container_images_resolved_vulnerabilities.defender_client",
new=defender_client,
):
@@ -3,7 +3,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_container_images_scan_enabled:
@@ -12,6 +15,9 @@ class Test_defender_container_images_scan_enabled:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -25,9 +31,12 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_empty(self):
defender_client = mock.MagicMock
defender_client.pricings = {AZURE_SUBSCRIPTION: {}}
defender_client.pricings = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -42,7 +51,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_no_containers(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"NotContainers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -52,6 +61,9 @@ class Test_defender_container_images_scan_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -66,7 +78,7 @@ class Test_defender_container_images_scan_enabled:
def test_defender_subscription_containers_no_extensions(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -77,6 +89,9 @@ class Test_defender_container_images_scan_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -89,21 +104,21 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_defender_subscription_containers_container_images_scan_off(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -114,6 +129,9 @@ class Test_defender_container_images_scan_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -126,21 +144,21 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "FAIL"
assert result[0].status_extended == (
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is disabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_defender_subscription_containers_container_images_scan_on(self):
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=str(uuid4()),
pricing_tier="Free",
@@ -151,6 +169,9 @@ class Test_defender_container_images_scan_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_container_images_scan_enabled.defender_container_images_scan_enabled.defender_client",
new=defender_client,
):
@@ -163,13 +184,13 @@ class Test_defender_container_images_scan_enabled:
assert len(result) == 1
assert result[0].status == "PASS"
assert result[0].status_extended == (
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION}."
f"Container image scan is enabled in subscription {AZURE_SUBSCRIPTION_ID}."
)
assert (
result[0].resource_id
== defender_client.pricings[AZURE_SUBSCRIPTION][
== defender_client.pricings[AZURE_SUBSCRIPTION_ID][
"Containers"
].resource_id
)
assert result[0].resource_name == "Dender plan for Containers"
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
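Review bot: `defender_client = mock.MagicMock` (the line after each `def test_...(self):` in this section) binds the MagicMock class rather than an instance, so `defender_client.pricings = {...}` assigns a class attribute that is shared by every MagicMock created anywhere in the test process; the newly added `get_global_provider` patch is fine, but it is wired to that class object via `new=defender_client`, so fixture state can bleed between tests and into unrelated mocks. Each test should use `defender_client = mock.MagicMock()` so the `pricings` dict lives on a per-test instance. The same pre-existing pattern appears in the app-services, ARM, Azure SQL, containers, Cosmos DB, databases and DNS sections touched by this commit. Separately, the assertion `assert result[0].resource_name == "Dender plan for Containers"` pins a typo ("Dender"); if the check under test emits that string, the check and this expectation should be corrected together rather than locking the typo in.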
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_app_services_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"AppServices": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan App Services"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_app_services_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"AppServices": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_app_services_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_app_services_is_on.defender_ensure_defender_for_app_services_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_app_services_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for App Services from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan App Services"
assert result[0].resource_id == resource_id
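Review bot: The three new lines patching `prowler.providers.common.common.get_global_provider` with `return_value=set_mocked_azure_provider()` are copied verbatim into every test method of this file (and of every other defender test file in this commit), which makes the patch target a maintenance hazard if the provider lookup ever moves. A small module-level helper that returns the patcher keeps a single copy per file and needs no new imports; each `with` then becomes `with _mock_provider(), mock.patch("...defender_client", new=defender_client):`. The enclosing test methods start and end outside the hunks shown here.
```python
def _mock_provider():
    # Single place to change if the global-provider lookup is relocated.
    return mock.patch(
        "prowler.providers.common.common.get_global_provider",
        return_value=set_mocked_azure_provider(),
    )

# … unchanged: test bodies; each `with mock.patch(get_global_provider…)` becomes `with _mock_provider(), mock.patch(…defender_client…):` …
```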
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_arm_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Arm": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan ARM"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_arm_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Arm": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_arm_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_arm_is_on.defender_ensure_defender_for_arm_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_arm_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for ARM from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan ARM"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServers": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Azure SQL DB Servers"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServers": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_azure_sql_databases_is_on.defender_ensure_defender_for_azure_sql_databases_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_azure_sql_databases_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Azure SQL DB Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Azure SQL DB Servers"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_containers_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Container Registries"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_containers_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Containers": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_containers_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_containers_is_on.defender_ensure_defender_for_containers_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_containers_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Containers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Container Registries"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_cosmosdb_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"CosmosDbs": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Cosmos DB"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"CosmosDbs": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_cosmosdb_is_on.defender_ensure_defender_for_cosmosdb_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_cosmosdb_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Cosmos DB from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Cosmos DB"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_databases_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServers": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -51,7 +60,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServerVirtualMachines": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -61,6 +70,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -76,7 +88,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"OpenSourceRelationalDatabases": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -86,6 +98,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -101,7 +116,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"CosmosDbs": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -111,6 +126,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -126,7 +144,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServers": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -151,6 +169,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -164,9 +185,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Databases"
assert result[0].resource_id == resource_id
@@ -174,7 +195,7 @@ class Test_defender_ensure_defender_for_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServers": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -199,6 +220,9 @@ class Test_defender_ensure_defender_for_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_databases_is_on.defender_ensure_defender_for_databases_is_on.defender_client",
new=defender_client,
):
@@ -212,8 +236,8 @@ class Test_defender_ensure_defender_for_databases_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Databases"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_dns_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Dns": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan DNS"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_dns_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Dns": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_dns_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_dns_is_on.defender_ensure_defender_for_dns_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_dns_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for DNS from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan DNS"
assert result[0].resource_id == resource_id
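Review bot: `defender_client = mock.MagicMock` in the `@@ -26,7 +32,7 @@` and `@@ -59,7 +68,7 @@` hunks binds the MagicMock class, not an instance, so the following `defender_client.pricings = {...}` sets a class attribute that persists across every test and test module that does the same; the fix is `defender_client = mock.MagicMock()`. The commit rewrites these fixture blocks but keeps the missing call; the same pattern appears in the keyvault, os_relational_databases, server, sql_servers, storage, iot_hub and mcas sections below. Each affected `def test_...` starts above its hunk, so the change lands on the first body line shown. Whether patching `prowler.providers.common.common.get_global_provider` actually reaches the check depends on how the check module imports that name, which is outside this diff.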
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_keyvault_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"KeyVaults": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan KeyVaults"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"KeyVaults": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_keyvault_is_on.defender_ensure_defender_for_keyvault_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_keyvault_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for KeyVaults from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan KeyVaults"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_os_relational_databases_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"OpenSourceRelationalDatabases": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].resource_name
== "Defender plan Open-Source Relational Databases"
@@ -62,7 +71,7 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"OpenSourceRelationalDatabases": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -72,6 +81,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_os_relational_databases_is_on.defender_ensure_defender_for_os_relational_databases_is_on.defender_client",
new=defender_client,
):
@@ -85,9 +97,9 @@ class Test_defender_ensure_defender_for_os_relational_databases_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Open-Source Relational Databases from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert (
result[0].resource_name
== "Defender plan Open-Source Relational Databases"
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_server_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_server_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_server_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"VirtualMachines": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_server_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_server_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Servers"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_server_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"VirtualMachines": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_server_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_server_is_on.defender_ensure_defender_for_server_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_server_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Servers from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Servers"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_sql_servers_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServerVirtualMachines": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan SQL Server VMs"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"SqlServerVirtualMachines": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_sql_servers_is_on.defender_ensure_defender_for_sql_servers_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_sql_servers_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for SQL Server VMs from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan SQL Server VMs"
assert result[0].resource_id == resource_id
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Pricing
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_defender_for_storage_is_on:
@@ -11,6 +14,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
defender_client.pricings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"StorageAccounts": Pricing(
resource_id=resource_id,
pricing_tier="Not Standard",
@@ -36,6 +42,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
new=defender_client,
):
@@ -49,9 +58,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION} is set to OFF (pricing tier not standard)."
== f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION_ID} is set to OFF (pricing tier not standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Storage Accounts"
assert result[0].resource_id == resource_id
@@ -59,7 +68,7 @@ class Test_defender_ensure_defender_for_storage_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.pricings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"StorageAccounts": Pricing(
resource_id=resource_id,
pricing_tier="Standard",
@@ -69,6 +78,9 @@ class Test_defender_ensure_defender_for_storage_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_defender_for_storage_is_on.defender_ensure_defender_for_storage_is_on.defender_client",
new=defender_client,
):
@@ -82,8 +94,8 @@ class Test_defender_ensure_defender_for_storage_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION} is set to ON (pricing tier standard)."
== f"Defender plan Defender for Storage Accounts from subscription {AZURE_SUBSCRIPTION_ID} is set to ON (pricing tier standard)."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "Defender plan Storage Accounts"
assert result[0].resource_id == resource_id
@@ -4,7 +4,10 @@ from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import (
IoTSecuritySolution,
)
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_iot_hub_defender_is_on:
@@ -13,6 +16,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
defender_client.iot_security_solutions = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
new=defender_client,
):
@@ -26,9 +32,12 @@ class Test_defender_ensure_iot_hub_defender_is_on:
def test_defender_no_iot_hub_solutions(self):
defender_client = mock.MagicMock
defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION: {}}
defender_client.iot_security_solutions = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
new=defender_client,
):
@@ -42,7 +51,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"No IoT Security Solutions found in the subscription {AZURE_SUBSCRIPTION}."
== f"No IoT Security Solutions found in the subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "IoT Hub Defender"
assert result[0].resource_id == "IoT Hub Defender"
@@ -51,7 +60,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"iot_sec_solution": IoTSecuritySolution(
resource_id=resource_id, status="Disabled"
)
@@ -59,6 +68,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
new=defender_client,
):
@@ -72,7 +84,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"The security solution iot_sec_solution is disabled in susbscription {AZURE_SUBSCRIPTION}"
== f"The security solution iot_sec_solution is disabled in susbscription {AZURE_SUBSCRIPTION_ID}"
)
assert result[0].resource_name == "iot_sec_solution"
assert result[0].resource_id == resource_id
@@ -81,7 +93,7 @@ class Test_defender_ensure_iot_hub_defender_is_on:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"iot_sec_solution": IoTSecuritySolution(
resource_id=resource_id, status="Enabled"
)
@@ -89,6 +101,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
new=defender_client,
):
@@ -102,18 +117,18 @@ class Test_defender_ensure_iot_hub_defender_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"The security solution iot_sec_solution is enabled in susbscription {AZURE_SUBSCRIPTION}."
== f"The security solution iot_sec_solution is enabled in susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "iot_sec_solution"
assert result[0].resource_id == resource_id
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
def test_defender_multiple_iot_hub_solution_enabled_and_disabled(self):
resource_id_enabled = str(uuid4())
resource_id_disabled = str(uuid4())
defender_client = mock.MagicMock
defender_client.iot_security_solutions = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"iot_sec_solution_enabled": IoTSecuritySolution(
resource_id=resource_id_enabled, status="Enabled"
),
@@ -124,6 +139,9 @@ class Test_defender_ensure_iot_hub_defender_is_on:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_iot_hub_defender_is_on.defender_ensure_iot_hub_defender_is_on.defender_client",
new=defender_client,
):
@@ -137,17 +155,17 @@ class Test_defender_ensure_iot_hub_defender_is_on:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"The security solution iot_sec_solution_enabled is enabled in susbscription {AZURE_SUBSCRIPTION}."
== f"The security solution iot_sec_solution_enabled is enabled in susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].resource_name == "iot_sec_solution_enabled"
assert result[0].resource_id == resource_id_enabled
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[1].status == "FAIL"
assert (
result[1].status_extended
== f"The security solution iot_sec_solution_disabled is disabled in susbscription {AZURE_SUBSCRIPTION}"
== f"The security solution iot_sec_solution_disabled is disabled in susbscription {AZURE_SUBSCRIPTION_ID}"
)
assert result[1].resource_name == "iot_sec_solution_disabled"
assert result[1].resource_id == resource_id_disabled
assert result[1].subscription == AZURE_SUBSCRIPTION
assert result[1].subscription == AZURE_SUBSCRIPTION_ID
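Review bot: The rewritten assertions in the `@@ -72,7 +84,7 @@` and `@@ -137,17 +155,17 @@` hunks pin a misspelled, inconsistently punctuated message: `"... is disabled in susbscription {AZURE_SUBSCRIPTION_ID}"` has no trailing period while the enabled variant on the same path ends with one, and "susbscription" is a typo in both. Since the commit already touches every one of these lines, this is the moment to correct the check's message and the expectation together, e.g. `== f"The security solution iot_sec_solution is disabled in subscription {AZURE_SUBSCRIPTION_ID}."`. The same kind of frozen typo appears in the mcas section (`disabeld`, `not exists`) and the notify_alerts section (`Notifiy`, `susbscription`).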
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Setting
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_mcas_is_enabled:
@@ -11,6 +14,9 @@ class Test_defender_ensure_mcas_is_enabled:
defender_client.settings = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_mcas_is_enabled:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"MCAS": Setting(
resource_id=resource_id,
resource_type="Microsoft.Security/locations/settings",
@@ -37,6 +43,9 @@ class Test_defender_ensure_mcas_is_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
new=defender_client,
):
@@ -50,9 +59,9 @@ class Test_defender_ensure_mcas_is_enabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Microsoft Defender for Cloud Apps is disabeld for subscription {AZURE_SUBSCRIPTION}."
== f"Microsoft Defender for Cloud Apps is disabeld for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "MCAS"
assert result[0].resource_id == resource_id
@@ -60,7 +69,7 @@ class Test_defender_ensure_mcas_is_enabled:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.settings = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"MCAS": Setting(
resource_id=resource_id,
resource_type="Microsoft.Security/locations/settings",
@@ -71,6 +80,9 @@ class Test_defender_ensure_mcas_is_enabled:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
new=defender_client,
):
@@ -84,17 +96,20 @@ class Test_defender_ensure_mcas_is_enabled:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Microsoft Defender for Cloud Apps is enabled for subscription {AZURE_SUBSCRIPTION}."
== f"Microsoft Defender for Cloud Apps is enabled for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "MCAS"
assert result[0].resource_id == resource_id
def test_defender_mcas_no_settings(self):
defender_client = mock.MagicMock
defender_client.settings = {AZURE_SUBSCRIPTION: {}}
defender_client.settings = {AZURE_SUBSCRIPTION_ID: {}}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_mcas_is_enabled.defender_ensure_mcas_is_enabled.defender_client",
new=defender_client,
):
@@ -108,8 +123,8 @@ class Test_defender_ensure_mcas_is_enabled:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Microsoft Defender for Cloud Apps not exists for subscription {AZURE_SUBSCRIPTION}."
== f"Microsoft Defender for Cloud Apps not exists for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "MCAS"
assert result[0].resource_id == "MCAS"
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import SecurityContacts
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_notify_alerts_severity_is_high:
@@ -11,6 +14,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
defender_client.security_contacts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="",
@@ -40,6 +46,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
new=defender_client,
):
@@ -53,9 +62,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
== f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -63,7 +72,7 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="",
@@ -77,6 +86,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
new=defender_client,
):
@@ -90,18 +102,18 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"Notifiy alerts are enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
== f"Notifiy alerts are enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
def test_defender_default_security_contact_not_found(self):
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
emails="",
phone="",
alert_notifications_minimal_severity="",
@@ -113,6 +125,9 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_alerts_severity_is_high.defender_ensure_notify_alerts_severity_is_high.defender_client",
new=defender_client,
):
@@ -126,11 +141,11 @@ class Test_defender_ensure_notify_alerts_severity_is_high:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION}."
== f"Notifiy alerts are not enabled for severity high in susbscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert (
result[0].resource_id
== f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
== f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
)
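Review bot: `defender_client = mock.MagicMock` binds the class rather than an instance, so `defender_client.security_contacts = {...}` in each test writes a class attribute on `unittest.mock.MagicMock` itself; the fixture of one test therefore leaks into every later test in the process, and a check that never reads the patched attribute can still appear to pass. Use `defender_client = mock.MagicMock()` in each test of this file, including `test_defender_default_security_contact_not_found`. This is pre-existing context that the commit keeps while adding the `get_global_provider` patch, so it is cheap to fix in the same pass. The patch itself looks correct as long as `set_mocked_azure_provider()` returns a fresh object per call, which I cannot confirm from here.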
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import SecurityContacts
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_notify_emails_to_owners:
@@ -11,6 +14,9 @@ class Test_defender_ensure_notify_emails_to_owners:
defender_client.security_contacts = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_notify_emails_to_owners:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="",
@@ -40,6 +46,9 @@ class Test_defender_ensure_notify_emails_to_owners:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
new=defender_client,
):
@@ -53,9 +62,9 @@ class Test_defender_ensure_notify_emails_to_owners:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -63,7 +72,7 @@ class Test_defender_ensure_notify_emails_to_owners:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="",
@@ -77,6 +86,9 @@ class Test_defender_ensure_notify_emails_to_owners:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
new=defender_client,
):
@@ -90,9 +102,9 @@ class Test_defender_ensure_notify_emails_to_owners:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
@@ -100,7 +112,7 @@ class Test_defender_ensure_notify_emails_to_owners:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=resource_id,
emails="test@test.es",
@@ -114,6 +126,9 @@ class Test_defender_ensure_notify_emails_to_owners:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
new=defender_client,
):
@@ -127,18 +142,18 @@ class Test_defender_ensure_notify_emails_to_owners:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"The Owner role is notified for subscription {AZURE_SUBSCRIPTION}."
== f"The Owner role is notified for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert result[0].resource_id == resource_id
def test_defender_default_security_contact_not_found(self):
defender_client = mock.MagicMock
defender_client.security_contacts = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"default": SecurityContacts(
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default",
resource_id=f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default",
emails="",
phone="",
alert_notifications_minimal_severity="",
@@ -150,6 +165,9 @@ class Test_defender_ensure_notify_emails_to_owners:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.defender_client",
new=defender_client,
):
@@ -163,11 +181,11 @@ class Test_defender_ensure_notify_emails_to_owners:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION}."
== f"The Owner role is not notified for subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "default"
assert (
result[0].resource_id
== f"/subscriptions/{AZURE_SUBSCRIPTION}/providers/Microsoft.Security/securityContacts/default"
== f"/subscriptions/{AZURE_SUBSCRIPTION_ID}/providers/Microsoft.Security/securityContacts/default"
)
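Review bot: The added `mock.patch("prowler.providers.common.common.get_global_provider", ...)` only takes effect if the code under test resolves the name through that module at call time; if the check module (or whatever builds the report) does `from prowler.providers.common.common import get_global_provider` at import, the patched attribute is never seen and the test runs against the real provider. I cannot see the check module from this diff, so confirm which form it uses and, if it is the bound-name form, patch it where it is consumed, e.g. `mock.patch("prowler.providers.azure.services.defender.defender_ensure_notify_emails_to_owners.defender_ensure_notify_emails_to_owners.get_global_provider", return_value=set_mocked_azure_provider())`. Since the identical two-patch `with` is repeated in all five tests here, a small module-level helper or pytest fixture returning the combined context manager would keep the targets in one place. Separately, `defender_client = mock.MagicMock` is the class, not an instance, so the per-test `security_contacts` assignment is shared state; `mock.MagicMock()` avoids that.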
@@ -2,7 +2,10 @@ from unittest import mock
from uuid import uuid4
from prowler.providers.azure.services.defender.defender_service import Assesment
from tests.providers.azure.azure_fixtures import AZURE_SUBSCRIPTION
from tests.providers.azure.azure_fixtures import (
AZURE_SUBSCRIPTION_ID,
set_mocked_azure_provider,
)
class Test_defender_ensure_system_updates_are_applied:
@@ -11,6 +14,9 @@ class Test_defender_ensure_system_updates_are_applied:
defender_client.assessments = {}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
new=defender_client,
):
@@ -26,7 +32,7 @@ class Test_defender_ensure_system_updates_are_applied:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Log Analytics agent should be installed on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -46,6 +52,9 @@ class Test_defender_ensure_system_updates_are_applied:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
new=defender_client,
):
@@ -59,9 +68,9 @@ class Test_defender_ensure_system_updates_are_applied:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -71,7 +80,7 @@ class Test_defender_ensure_system_updates_are_applied:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Log Analytics agent should be installed on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -91,6 +100,9 @@ class Test_defender_ensure_system_updates_are_applied:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
new=defender_client,
):
@@ -104,9 +116,9 @@ class Test_defender_ensure_system_updates_are_applied:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -114,7 +126,7 @@ class Test_defender_ensure_system_updates_are_applied:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Log Analytics agent should be installed on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -134,6 +146,9 @@ class Test_defender_ensure_system_updates_are_applied:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
new=defender_client,
):
@@ -147,9 +162,9 @@ class Test_defender_ensure_system_updates_are_applied:
assert result[0].status == "FAIL"
assert (
result[0].status_extended
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
== f"System updates are not applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
@@ -159,7 +174,7 @@ class Test_defender_ensure_system_updates_are_applied:
resource_id = str(uuid4())
defender_client = mock.MagicMock
defender_client.assessments = {
AZURE_SUBSCRIPTION: {
AZURE_SUBSCRIPTION_ID: {
"Log Analytics agent should be installed on virtual machines": Assesment(
resource_id=resource_id,
resource_name="vm1",
@@ -179,6 +194,9 @@ class Test_defender_ensure_system_updates_are_applied:
}
with mock.patch(
"prowler.providers.common.common.get_global_provider",
return_value=set_mocked_azure_provider(),
), mock.patch(
"prowler.providers.azure.services.defender.defender_ensure_system_updates_are_applied.defender_ensure_system_updates_are_applied.defender_client",
new=defender_client,
):
@@ -192,8 +210,8 @@ class Test_defender_ensure_system_updates_are_applied:
assert result[0].status == "PASS"
assert (
result[0].status_extended
== f"System updates are applied for all the VMs in the subscription {AZURE_SUBSCRIPTION}."
== f"System updates are applied for all the VMs in the subscription {AZURE_SUBSCRIPTION_ID}."
)
assert result[0].subscription == AZURE_SUBSCRIPTION
assert result[0].subscription == AZURE_SUBSCRIPTION_ID
assert result[0].resource_name == "vm1"
assert result[0].resource_id == resource_id
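Review bot: Every fixture in this file keys the assessment as `"Log Analytics agent should be installed on virtual machines"` while the check under test is `defender_ensure_system_updates_are_applied`, so these tests only exercise the FAIL/PASS branches if the check matches on that exact display name rather than on a system-updates assessment. Confirm against the check: if it filters by a different assessment name, the final PASS case is not reaching the intended branch and the earlier FAIL cases may be passing for the wrong reason. A fixture keyed on the name the check actually matches, plus one unrelated assessment that must be ignored, would pin the filter down. The `Assesment` spelling comes from the service module import, so it is not something to change here.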
